+When you create and run a Microsoft Entra Domain Services managed domain, there are some differences in behavior compared to a traditional on-premises AD DS environment. You use the same administrative tools in Domain Services as a self-managed domain, but you can't directly access the domain controllers (DC). There's also some differences in behavior for password policies and password hashes depending on the source of the user account creation.

+Domain Services includes a default password policy that defines settings for things like account lockout, maximum password age, and password complexity. Settings like account lockout policy apply to all users in a managed domain, regardless of how the user was created as outlined in the previous section. A few settings, like minimum password length and password complexity, only apply to users created directly in a managed domain.

+To authenticate users on the managed domain, Domain Services needs password hashes in a format that's suitable for NT LAN Manager (NTLM) and Kerberos authentication. Microsoft Entra ID doesn't generate or store password hashes in the format that's required for NTLM or Kerberos authentication until you enable Domain Services for your tenant. For security reasons, Microsoft Entra ID also doesn't store any password credentials in clear-text form. Therefore, Microsoft Entra ID can't automatically generate these NTLM or Kerberos password hashes based on users' existing credentials.

+For cloud-only user accounts, users must change their passwords before they can use the managed domain. This password change process causes the password hashes for Kerberos and NTLM authentication to be generated and stored in Microsoft Entra ID. The account isn't synchronized from Microsoft Entra ID to Domain Services until the password is changed.

+> Microsoft Entra Connect only synchronizes legacy password hashes when you enable Domain Services for your Microsoft Entra tenant. Legacy password hashes aren't used if you only use Microsoft Entra Connect to synchronize an on-premises AD DS environment with Microsoft Entra ID.

+> If your legacy applications don't use NTLM authentication or LDAP simple binds, we recommend that you disable NTLM password hash synchronization for Domain Services. For more information, see [Disable weak cipher suites and NTLM credential hash synchronization][secure-domain].

+Once appropriately configured, the usable password hashes are stored in the managed domain. If you delete the managed domain, any password hashes stored at that point are also deleted. Synchronized credential information in Microsoft Entra ID can't be reused if you later create another managed domain - you must reconfigure the password hash synchronization to store the password hashes again. Previously domain-joined VMs or users won't be able to immediately authenticate - Microsoft Entra ID needs to generate and store the password hashes in the new managed domain. For more information, see [Password hash sync process for Domain Services and Microsoft Entra Connect][azure-ad-password-sync].

+In Domain Services, the forest only contains one domain. On-premises AD DS forests often contain many domains. In large organizations, especially after mergers and acquisitions, you may end up with multiple on-premises forests that each then contain multiple domains.

+By default, a managed domain synchronizes all objects from Microsoft Entra ID, including any user accounts created in an on-premises AD DS environment. User accounts can directly authenticate against the managed domain, such as to sign in to a domain-joined VM. This approach works when the password hashes can be synchronized and users aren't using exclusive sign-in methods like smart card authentication.

+In a Domain Services, you can also create a one-way forest *trust* to let users sign in from their on-premises AD DS. With this approach, the user objects and password hashes aren't synchronized to Domain Services. The user objects and credentials only exist in the on-premises AD DS. This approach lets enterprises host resources and application platforms in Azure that depend on classic authentication such LDAPS, Kerberos, or NTLM, but any authentication issues or concerns are removed.

+## Domain Services SKUs

+In Domain Services, the available performance and features are based on the SKU. You select a SKU when you create the managed domain, and you can switch SKUs as your business requirements change after the managed domain has been deployed. The following table outlines the available SKUs and the differences between them:

+Before these Domain Services SKUs, a billing model based on the number of objects (user and computer accounts) in the managed domain was used. There is no longer variable pricing based on the number of objects in the managed domain.

+For more information, see the [Domain Services pricing page][pricing].

+To get started, [create a Domain Services managed domain][create-instance].

+Applications and services that use lightweight directory access protocol (LDAP) to communicate with Microsoft Entra Domain Services can be [configured to use secure LDAP](tutorial-configure-ldaps.md). An appropriate certificate and required network ports must be open for secure LDAP to work correctly.

+This article helps you understand and resolve common alerts with secure LDAP access in Domain Services.

+When you enable secure LDAP, it's recommended to create extra rules that restrict inbound LDAPS access to specific IP addresses. These rules protect the managed domain from brute force attacks. To update the network security group to restrict TCP port 636 access for secure LDAP, complete the following steps:

+> TCP port 636 isn't the only rule needed for Domain Services to run smoothly. To learn more, see the [Domain Services Network security groups and required ports](network-considerations.md#network-security-groups-and-required-ports).

+Create a replacement secure LDAP certificate by following the steps to [create a certificate for secure LDAP](tutorial-configure-ldaps.md#create-a-certificate-for-secure-ldap). Apply the replacement certificate to Domain Services, and distribute the certificate to any clients that connect using secure LDAP.

+If you still have issues, [open an Azure support request][azure-support] for more troubleshooting help.

+ Title: Resolve network security group alerts in Microsoft Entra Domain Services | Microsoft Docs

+To let applications and services correctly communicate with a Microsoft Entra Domain Services managed domain, specific network ports must be open to allow traffic to flow. In Azure, you control the flow of traffic using network security groups. The health status of a Domain Services managed domain shows an alert if the required network security group rules aren't in place.

+Invalid network security group rules are the most common cause of network errors for Domain Services. The network security group for the virtual network must allow access to specific ports and protocols. If these ports are blocked, the Azure platform can't monitor or update the managed domain. The synchronization between the Microsoft Entra directory and Domain Services is also impacted. Make sure you keep the default ports open to avoid interruption in service.

+The following default inbound and outbound security rules are applied to the network security group for a managed domain. These rules keep Domain Services secure and allow the Azure platform to monitor, manage, and update the managed domain.

+> Domain Services needs unrestricted outbound access from the virtual network. We don't recommend that you create any additional rules that restrict outbound access for the virtual network.

+[Service principals](../active-directory/develop/app-objects-and-service-principals.md) are applications that the Azure platform uses to manage, update, and maintain a Microsoft Entra Domain Services managed domain. If a service principal is deleted, functionality in the managed domain is impacted.

+Domain Services automatically synchronizes user accounts and credentials from Microsoft Entra ID. If there's a problem with the Microsoft Entra application used for this process, credential synchronization between Domain Services and Microsoft Entra ID fails.

+In Microsoft Entra Domain Services, the available performance and features are based on the SKU type. These feature differences include the backup frequency or maximum number of one-way outbound forest trusts.

+You select a SKU when you create the managed domain, and you can switch SKUs up or down as your business needs change after the managed domain has been deployed. Changes in business requirements could include the need for more frequent backups or to create additional forest trusts. For more information on the limits and pricing of the different SKUs, see [Domain Services SKU concepts][concepts-sku] and [Domain Services pricing][pricing] pages.

+This article shows you how to change the SKU for an existing Domain Services managed domain using the [Microsoft Entra admin center](https://entra.microsoft.com).

+For more information on these limits, see [Domain Services SKU features and limits][concepts-sku].

+1. In the menu on the left-hand side of the Domain Services page, select **Settings > SKU**.

+ 

+If you have a resource forest and want to create additional trusts after the SKU change, see [Create an outbound forest trust to an on-premises domain in Domain Services][create-trust].

+description: Learn how to check the health of a Microsoft Entra Domain Services managed domain and understand status messages.

+Microsoft Entra Domain Services runs some background tasks to keep the managed domain healthy and up-to-date. These tasks include taking backups, applying security updates, and synchronizing data from Microsoft Entra ID. If there are issues with the Domain Services managed domain, these tasks may not successfully complete. To review and resolve any issues, you can check the health status of a managed domain using the Microsoft Entra admin center.

+This article shows you how to view the Domain Services health status and understand the information or alerts shown.

+1. On the left-hand side of the Domain Services resource window, select **Health**. The following example screenshot shows a healthy managed domain and the status of the last backup and Azure AD synchronization:

+Monitors are areas of a managed domain that are checked on a regular basis. If there are any active alerts for the managed domain, it may cause one of the monitors to report an issue. Domain Services currently has monitors for the following areas:

+ Title: Compare Microsoft directory-based services | Microsoft Docs

+#Customer intent: As an IT administrator or decision maker, I want to understand the differences between Active Directory Domain Services (AD DS), Microsoft Entra ID, and Domain Services so I can choose the most appropriate identity solution for my organization.

+* **Microsoft Entra Domain Services** - Provides managed domain services with a subset of fully compatible traditional AD DS features such as domain join, group policy, LDAP, and Kerberos / NTLM authentication.

+ * Domain Services integrates with Microsoft Entra ID, which itself can synchronize with an on-premises AD DS environment. This ability extends central identity use cases to traditional web applications that run in Azure as part of a lift-and-shift strategy.

+> [To get started, create a Domain Services managed domain using the Microsoft Entra admin center][tutorial-create]

+## Domain Services and self-managed AD DS

+* A *managed domain* that you create using Microsoft Entra Domain Services. Microsoft creates and manages the required resources.

+With Domain Services, the core service components are deployed and maintained for you by Microsoft as a *managed* domain experience. You don't deploy, manage, patch, and secure the AD DS infrastructure for components like the VMs, Windows Server OS, or domain controllers (DCs).

+Domain Services provides a smaller subset of features to traditional self-managed AD DS environment, which reduces some of the design and management complexity. For example, there are no AD forests, domain, sites, and replication links to design and maintain. You can still [create forest trusts between Domain Services and on-premises environments][create-forest-trust].

+For applications and services that run in the cloud and need access to traditional authentication mechanisms such as Kerberos or NTLM, Domain Services provides a managed domain experience with the minimal amount of administrative overhead. For more information, see [Management concepts for user accounts, passwords, and administration in Domain Services][administration-concepts].

+The following table outlines some of the features you may need for your organization, and the differences between a managed domain or a self-managed AD DS domain:

+| **Feature** | **Managed domain** | **Self-managed AD DS** |

+## Domain Services and Microsoft Entra ID

+With Domain Services-joined devices, applications can use the Kerberos and NTLM protocols for authentication, so can support legacy applications migrated to run on Azure VMs as part of a lift-and-shift strategy. The following table outlines differences in how the devices are represented and can authenticate themselves against the directory:

+| **Aspect** | **Microsoft Entra joined** | **Domain Services-joined** |

+| Device controlled by | Microsoft Entra ID | Domain Services managed domain |

+| Representation in the directory | Device objects in the Microsoft Entra directory | Computer objects in the Domain Services managed domain |

+If on-premises AD DS and Microsoft Entra ID are configured for federated authentication using AD FS, then there's no (current/valid) password hash available in Azure DS. Microsoft Entra user accounts created before fed auth was implemented might have an old password hash but this likely doesn't match a hash of their on-premises password. As a result, Domain Services won't be able to validate the users credentials

+To get started with using Domain Services, [create a Domain Services managed domain using the Microsoft Entra admin center][tutorial-create].

+[management concepts for user accounts, passwords, and administration in Domain Services][administration-concepts] and [how objects and credentials are synchronized in a managed domain][synchronization].

+description: Learn how to create and manage custom attributes in a Domain Services managed domain.

+Microsoft Entra ID supports adding custom data to resources using [extensions](/graph/extensibility-overview). Microsoft Entra Domain Services can synchronize the following types of extensions from Microsoft Entra ID, so you can also use apps that depend on custom attributes with Domain

+Domain Services back fills all synchronized users and groups with the onboarded custom attribute values. The custom attribute values gradually populate for objects that contain the directory extension in Microsoft Entra ID. During the backfill synchronization process, incremental changes in Microsoft Entra ID are paused, and the sync time depends on the size of the tenant.

+To check the backfilling status, click **Domain Services Health** and verify the **Synchronization with Microsoft Entra ID** monitor has an updated timestamp within an hour since onboarding. Once updated, the backfill is complete.

+>Domain Services only supports one-way transitive trusts where the managed domain will trust other domains, but no other directions or trust types are supported.

+For an overview of how trusts apply to Domain Services, see [Forest concepts and features][create-forest-trust].

+To get started using trusts in Domain Services, [create a managed domain that uses forest trusts][tutorial-create-advanced].

+>Alternate UPN suffixes on trusts are not supported. If an on-premises domain uses the same UPN suffix as Domain Services, sign in must use **sAMAccountName**.

+To get started with creating a managed domain with a forest trust, see [Create and configure a Domain Services managed domain][tutorial-create-advanced]. You can then [Create an outbound forest trust to an on-premises domain][create-forest-trust].

+When you create a Microsoft Entra Domain Services managed domain, you define a unique namespace. This namespace is the domain name, such as *aaddscontoso.com*, and two domain controllers (DCs) are then deployed into your selected Azure region. This deployment of DCs is known as a replica set.

+You can expand a managed domain to have more than one replica set per Microsoft Entra tenant. Replica sets can be added to any peered virtual network in any Azure region that supports Domain Services. Additional replica sets in different Azure regions provide geographical disaster recovery for legacy applications if an Azure region goes offline.

+When you create a managed domain, such as *aaddscontoso.com*, an initial replica set is created. Additional replica sets share the same namespace and configuration. Changes to Domain Services, including configuration, user identity and credentials, groups, group policy objects, computer objects, and other changes are applied to all replica sets in the managed domain using AD DS replication.

+To get started with replica sets, [create and configure a Domain Services managed domain][tutorial-create-advanced]. When deployed, [create and use additional replica sets][create-replica-set].

+In environments where you can't synchronize password hashes, or you have users that exclusively sign in using smart cards so they don't know their password, you can create a one-way outbound trust from Microsoft Entra Domain Services to one or more on-premises AD DS environments. This trust relationship lets users, applications, and computers authenticate against an on-premises domain from the Domain Services managed domain. In this case, on-premises password hashes are never synchronized.

+

+> * Create a Domain Services forest using Azure PowerShell

+* You need [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Microsoft Entra roles in your tenant to enable Domain Services.

+* You need [Domain Services Contributor](../role-based-access-control/built-in-roles.md#contributor) Azure role to create the required Domain Services resources.

+Domain Services requires a service principal synchronize data from Microsoft Entra ID. This principal must be created in your Microsoft Entra tenant before you created the managed domain forest.

+Create a Microsoft Entra service principal for Domain Services to communicate and authenticate itself. A specific application ID is used named *Domain Controller Services* with an ID of *6ba9a5d4-8456-4118-b521-9c5ca10cdf84*. Don't change this application ID.

+ | Subscription | *-azureSubscriptionId* | Subscription ID used for Domain Services billing. You can get the list of subscriptions using the [Get-AzureRMSubscription][Get-AzureRMSubscription] cmdlet. |

+ | Location | *-aaddsLocation* | The Azure region to host your managed domain. For available regions, see [supported regions for Domain Services.](https://azure.microsoft.com/global-infrastructure/services/?products=active-directory-ds&regions=all) |

+ | Domain Services administrator | *-aaddsAdminUser* | The user principal name of the first managed domain administrator. This account must be an existing cloud user account in your Microsoft Entra ID. The user, and the user running the script, is added to the *AAD DC Administrators* group. |

+ | Domain Services domain name | *-aaddsDomainName* | The FQDN of the managed domain, based on the previous guidance on how to choose a forest name. |

+ The `New-AzureAaddsForest` script can create the Azure virtual network and Domain Services subnet if these resources don't already exist. The script can optionally create the workload subnets, when specified:

+ | Domain Services subnet name | *-aaddsSubnetName* | Name of the subnet of the *aaddsVnetName* virtual network hosting the managed domain. Don't deploy your own VMs and workloads into this subnet. |

+ | Domain Services address range | *-aaddsSubnetCIDRAddressRange* | Subnet address range in CIDR notation for the Domain Services instance, such as *192.168.1.0/24*. Address range must be contained by the address range of the virtual network, and different from other subnets. |

+ When running, [update DNS settings for the Azure virtual network](tutorial-create-instance.md#update-dns-settings-for-the-azure-virtual-network) and then [enable user accounts for Domain Services](tutorial-create-instance.md#enable-user-accounts-for-azure-ad-ds) to finalize the configurations for your managed domain.

+| Domain Services domain name | *-ManagedDomainFqdn* | FQDN of the managed domain, such as *aaddscontoso.com* |

+* [On-premises user authentication from the Domain Services forest](#on-premises-user-authentication-from-the-azure-ad-ds-forest)

+* [Access resources in the Domain Services forest as an on-premises user](#access-resources-in-azure-ad-ds-as-an-on-premises-user)

+### On-premises user authentication from the Domain Services forest

+### Access resources in Domain Services as an on-premises user

+For more conceptual information about forest types in Domain Services, see [How do forest trusts work in Domain Services?][concepts-trust]

+Instead, a group managed service account (gMSA) can be created in the Microsoft Entra Domain ServiceS managed domain. The Windows OS automatically manages the credentials for a gMSA, which simplifies the management of large groups of resources.

+* A Windows Server management VM that is joined to the Domain Services managed domain.

+## Using service accounts in Domain Services

+ * The KDS root key is used to generate and retrieve passwords for gMSAs. In Domain Services, the KDS root is created for you.

+First, create a custom OU using the [New-ADOrganizationalUnit][New-AdOrganizationalUnit] cmdlet. For more information on creating and managing custom OUs, see [Custom OUs in Domain Services][create-custom-ou].

+Domain Services managed domains include the following two built-in OUs:

+As you create and run workloads that use Domain Services, you may need to create service accounts for applications to authenticate themselves. To organize these service accounts, you often create a custom OU in the managed domain and then create service accounts within that OU.

+* A Windows Server management VM that is joined to the Domain Services managed domain.

+## Benefits of using Domain Services in an Azure CSP subscription

+Microsoft Entra Domain Services provides managed domain services such as domain join, group policy, LDAP, Kerberos/NTLM authentication that is fully compatible with Windows Server Active Directory Domain Services. Over the decades, many applications have been built to work against AD using these capabilities. Many independent software vendors (ISVs) have built and deployed applications at their customers' premises. These applications are hard to support since you often require access to the different environments where the applications are deployed. With Azure CSP subscriptions, you have a simpler alternative with the scale and flexibility of Azure.

+Domain Services supports Azure CSP subscriptions. You can deploy your application in an Azure CSP subscription tied to your customer's Microsoft Entra tenant. As a result, your employees (support staff) can manage, administer, and service the VMs on which your application is deployed using your organization's corporate credentials.

+You can also deploy a Domain Services managed domain in your customer's Microsoft Entra tenant. Your application is then connected to your customer's managed domain. Capabilities within your application that rely on Kerberos / NTLM, LDAP, or the [System.DirectoryServices API](/dotnet/api/system.directoryservices) work seamlessly against your customer's domain. End customers benefit from consuming your application as a service, without needing to worry about maintaining the infrastructure the application is deployed on.

+All billing for Azure resources you consume in that subscription, including Domain Services, is charged back to you. You maintain full control over the relationship with the customer when it comes to sales, billing, technical support etc. With the flexibility of the Azure CSP platform, a small team of support agents can service many such customers who have instances of your application deployed.

+## CSP deployment models for Domain Services

+There are two ways in which you can use Domain Services with an Azure CSP subscription. Pick the right one based on the security and simplicity considerations your customers have.

+In this deployment model, Domain Services is enabled within a virtual network that belongs to the Azure CSP subscription. The CSP partner's admin agents have the following privileges:

+In this deployment model, Domain Services is enabled within a virtual network belonging to the customer - a direct Azure subscription paid for by the customer. The CSP partner can deploy applications within a virtual network belonging to the customer's CSP subscription. The virtual networks can then be connected using Azure virtual network peering.

+## Administer Domain Services in CSP subscriptions

+* **CSP admin agents can provision a managed domain using their credentials:** Domain Services supports Azure CSP subscriptions. Users belonging to a CSP partner's admin agents group can provision a new managed domain.

+* **CSPs can script creation of new managed domains for their customers using PowerShell:** See [how to enable Domain Services using PowerShell](powershell-create-instance.md) for details.

+* **CSP admin agents can't perform ongoing management tasks on the managed domain using their credentials:** CSP admin users can't perform routine management tasks within the managed domain using their credentials. These users are external to the customer's Microsoft Entra tenant and their credentials aren't available within the customer's Microsoft Entra tenant. Domain Services doesn't have access to the Kerberos and NTLM password hashes for these users, so users can't be authenticated on managed domains.

+If you no longer need a Microsoft Entra Domain Services managed domain, you can delete it. There's no way to turn off or temporarily disable a Domain Services managed domain. Deleting the managed domain doesn't delete or have any other impact on the Microsoft Entra tenant.

+> * Domain controllers for the managed domain are deprovisioned and removed from the virtual network.

+Consider [sharing feedback][feedback] for the features that you would like to see in Domain Services.

+If you want to get started with Domain Services again, see [Create and configure a Microsoft Entra Domain Services managed domain][create-instance].

+With Microsoft Entra Domain Services, you can lift-and-shift legacy applications running on-premises into Azure. Microsoft Entra application proxy then helps you support remote workers by securely publishing those internal applications part of a Domain Services managed domain so they can be accessed over the internet.

+With the Microsoft Entra application proxy integrated with Domain Services, publish applications for users to access. For more information, see [publish applications using Microsoft Entra application proxy](../active-directory/app-proxy/application-proxy-add-on-premises-application.md).

+Microsoft Entra Domain Services managed domains are more securely locked down than traditional on-premises AD DS environments, so use a more secure *resource-based* KCD.

+This article shows you how to configure resource-based Kerberos constrained delegation in a Domain Services managed domain.

+* A Windows Server management VM that is joined to the Domain Services managed domain.

+ > Again, the computer account for the web API VM, and the service account for the web app, must be in a custom OU where you have permissions to configure resource-based KCD. You can't configure resource-based KCD for accounts in the built-in *Microsoft Entra DC Computers* or *Microsoft Entra DC Users* containers. This also means that you can't use user accounts synchronized from Microsoft Entra ID to set up resource-based KCD. You must create and use service accounts specifically created in Domain Services.

+ Title: Enable SharePoint User Profile service with Domain Services | Microsoft Docs

+SharePoint Server includes a service to synchronize user profiles. This feature allows user profiles to be stored in a central location and accessible across multiple SharePoint sites and farms. To configure the SharePoint Server user profile service, the appropriate permissions must be granted in a Microsoft Entra Domain Services managed domain. For more information, see [user profile synchronization in SharePoint Server](/SharePoint/administration/user-profile-service-administration).

+This article shows you how to configure Domain Services to allow the SharePoint Server user profile sync service.

+* A Windows Server management VM that is joined to the Domain Services managed domain.

+From your Domain Services management VM, complete the following steps:

+ Title: Microsoft Entra Domain Services feature availability in Azure Government

+description: Learn which Domain Services features are available in Azure Government.

+This following table lists Microsoft Entra Domain Services feature availability in Azure Government.

+description: Learn how to check fleet metrics of a Microsoft Entra Domain Services managed domain.

+Administrators can use Azure Monitor Metrics to configure a scope for Microsoft Entra Domain Services and gain insights into how the service is performing.

+You can access Domain Services metrics from two places:

+- In Azure Monitor Metrics, click **New chart** > **Select a scope** and select the Domain Services instance:

+ :::image type="content" border="true" source="media/fleet-metrics/select.png" alt-text="Screenshot of how to select Domain Services for fleet metrics.":::

+- In Domain Services, under **Monitoring**, click **Metrics**:

+ :::image type="content" border="true" source="media/fleet-metrics/metrics-scope.png" alt-text="Screenshot of how to select Domain Services as scope in Azure Monitor Metrics.":::

+ You can also view metrics for a fleet of Domain Services instances:

+ :::image type="content" border="true" source="media/fleet-metrics/metrics-instance.png" alt-text="Screenshot of how to select a Domain Services instance as the scope for fleet metrics.":::

+ :::image type="content" border="true" source="media/fleet-metrics/combined-metrics-instance.png" alt-text="Screenshot of combined metrics for a Domain Services instance.":::

+The following table describes the metrics that are available for Domain Services.

+You can configure metric alerts for Domain Services to be notified of possible problems. Metric alerts are one type of alert for Azure Monitor. For more information about other types of alerts, see [What are Azure Monitor Alerts?](../azure-monitor/alerts/alerts-overview.md).

+In Azure Monitor or Domain Services Metrics, click **New alert** and configure a Domain Services instance as the scope. Then choose the metrics you want to measure from the list of available signals:

+description: Learn how to retrieve data from Microsoft Entra Domain Services.

+# Microsoft Entra Domain Services instructions for data retrieval

+This document describes how to retrieve data from Microsoft Entra Domain Services.

+To let users sign in to virtual machines (VMs) in Azure using a single set of credentials, you can join VMs to a Microsoft Entra Domain Services managed domain. When you join a VM to a Domain Services managed domain, user accounts and credentials from the domain can be used to sign in and manage servers. Group memberships from the managed domain are also applied to let you control access to files or services on the VM.

+To let users sign in to virtual machines (VMs) in Azure using a single set of credentials, you can join VMs to a Microsoft Entra Domain Services managed domain. When you join a VM to a Domain Services managed domain, user accounts and credentials from the domain can be used to sign in and manage servers. Group memberships from the managed domain are also applied to let you control access to files or services on the VM.

+To let users sign in to virtual machines (VMs) in Azure using a single set of credentials, you can join VMs to a Microsoft Entra Domain Services managed domain. When you join a VM to a Domain Services managed domain, user accounts and credentials from the domain can be used to sign in and manage servers. Group memberships from the managed domain are also applied to let you control access to files or services on the VM.

+To let users sign in to virtual machines (VMs) in Azure using a single set of credentials, you can join VMs to a Microsoft Entra Domain Services managed domain. When you join a VM to a Domain Services managed domain, user accounts and credentials from the domain can be used to sign in and manage servers. Group memberships from the managed domain are also applied to let you control access to files or services on the VM.

+To let users sign in to virtual machines (VMs) in Azure using a single set of credentials, you can join VMs to a Microsoft Entra Domain Services managed domain. When you join a VM to a Domain Services managed domain, user accounts and credentials from the domain can be used to sign in and manage servers. Group memberships from the managed domain are also applied to let you control access to files or services on the VM.

+One of the packages installed in a previous step was for System Security Services Daemon (SSSD). When a user tries to sign in to a VM using domain credentials, SSSD relays the request to an authentication provider. In this scenario, SSSD uses Domain Services to authenticate the request.

+ Title: Use a template to join a Windows VM to Microsoft Entra Domain Services | Microsoft Docs

+To automate the deployment and configuration of Azure virtual machines (VMs), you can use a Resource Manager template. These templates let you create consistent deployments each time. Extensions can also be included in templates to automatically configure a VM as part of the deployment. One useful extension joins VMs to a domain, which can be used with Microsoft Entra Domain Services managed domains.

+This article shows you how to create and join a Windows Server VM to a Domain Services managed domain using Resource Manager templates. You also learn how to join an existing Windows Server VM to a Domain Services domain.

+Microsoft Entra Domain Services provides managed domain services such as domain join, group policy, LDAP, Kerberos/NTLM authentication that is fully compatible with Windows Server Active Directory. With a Domain Services managed domain, you can provide domain join features and management to virtual machines (VMs) in Azure. This tutorial shows you how to create a Windows Server VM then join it to a managed domain.

+* An Azure Bastion host deployed in your Domain Services virtual network.

+If you [delete the VM](#delete-the-vm) without unjoining from the domain, an orphaned computer object is left in Domain Services.

+* Verify the VM is connected to the same virtual network that Domain Services is enabled in, or has a peered network connection.

+* Wait for password synchronization to be completed. When a user account's password is changed, an automatic background synchronization from Microsoft Entra ID updates the password in Domain Services. It takes some time for the password to be available for domain-join use.

+Microsoft Entra Domain Services includes a Domain Name System (DNS) server that provides name resolution for the managed domain. This DNS server includes built-in DNS records and updates for the key components that allow the service to run.

+As you run your own applications and services, you may need to create DNS records for machines that aren't joined to the domain, configure virtual IP addresses for load balancers, or set up external DNS forwarders. Users who belong to the *AAD DC Administrators* group are granted DNS administration privileges on the Domain Services managed domain and can create and edit custom DNS records.

+This article shows you how to install the DNS Server tools then use the DNS console to manage records and create conditional forwarders in Domain Services.

+>Creating or changing root hints or server-level DNS forwarders is not supported and will cause issues for the Domain Services managed domain.

+* Connectivity from your Domain Services virtual network to where your other DNS namespaces are hosted.

+> When you manage records using the DNS Server tools, make sure that you don't delete or modify the built-in DNS records that are used by Domain Services. Built-in DNS records include domain DNS records, name server records, and other records used for DC location. If you modify these records, domain services are disrupted on the virtual network.

+A Domain Services DNS zone should only contain the zone and records for the managed domain itself. Don't create additional zones in the managed domain to resolve named resources in other DNS namespaces. Instead, use conditional forwarders in the managed domain to tell the DNS server where to go in order to resolve addresses for those resources.

+Settings for user and computer objects in Microsoft Entra Domain Services are often managed using Group Policy Objects (GPOs). Domain Services includes built-in GPOs for the *AADDC Users* and *AADDC Computers* containers. You can customize these built-in GPOs to configure Group Policy as needed for your environment. Members of the *Microsoft Entra DC administrators* group have Group Policy administration privileges in the Domain Services domain, and can also create custom GPOs and organizational units (OUs). For more information on what Group Policy is and how it works, see [Group Policy overview][group-policy-overview].

+In a hybrid environment, group policies configured in an on-premises AD DS environment aren't synchronized to Domain Services. To define configuration settings for users or computers in Domain Services, edit one of the default GPOs or create a custom GPO.

+* A Windows Server management VM that is joined to the Domain Services managed domain.

+To group similar policy settings, you often create additional GPOs instead of applying all of the required settings in the single, default GPO. With Domain Services, you can create or import your own custom group policy objects and link them to a custom OU. If you need to first create a custom OU, see [create a custom OU in a managed domain](create-ou.md).

+If a Microsoft Entra Domain Services managed domain shows a mismatched tenant error, you can't administer the managed domain until resolved. This error occurs if the underlying Azure virtual network is moved to a different Microsoft Entra directory.

+A mismatched directory error happens when a Domain Services managed domain and virtual network belong to two different Microsoft Entra tenants. For example, you may have a managed domain called *aaddscontoso.com* that runs in Contoso's Microsoft Entra tenant. However, the Azure virtual network for managed domain is part of the Fabrikam Microsoft Entra tenant.

+Azure role-based access control (Azure RBAC) is used to limit access to resources. When you enable Domain Services in a Microsoft Entra tenant, credential hashes are synchronized to the managed domain. This operation requires you to be a tenant admin for the Microsoft Entra directory, and access to the credentials must be controlled.

+For Azure RBAC to work consistently and secure access to all the resources Domain Services uses, the managed domain and the virtual network must belong to the same Microsoft Entra tenant.

+

+For more information on troubleshooting issues with Domain Services, see the [troubleshooting guide](troubleshoot.md).

+Microsoft Entra Domain Services provides authentication and management services to other applications and workloads. Network connectivity is a key component. Without correctly configured virtual network resources, applications and workloads can't communicate with and use the features provided by Domain Services. Plan your virtual network requirements to make sure that Domain Services can serve your applications and workloads as needed.

+This article outlines design considerations and requirements for an Azure virtual network to support Domain Services.

+To provide network connectivity and allow applications and services to authenticate against a Domain Services managed domain, you use an Azure virtual network and subnet. Ideally, the managed domain should be deployed into its own virtual network.

+You can include a separate application subnet in the same virtual network to host your management VM or light application workloads. A separate virtual network for larger or complex application workloads, peered to the Domain Services virtual network, is usually the most appropriate design.

+As you design the virtual network for Domain Services, the following considerations apply:

+* Domain Services must be deployed into the same Azure region as your virtual network.

+ * At this time, you can only deploy one managed domain per Microsoft Entra tenant. The managed domain is deployed to single region. Make sure that you create or select a virtual network in a [region that supports Domain Services](https://azure.microsoft.com/global-infrastructure/services/?products=active-directory-ds&regions=all).

+ * Domain Services provides its own DNS service. The virtual network must be configured to use these DNS service addresses. Name resolution for additional namespaces can be accomplished using conditional forwarders.

+> You can't move Domain Services to a different virtual network after you've enabled the service.

+A managed domain connects to a subnet in an Azure virtual network. Design this subnet for Domain Services with the following considerations:

+## Connections to the Domain Services virtual network

+## Network resources used by Domain Services

+Don't lock the networking resources used by Domain Services. If networking resources get locked, they can't be deleted. When domain controllers need to be rebuilt in that case, new networking resources with different IP addresses need to be created.

+| Network interface card | Domain Services hosts the managed domain on two domain controllers (DCs) that run on Windows Server as Azure VMs. Each VM has a virtual network interface that connects to your virtual network subnet. |

+| Dynamic standard public IP address | Domain Services communicates with the synchronization and management service using a Standard SKU public IP address. For more information about public IP addresses, see [IP address types and allocation methods in Azure](../virtual-network/ip-services/public-ip-addresses.md). |

+| Azure standard load balancer | Domain Services uses a Standard SKU load balancer for network address translation (NAT) and load balancing (when used with secure LDAP). For more information about Azure load balancers, see [What is Azure Load Balancer?](../load-balancer/load-balancer-overview.md) |

+| Network address translation (NAT) rules | Domain Services creates and uses two Inbound NAT rules on the load balancer for secure PowerShell remoting. If a Standard SKU load balancer is used, it will have an Outbound NAT Rule too. For the Basic SKU load balancer, no Outbound NAT rule is required. |

+> Don't delete or modify any of the network resource created by Domain Services, such as manually configuring the load balancer or rules. If you delete or modify any of the network resources, a Domain Services service outage may occur.

+Domain Services also relies on the Default Security rules AllowVnetInBound and AllowAzureLoadBalancerInBound.

+The AllowAzureLoadBalancerInBound rule is also required so that the service can properly communicate over the loadbalancer to manage the DCs. This network security group secures Domain Services and is required for the managed domain to work correctly. Don't delete this network security group. The load balancer won't work correctly without it.

+User-defined routes aren't created by default, and aren't needed for Domain Services to work correctly. If you're required to use route tables, avoid making any changes to the *0.0.0.0* route. Changes to this route disrupt Domain Services and puts the managed domain in an unsupported state.

+For more information about some of the network resources and connection options used by Domain Services, see the following articles:

+The health of a Microsoft Entra Domain Services managed domain is monitored by the Azure platform. The health status page in the Microsoft Entra admin center shows any alerts for the managed domain. To make sure issues are responded to in a timely manner, email notifications can be configured to report on health alerts as soon as they're detected in the Domain Services managed domain.

+To alert you of issues with a managed domain, you can configure email notifications. These email notifications specify the managed domain that the alert is present on, give the time of detection, and a link to the health page in the Microsoft Entra admin center. You can then follow the provided troubleshooting advice to resolve the issues.

+Domain Services sends email notifications for important updates about the managed domain. These notifications are only for urgent issues that impact the service and should be addressed immediately. Each email notification is triggered by an alert on the managed domain. The alerts also appear in the Microsoft Entra admin center and can be viewed on the [Domain Services health page][check-health].

+Domain Services doesn't send emails for advertisement, updates, or sales purposes.

+### When do I receive email notifications?

+A notification is sent immediately when a [new alert][troubleshoot-alerts] is found on a managed domain. If the alert isn't resolved, another email notification is sent as a reminder every four days.

+The list of email recipients for Domain Services should be composed of people who are able to administer and make changes to the managed domain. This email list should be thought of as your "first responders" to any alerts and issues.

+You can add up to five more recipients for email notifications. If you want more than five recipients for email notifications, create a distribution list and add that to the notification list instead.

+You can also choose to have all *Global Administrators* of the Microsoft Entra directory and every member of the *AAD DC Administrators* group receive email notifications. Domain Services only sends notification to up to 100 email addresses, including the list of global administrators and AAD DC Administrators.

+To review the existing email notification recipients, or add recipients, complete the following steps:

+1. On the left-hand side of the Domain Services resource window, select **Notification settings**. The existing recipients for email notifications are shown.

+If an alert is resolved, the alert is cleared from the Microsoft Entra admin center. The most likely reason is that someone else who receives email notifications resolved the alert on the managed domain, or it was automatically resolved by Azure platform.

+If you're unable to access the notification settings page in the Microsoft Entra admin center, you don't have the permissions to edit the managed domain. Contact a global administrator to either get permissions to edit Domain Services resource or be removed from the recipient list.

+#Customer intent: As an IT administrator or decision maker, I want to understand what Domain Services is and how it can benefit my organization.

+Microsoft Entra Domain Services provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. You use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud.

+A Domain Services managed domain lets you run legacy applications in the cloud that can't use modern authentication methods, or where you don't want directory lookups to always go back to an on-premises AD DS environment. You can lift and shift those legacy applications from your on-premises environment into a managed domain, without needing to manage the AD DS environment in the cloud.

+Domain Services integrates with your existing Microsoft Entra tenant. This integration lets users sign in to services and applications connected to the managed domain using their existing credentials. You can also use existing groups and user accounts to secure access to resources. These features provide a smoother lift-and-shift of on-premises resources to Azure.

+> [To get started, create a Domain Services managed domain using the Microsoft Entra admin center][tutorial-create]

+Take a look at our short video to learn more about Domain Services.

+## How does Domain Services work?

+When you create a Domain Services managed domain, you define a unique namespace. This namespace is the domain name, such as *aaddscontoso.com*. Two Windows Server domain controllers (DCs) are then deployed into your selected Azure region. This deployment of DCs is known as a replica set.

+Domain Services replicates identity information from Microsoft Entra ID, so it works with Microsoft Entra tenants that are cloud-only, or synchronized with an on-premises AD DS environment. The same set of Domain Services features exists for both environments.

+* For cloud-only environments, you don't need a traditional on-premises AD DS environment to use the centralized identity services of Domain Services.

+You can expand a managed domain to have more than one replica set per Microsoft Entra tenant. Replica sets can be added to any peered virtual network in any Azure region that supports Domain Services. By adding replica sets in different Azure regions, you can provide geographical disaster recovery for legacy applications if an Azure region goes offline. For more information, see [Replica sets concepts and features for managed domains][concepts-replica-sets].

+Take a look at this video about how Domain Services integrates with your applications and workloads to provide identity services in the cloud:

+To see Domain Services deployment scenarios in action, you can explore the following examples:

+* [Domain Services for hybrid organizations](scenarios.md#azure-ad-ds-for-hybrid-organizations)

+* [Domain Services for cloud-only organizations](scenarios.md#azure-ad-ds-for-cloud-only-organizations)

+## Domain Services features and benefits

+To provide identity services to applications and VMs in the cloud, Domain Services is fully compatible with a traditional AD DS environment for operations such as domain-join, secure LDAP (LDAPS), Group Policy, DNS management, and LDAP bind and read support. LDAP write support is available for objects created in the managed domain, but not resources synchronized from Microsoft Entra ID.

+To learn more about your identity options, [compare Domain Services with Microsoft Entra ID, AD DS on Azure VMs, and AD DS on-premises][compare].

+The following features of Domain Services simplify deployment and management operations:

+* **Simplified deployment experience:** Domain Services is enabled for your Microsoft Entra tenant using a single wizard in the Microsoft Entra admin center.

+* **Integrated with Microsoft Entra ID:** User accounts, group memberships, and credentials are automatically available from your Microsoft Entra tenant. New users, groups, or changes to attributes from your Microsoft Entra tenant or your on-premises AD DS environment are automatically synchronized to Domain Services.

+ * Accounts in external directories linked to your Microsoft Entra ID aren't available in Domain Services. Credentials aren't available for those external directories, so can't be synchronized into a managed domain.

+* **Use your corporate credentials/passwords:** Passwords for users in Domain Services are the same as in your Microsoft Entra tenant. Users can use their corporate credentials to domain-join machines, sign in interactively or over remote desktop, and authenticate against the managed domain.

+* **High availability:** Domain Services includes multiple domain controllers, which provide high availability for your managed domain. This high availability guarantees service uptime and resilience to failures.

+ * If needed, you can create one-way outbound forest trusts from Domain Services to an on-premises AD DS environment. For more information, see [Forest concepts and features for Domain Services][forest-trusts].

+To learn more about Domain Services compares with other identity solutions and how synchronization works, see the following articles:

+* [Compare Domain Services with Microsoft Entra ID, Active Directory Domain Services on Azure VMs, and Active Directory Domain Services on-premises][compare]

+* To learn how to administrator a managed domain, see [management concepts for user accounts, passwords, and administration in Domain Services][administration-concepts].

+description: Learn how and why to use fine-grained password policies to secure and control account passwords in a Domain Services managed domain.

+To manage user security in Microsoft Entra Domain Services, you can define fine-grained password policies that control account lockout settings or minimum password length and complexity. A default fine grained password policy is created and applied to all users in a Domain Services managed domain. To provide granular control and meet specific business or compliance needs, additional policies can be created and applied to specific users or groups.

+This article shows you how to create and configure a fine-grained password policy in Domain Services using the Active Directory Administrative Center.

+Password policies behave a little differently depending on how the user account they're applied to was created. There are two ways a user account can be created in Domain

+ * The majority of user accounts in Domain Services are created through the synchronization process from Microsoft Entra ID.

+All users, regardless of how they're created, have the following account lockout policies applied by the default password policy in Domain

+Account lockouts only occur within the managed domain. User accounts are only locked out in Domain Services, and only due to failed sign-in attempts against the managed domain. User accounts that were synchronized in from Microsoft Entra ID or on-premises aren't locked out in their source directories, only in Domain Services.

+If you have a Microsoft Entra password policy that specifies a maximum password age greater than 90 days, that password age is applied to the default policy in Domain Services. You can configure a custom password policy to define a different maximum password age in Domain Services. Take care if you have a shorter maximum password age configured in a Domain Services password policy than in Microsoft Entra ID or an on-premises AD DS environment. In that scenario, a user's password may expire in Domain Services before they're prompted to change in Microsoft Entra ID or an on-premises AD DS environment.

+For user accounts created manually in a managed domain, the following additional password settings are also applied from the default policy. These settings don't apply to user accounts synchronized in from Microsoft Entra ID, as a user can't update their password directly in Domain Services.

+Microsoft Entra Domain Services provides managed domain services such as domain join, group policy, LDAP, Kerberos/NTLM authentication that is fully compatible with Windows Server Active Directory. You consume these domain services without deploying, managing, and patching domain controllers yourself. Domain Services integrates with your existing Microsoft Entra tenant. This integration lets users sign in using their corporate credentials, and you can use existing groups and user accounts to secure access to resources.

+This article shows you how to enable Domain Services using PowerShell.

+* You need *global administrator* privileges in your Microsoft Entra tenant to enable Domain Services.

+* You need *Contributor* privileges in your Azure subscription to create the required Domain Services resources.

+Domain Services requires a service principal to authenticate and communicate and a Microsoft Entra group to define which users have administrative permissions in the managed domain.

+Create the virtual network and subnets for Microsoft Entra Domain Services. Two subnets are created - one for *DomainServices*, and one for *Workloads*. Domain Services is deployed into the dedicated *DomainServices* subnet. Don't deploy other applications or workloads into this subnet. Use the separate *Workloads* or other subnets for the rest of your VMs.

+Domain Services needs a network security group to secure the ports needed for the managed domain and block all other incoming traffic. A [network security group (NSG)][nsg-overview] contains a list of rules that allow or deny network traffic to traffic in an Azure virtual network. In Domain Services, the network security group acts as an extra layer of protection to lock down access to the managed domain. To view the ports required, see [Network security groups and required ports][network-ports].

+If you choose a region that supports Availability Zones, the Domain Services resources are distributed across zones for redundancy.

+There's nothing for you to configure for Domain Services to be distributed across zones. The Azure platform automatically handles the zone distribution of resources. For more information and to see region availability, see [What are Availability Zones in Azure?][availability-zones].

+* [Enable password synchronization to Domain Services](tutorial-create-instance.md#enable-user-accounts-for-azure-ad-ds) so end users can sign in to the managed domain using their corporate credentials.

+> To enable Domain Services, you must be a global administrator for the Microsoft Entra tenant. You also need at least *Contributor* privileges in the Azure subscription.

+* [Enable password synchronization to Domain Services](tutorial-create-instance.md#enable-user-accounts-for-azure-ad-ds) so end users can sign in to the managed domain using their corporate credentials.

+To provide authentication services, Microsoft Entra Domain Services synchronizes users and groups from Microsoft Entra ID. In a hybrid environment, users and groups from an on-premises Active Directory Domain Services (AD DS) environment can be first synchronized to Microsoft Entra ID using Microsoft Entra Connect, and then synchronized to Domain Services.

+By default, all users and groups from a Microsoft Entra directory are synchronized to a Domain Services managed domain. If you have specific needs, you can instead choose to synchronize only a defined set of users.

+* You need [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Microsoft Entra roles in your tenant to change the Domain Services synchronization scope.

+This script configures Domain Services to synchronize selected groups from Microsoft Entra ID. All user accounts that are part of the specified groups are synchronized to the managed domain.

+1. First set *"filteredSync" = "Enabled"* on the Domain Services resource, then update the managed domain.

+To disable group-based scoped synchronization for a managed domain, set *"filteredSync" = "Disabled"* on the Domain Services resource, then update the managed domain. When complete, all users and groups are set to synchronize from Microsoft Entra ID.

+To provide authentication services, Microsoft Entra Domain Services synchronizes users and groups from Microsoft Entra ID. In a hybrid environment, users and groups from an on-premises Active Directory Domain Services (AD DS) environment can be first synchronized to Microsoft Entra ID using Microsoft Entra Connect, and then synchronized to a Domain Services managed domain.

+By default, all users and groups from a Microsoft Entra directory are synchronized to a managed domain. If only some users need to use Domain Services, you can instead choose to synchronize only groups of users. You can filter synchronization for groups on-premises, cloud only, or both.

+* You need [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Microsoft Entra roles in your tenant to change the Domain Services synchronization scope.

+1. To filter synchronization for selected groups, click **Show selected groups**, choose whether to synchronize cloud-only groups, on-premises groups, or both. For example, the following screenshot shows how to synchronize only three groups that were created in Microsoft Entra ID. Only users who belong to those groups will have their accounts synchronized to Domain Services.

+To secure remote access to virtual machines (VMs) that run in a Microsoft Entra Domain Services managed domain, you can use Remote Desktop Services (RDS) and Network Policy Server (NPS). Domain Services authenticates users as they request access through the RDS environment. For enhanced security, you can integrate Microsoft Entra multifactor authentication to provide another authentication prompt during sign-in events. Microsoft Entra multifactor authentication uses an extension for NPS to provide this feature.

+> The recommended way to securely connect to your VMs in a Domain Services managed domain is using Azure Bastion, a fully platform-managed PaaS service that you provision inside your virtual network. A bastion host provides secure and seamless Remote Desktop Protocol (RDP) connectivity to your VMs directly in the Azure portal over SSL. When you connect via a bastion host, your VMs don't need a public IP address, and you don't need to use network security groups to expose access to RDP on TCP port 3389.

+> We strongly recommend that you use Azure Bastion in all regions where it's supported. In regions without Azure Bastion availability, follow the steps detailed in this article until Azure Bastion is available. Take care with assigning public IP addresses to VMs joined to Domain Services where all incoming RDP traffic is allowed.

+This article shows you how to configure RDS in Domain Services and optionally use the Microsoft Entra multifactor authentication NPS extension.

+To get started, create a minimum of two Azure VMs that run Windows Server 2016 or Windows Server 2019. For redundancy and high availability of your Remote Desktop (RD) environment, you can add and load balance hosts later.

+Make sure that VMs are deployed into a *workloads* subnet of your Domain Services virtual network, then join the VMs to managed domain. For more information, see how to [create and join a Windows Server VM to a managed domain][tutorial-create-join-vm].

+ * Specific to Domain Services - when you configure RD licensing, set it to **Per Device** mode, not **Per User** as noted in the deployment guide.

+If you want to increase the security of the user sign-in experience, you can optionally integrate the RD environment with Microsoft Entra multifactor authentication. With this configuration, users receive another prompt during sign-in to confirm their identity.

+To provide this capability, a Network Policy Server (NPS) is installed in your environment along with the Microsoft Entra multifactor authentication NPS extension. This extension integrates with Microsoft Entra ID to request and return the status of multifactor authentication prompts.

+Users must be [registered to use Microsoft Entra multifactor authentication][user-mfa-registration], which may require other Microsoft Entra ID licenses.

+To integrate Microsoft Entra multifactor authentication in to your Remote Desktop environment, create an NPS Server and install the extension:

+1. Create another Windows Server 2016 or 2019 VM, such as *NPSVM01*, that's connected to a *workloads* subnet in your Domain Services virtual network. Join the VM to the managed domain.

+The following configuration options are needed to integrate with a managed domain:

+Users are now prompted for another authentication factor when they sign in, such as a text message or prompt in the Microsoft Authenticator app.

+By default, Microsoft Entra Domain Services enables the use of ciphers such as NTLM v1 and TLS v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if you don't need them. If you have on-premises hybrid connectivity using Microsoft Entra Connect, you can also disable the synchronization of NTLM password hashes.

+- If the assignment is **Audit**, the compliance will report if the Domain Services instance is compliant.

+- If the assignment is **Deny**, the compliance will prevent a Domain Services instance from being created if TLS 1.2 is not required and prevent any update to a Domain Services instance until TLS 1.2 is required.

+To disable weak cipher suites and NTLM credential hash synchronization, sign in to your Azure account, then get the Domain Services resource using the [Get-AzResource][Get-AzResource] cmdlet:

+> Users and service accounts can't perform LDAP simple binds if you disable NTLM password hash synchronization in the Domain Services managed domain. If you need to perform LDAP simple binds, don't set the *"SyncNtlmPasswords"="Disabled";* security configuration option in the following command.

+Finally, apply the defined security settings to the managed domain using the [Set-AzResource][Set-AzResource] cmdlet. Specify the Domain Services resource from the first step, and the security settings from the previous step.

+Microsoft Entra Domain Services security and DNS audits let Azure stream events to targeted resources. These resources include Azure Storage, Azure Log Analytics workspaces, or Azure Event Hub. After you enable security audit events, Domain Services sends all the audited events for the selected category to the targeted resource.

+You can use Azure Storage, Azure Event Hubs, or Azure Log Analytics workspaces as a target resource for Domain Services security audits. These destinations can be combined. For example, you could use Azure Storage for archiving security audit events, but an Azure Log Analytics workspace to analyze and report on the information in the short term.

+> You need to create the target resource before you enable Domain Services security audits. You can create these resources using the Microsoft Entra admin center, Azure PowerShell, or the Azure CLI.

+|Azure Storage| This target should be used when your primary need is to store security audit events for archival purposes. Other targets can be used for archival purposes, however those targets provide capabilities beyond the primary need of archiving. <br /><br />Before you enable Domain Services security audit events, first [Create an Azure Storage account](../storage/common/storage-account-create.md).|

+|Azure Event Hubs| This target should be used when your primary need is to share security audit events with additional software such as data analysis software or security information & event management (SIEM) software.<br /><br />Before you enable Domain Services security audit events, [Create an event hub using Microsoft Entra admin center](../event-hubs/event-hubs-create.md)|

+|Azure Log Analytics Workspace| This target should be used when your primary need is to analyze and review secure audits from the Microsoft Entra admin center directly.<br /><br />Before you enable Domain Services security audit events, [Create a Log Analytics workspace in the Microsoft Entra admin center.](../azure-monitor/logs/quick-create-workspace.md)|

+To enable Domain Services security audit events using the Microsoft Entra admin center, complete the following steps.

+> Domain Services security audits aren't retroactive. You can't retrieve or replay events from the past. Domain Services can only send events that occur after security audits are enabled.

+1. In the Domain Services window, select **Diagnostic settings** on the left-hand side.

+1. When done, select **Save** to commit your changes. The target resources start to receive Domain Services audit events soon after the configuration is saved.

+To enable Domain Services security and DNS audit events using Azure PowerShell, complete the following steps. If needed, first [install the Azure PowerShell module and connect to your Azure subscription](/powershell/azure/install-azure-powershell).

+> Domain Services audits aren't retroactive. You can't retrieve or replay events from the past. Domain Services can only send events that occur after audits are enabled.

+ * **Azure event hubs** - [Create an event hub using Azure PowerShell](../event-hubs/event-hubs-quickstart-powershell.md). You may also need to use the [New-AzEventHubAuthorizationRule](/powershell/module/az.eventhub/new-azeventhubauthorizationrule) cmdlet to create an authorization rule that grants Domain Services permissions to the event hub *namespace*. The authorization rule must include the **Manage**, **Listen**, and **Send** rights.

+1. Get the resource ID for your Domain Services managed domain using the [Get-AzResource](/powershell/module/Az.Resources/Get-AzResource) cmdlet. Create a variable named *$aadds.ResourceId* to hold the value:

+The following sample queries can be used to start analyzing audit events from Domain Services.

+Domain Services security and DNS audits align with traditional auditing for traditional AD DS domain controllers. In hybrid environments, you can reuse existing audit patterns so the same logic may be used when analyzing the events. Depending on the scenario you need to troubleshoot or analyze, the different audit event categories need to be targeted.

+ Domain Services security and DNS audits record the following event IDs when the specific action triggers an auditable event:

+description: Learn about the different health states for a Microsoft Entra Domain Services managed domain and how to restore a suspended domain.

+When Microsoft Entra Domain Services is unable to service a managed domain for a long period of time, it puts the managed domain into a suspended state. If a managed domain remains in a suspended state, it's automatically deleted. To keep your Domain Services managed domain healthy and avoid suspension, resolve any alerts as quickly as you can.

+ * Critical alerts can be caused by a misconfiguration that blocks access to resources that are needed by Domain Services. For example, the alert [AADDS104: Network Error][alert-nsg] has been unresolved for more than 15 days in the managed domain.

+You see an [alert][resolve-alerts] on the Domain Services Health page in the Microsoft Entra admin center that notes the domain is suspended. The state of the domain also shows *Suspended*.

+* You can't restore the managed domain. You must create a replacement managed domain to reuse Domain Services.

+description: Learn how the synchronization process works between Microsoft Entra or an on-premises environment to a Microsoft Entra Domain Services managed domain.

+Objects and credentials in a Microsoft Entra Domain Services managed domain can either be created locally within the domain, or synchronized from a Microsoft Entra tenant. When you first deploy Domain Services, an automatic one-way synchronization is configured and started to replicate the objects from Microsoft Entra ID. This one-way synchronization continues to run in the background to keep the Domain Services managed domain up-to-date with any changes from Microsoft Entra ID. No synchronization occurs from Domain Services back to Microsoft Entra ID.

+The following diagram illustrates how synchronization works between Domain Services, Microsoft Entra ID, and an optional on-premises AD DS environment:

+## Synchronization from Microsoft Entra ID to Domain Services

+User accounts, group memberships, and credential hashes are synchronized one way from Microsoft Entra ID to Domain Services. This synchronization process is automatic. You don't need to configure, monitor, or manage this synchronization process. The initial synchronization may take a few hours to a couple of days, depending on the number of objects in the Microsoft Entra directory. After the initial synchronization is complete, changes that are made in Microsoft Entra ID, such as password or attribute changes, are then automatically synchronized to Domain Services.

+When a user is created in Microsoft Entra ID, they're not synchronized to Domain Services until they change their password in Microsoft Entra ID. This password change process causes the password hashes for Kerberos and NTLM authentication to be generated and stored in Microsoft Entra ID. The password hashes are needed to successfully authenticate a user in Domain Services.

+The synchronization process is one-way by design. There's no reverse synchronization of changes from Domain Services back to Microsoft Entra ID. A managed domain is largely read-only except for custom OUs that you can create. You can't make changes to user attributes, user passwords, or group memberships within a managed domain.

+## Attribute synchronization and mapping to Domain Services

+The following table lists some common attributes and how they're synchronized to Domain Services.

+| Attribute in Domain Services | Source | Notes |

+| UPN | User's *UPN* attribute in Microsoft Entra tenant | The UPN attribute from the Microsoft Entra tenant is synchronized as-is to Domain Services. The most reliable way to sign in to a managed domain is using the UPN. |

+| Primary user/group SID | Autogenerated | The primary SID for user/group accounts is autogenerated in Domain Services. This attribute doesn't match the primary user/group SID of the object in an on-premises AD DS environment. This mismatch is because the managed domain has a different SID namespace than the on-premises AD DS domain. |

+| SID history for users and groups | On-premises primary user and group SID | The *SidHistory* attribute for users and groups in Domain Services is set to match the corresponding primary user or group SID in an on-premises AD DS environment. This feature helps make lift-and-shift of on-premises applications to Domain Services easier as you don't need to re-ACL resources. |

+The following table illustrates how specific attributes for user objects in Microsoft Entra ID are synchronized to corresponding attributes in Domain Services.

+| User attribute in Microsoft Entra ID | User attribute in Domain Services |

+The following table illustrates how specific attributes for group objects in Microsoft Entra ID are synchronized to corresponding attributes in Domain Services.

+| Group attribute in Microsoft Entra ID | Group attribute in Domain Services |

+## Synchronization from on-premises AD DS to Microsoft Entra ID and Domain Services

+Microsoft Entra Connect is used to synchronize user accounts, group memberships, and credential hashes from an on-premises AD DS environment to Microsoft Entra ID. Attributes of user accounts such as the UPN and on-premises security identifier (SID) are synchronized. To sign in using Domain Services, legacy password hashes required for NTLM and Kerberos authentication are also synchronized to Microsoft Entra ID.

+As previously detailed, there's no synchronization from Domain Services back to Microsoft Entra ID. You can [create a custom Organizational Unit (OU)](create-ou.md) in Domain Services and then users, groups, or service accounts within those custom OUs. None of the objects created in custom OUs are synchronized back to Microsoft Entra ID. These objects are available only within the managed domain, and aren't visible using Microsoft Graph PowerShell cmdlets, Microsoft Graph API, or using the Microsoft Entra admin center.

+## What isn't synchronized to Domain Services

+The following objects or attributes aren't synchronized from an on-premises AD DS environment to Microsoft Entra ID or Domain

+* **Excluded attributes:** You can choose to exclude certain attributes from synchronizing to Microsoft Entra ID from an on-premises AD DS environment using Microsoft Entra Connect. These excluded attributes aren't then available in Domain Services.

+* **Group Policies:** Group Policies configured in an on-premises AD DS environment aren't synchronized to Domain Services.

+* **Sysvol folder:** The contents of the *Sysvol* folder in an on-premises AD DS environment aren't synchronized to Domain Services.

+* **Computer objects:** Computer objects for computers joined to an on-premises AD DS environment aren't synchronized to Domain Services. These computers don't have a trust relationship with the managed domain and only belong to the on-premises AD DS environment. In Domain Services, only computer objects for computers that have explicitly domain-joined to the managed domain are shown.

+* **SidHistory attributes for users and groups:** The primary user and primary group SIDs from an on-premises AD DS environment are synchronized to Domain Services. However, existing *SidHistory* attributes for users and groups aren't synchronized from the on-premises AD DS environment to Domain Services.

+* **Organization Units (OU) structures:** Organizational Units defined in an on-premises AD DS environment don't synchronize to Domain Services. There are two built-in OUs in Domain Services - one for users, and one for computers. The managed domain has a flat OU structure. You can choose to [create a custom OU in your managed domain](create-ou.md).

+When you enable Domain Services, legacy password hashes for NTLM and Kerberos authentication are required. Microsoft Entra ID doesn't store clear-text passwords, so these hashes can't be automatically generated for existing user accounts. NTLM and Kerberos compatible password hashes are always stored in an encrypted manner in Microsoft Entra ID.

+The encryption keys are unique to each Microsoft Entra tenant. These hashes are encrypted such that only Domain Services has access to the decryption keys. No other service or component in Microsoft Entra ID has access to the decryption keys.

+Legacy password hashes are then synchronized from Microsoft Entra ID into the domain controllers for a managed domain. The disks for these managed domain controllers in Domain Services are encrypted at rest. These password hashes are stored and secured on these domain controllers similar to how passwords are stored and secured in an on-premises AD DS environment.

+For cloud-only Microsoft Entra environments, [users must reset/change their password](tutorial-create-instance.md#enable-user-accounts-for-azure-ad-ds) in order for the required password hashes to be generated and stored in Microsoft Entra ID. For any cloud user account created in Microsoft Entra ID after enabling Microsoft Entra Domain Services, the password hashes are generated and stored in the NTLM and Kerberos compatible formats. All cloud user accounts must change their password before they're synchronized to Domain Services.

+To get started with Domain Services, [create a managed domain](tutorial-create-instance.md).

+Microsoft Entra Domain Services provides managed domain services such as domain join, group policy, LDAP, Kerberos/NTLM authentication that is fully compatible with Windows Server Active Directory. You consume these domain services without deploying, managing, and patching domain controllers yourself. Domain Services integrates with your existing Microsoft Entra tenant. This integration lets users sign in using their corporate credentials, and you can use existing groups and user accounts to secure access to resources.

+* You need [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Microsoft Entra roles in your tenant to enable Domain Services.

+* You need Domain Services Contributor Azure role to create the required Domain Services resources.

+When you create a Domain Services managed domain, you specify a DNS name. There are some considerations when you choose this DNS name:

+Domain Services requires a service principal and a Microsoft Entra group. These resources let the managed domain synchronize data, and define which users have administrative permissions in the managed domain.

+Create a Microsoft Entra service principal using the [New-AzureADServicePrincipal][New-AzureADServicePrincipal] cmdlet for Domain Services to communicate and authenticate itself. A specific application ID is used named *Domain Controller Services* with an ID of *2565bd9d-da50-47d4-8b85-4c97f669dc36* for Azure Global. For other Azure clouds, search for AppId value *6ba9a5d4-8456-4118-b521-9c5ca10cdf84*.

+If you choose a region that supports Availability Zones, the Domain Services resources are distributed across zones for additional redundancy. Availability Zones are unique physical locations within an Azure region. Each zone is made up of one or more datacenters equipped with independent power, cooling, and networking. To ensure resiliency, there's a minimum of three separate zones in all enabled regions.

+There's nothing for you to configure for Domain Services to be distributed across zones. The Azure platform automatically handles the zone distribution of resources. For more information and to see region availability, see [What are Availability Zones in Azure?][availability-zones].

+## Resource definition for Domain Services

+| filteredSync | Domain Services lets you synchronize *all* users and groups available in Microsoft Entra ID, or a *scoped* synchronization of only specific groups.<br /><br /> For more information about scoped synchronization, see [Microsoft Entra Domain Services scoped synchronization][scoped-sync].|

+| domainConfigurationType | By default, a managed domain is created as a *User* forest. This type of forest synchronizes all objects from Microsoft Entra ID, including any user accounts created in an on-premises AD DS environment. You don't need to specify a *domainConfiguration* value to create a user forest.<br /><br /> A *Resource* forest only synchronizes users and groups created directly in Microsoft Entra ID. Set the value to *ResourceTrusting* to create a resource forest.<br /><br />For more information on *Resource* forests, including why you may use one and how to create forest trusts with on-premises AD DS domains, see [Domain Services resource forests overview][resource-forests].|

+* [Enable password synchronization to Domain Services](tutorial-create-instance.md#enable-user-accounts-for-azure-ad-ds) so end users can sign in to the managed domain using their corporate credentials.

+To prevent repeated malicious sign-in attempts, a Microsoft Entra Domain Services managed domain locks accounts after a defined threshold. This account lockout can also happen by accident without a sign-in attack incident. For example, if a user repeatedly enters the wrong password or a service attempts to use an old password, the account gets locked out.

+A user account in a Domain Services managed domain is locked out when a defined threshold for unsuccessful sign-in attempts has been met. This account lockout behavior is designed to protect you from repeated brute-force sign-in attempts that may indicate an automated digital attack.

+For more information on fine-grained password policies, and the differences between users created directly in Domain Services versus synchronized in from Microsoft Entra ID, see [Configure password and account lockout policies][configure-fgpp].

+To troubleshoot when account lockout events occur and where they're coming from, [enable security audits for Domain Services][security-audit-events]. Audit events are only captured from the time you enable the feature. Ideally, you should enable security audits *before* there's an account lockout issue to troubleshoot. If a user account repeatedly has lockout issues, you can enable security audits ready for the next time the situation occurs.

+For example, a RADIUS server can forward the authentication to Domain Services.

+As a central part of identity and authentication for applications, Microsoft Entra Domain Services sometimes has problems. If you run into issues, there are some common alerts and associated troubleshooting steps to help you get things running again. At any time, you can also [open an Azure support request][azure-support] for more troubleshooting help.

+This article provides troubleshooting information for common alerts in Domain Services.

+This error is usually caused when an Azure subscription is moved to a new Microsoft Entra directory and the old Microsoft Entra directory that's associated with Domain Services is deleted.

+This error is unrecoverable. To resolve the alert, [delete your existing managed domain](delete-aadds.md) and recreate it in your new directory. If you have trouble deleting the managed domain, [open an Azure support request][azure-support] for more troubleshooting help.

+Domain Services automatically synchronizes with a Microsoft Entra directory. If the Microsoft Entra directory is configured for B2C, Domain Services can't be deployed and synchronized.

+To use Domain Services, you must recreate your managed domain in a non-Azure AD B2C directory using the following steps:

+Inside a virtual network, VMs can make requests to Azure resources in the same IP address range as configured for the subnet. If you configure a public IP address range for a subnet, requests routed within a virtual network may not reach the intended web resources. This configuration can lead to unpredictable errors with Domain Services.

+1. To update the virtual network IP address range, search for and select *Virtual network* in the Microsoft Entra admin center. Select the virtual network for Domain Services that incorrectly has a public IP address range set.

+1. Update the address range by choosing the existing address range and editing it, or by adding an address range. Make sure the new IP address range is in a private IP range. When ready, **Save** the changes.

+1. Choose the subnet you wish to edit, or create another subnet.

+Domain Services requires an active subscription, and can't be moved to a different subscription. If the Azure subscription that the managed domain was associated with is deleted, you must recreate an Azure subscription and managed domain.

+Domain Services requires an active subscription. If the Azure subscription that the managed domain was associated with isn't active, you must renew it to reactivate the subscription.

+2. Once the subscription is renewed, a Domain Services notification lets you re-enable the managed domain.

+Domain Services requires an active subscription, and can't be moved to a different subscription. If the Azure subscription that the managed domain was associated with is moved, move the subscription back to the previous directory, or [delete your managed domain](delete-aadds.md) from the existing directory and [create a replacement managed domain in the chosen subscription](tutorial-create-instance.md).

+Domain Services creates resources to function properly, such as public IP addresses, virtual network interfaces, and a load balancer. If any of these resources are deleted, the managed domain is in an unsupported state and prevents the domain from being managed. For more information on these resources, see [Network resources used by Domain Services](network-considerations.md#network-resources-used-by-azure-ad-ds).

+The virtual network subnet for Domain Services needs sufficient IP addresses for the automatically created resources. This IP address space includes the need to create replacement resources if there's a maintenance event. To minimize the risk of running out of available IP addresses, don't deploy other resources, such as your own VMs, into the same virtual network subnet as the managed domain.

+This error is unrecoverable. To resolve the alert, [delete your existing managed domain](delete-aadds.md) and recreate it. If you have trouble deleting the managed domain, [open an Azure support request][azure-support] for more help.

+The virtual network subnet for Domain Services needs enough IP addresses for the automatically created resources. This IP address space includes the need to create replacement resources if there's a maintenance event. To minimize the risk of running out of available IP addresses, don't deploy other resources, such as your own VMs, into the same virtual network subnet as the managed domain.

+1. Update the address range by choosing the existing address range and editing it, or by adding another address range. Make sure the new IP address range is large enough for the managed domain's subnet range. When ready, **Save** the changes.

+1. Choose the subnet you wish to edit, or create another subnet.

+Domain Services creates resources to function properly, such as public IP addresses, virtual network interfaces, and a load balancer. If any of these resources are modified, the managed domain is in an unsupported state and can't be managed. For more information about these resources, see [Network resources used by Domain Services](network-considerations.md#network-resources-used-by-azure-ad-ds).

+This alert is generated when one of these required resources is modified and can't automatically be recovered by Domain Services. To resolve the alert, [open an Azure support request][azure-support] to fix the instance.

+This error is unrecoverable. To resolve the alert, [delete your existing managed domain](delete-aadds.md) and recreate it. If you have trouble deleting the managed domain, [open an Azure support request][azure-support] for more help.

+Resource locks can be applied to Azure resources to prevent change or deletion. As Domain Services is a managed service, the Azure platform needs the ability to make configuration changes. If a resource lock is applied on some of the Domain Services components, the Azure platform can't perform its management tasks.

+To check for resource locks on the Domain Services components and remove them, complete the following steps:

+Policies are applied to Azure resources and resource groups that control what configuration actions are allowed. As Domain Services is a managed service, the Azure platform needs the ability to make configuration changes. If a policy is applied on some of the Domain Services components, the Azure platform may not be able to perform its management tasks.

+To check for applied policies on the Domain Services components and update them, complete the following steps:

+Review the [Domain Services Health](check-health.md) alert and see which Microsoft Entra extension properties failed to onboard successfully. Navigate to the **Custom Attributes** page to find the expected Domain Services LDAPName of the extension. Make sure the LDAPName doesn't conflict with another AD schema attribute, or that it's one of the allowed built-in AD attributes.

+Upon successful onboarding, Domain Services will back fill synchronized users and groups with the onboarded custom attribute values. The custom attribute values appear gradually, depending on the size of the tenant. To check the backfill status, go to [Domain Services Health](check-health.md) and verify the **Synchronization with Microsoft Entra ID** monitor timestamp has updated within the last hour.

+[Check the Domain Services health](check-health.md) for any alerts that indicate problems in the configuration of the managed domain. Problems with the network configuration can block the synchronization from Microsoft Entra ID. If you're able to resolve alerts that indicate a configuration issue, wait two hours and check back to see if the synchronization has successfully completed.

+* Required network connectivity is blocked. To learn more about how to check the Azure virtual network for problems and what's required, see [troubleshoot network security groups](alert-nsg.md) and the [network requirements for Domain Services](network-considerations.md).

+[Check the Domain Services health](check-health.md) for alerts that indicate problems in the configuration of the managed domain. Problems with the network configuration can block the Azure platform from successfully taking backups. If you're able to resolve alerts that indicate a configuration issue, wait two hours and check back to see if the synchronization has successfully completed.

+> If a managed domain is suspended for an extended period of time, there's a danger of it being deleted. Resolve the reason for suspension as quickly as possible. For more information, see [Understand the suspended states for Domain Services](suspension.md).

+Domain Services requires an active subscription. If the Azure subscription that the managed domain was associated with isn't active, you must renew it to reactivate the subscription.

+2. Once the subscription is renewed, a Domain Services notification lets you re-enable the managed domain.

+> If a managed domain is suspended for an extended period of time, there's a danger of it being deleted. Resolve the reason for suspension as quickly as possible. For more information, see [Understand the suspended states for Domain Services](suspension.md).

+[Check the Domain Services health](check-health.md) for alerts that indicate problems in the configuration of the managed domain. If you're able to resolve alerts that indicate a configuration issue, wait two hours and check back to see if the synchronization has completed. When ready, [open an Azure support request][azure-support] to re-enable the managed domain.

+> If a managed domain is suspended for an extended period of time, there's a danger of it being deleted. Resolve the reason for suspension as quickly as possible. For more information, see [Understand the suspended states for Domain Services](suspension.md).

+[Check the Domain Services health](check-health.md) for alerts that indicate problems in the configuration of the managed domain. If you're able to resolve alerts that indicate a configuration issue, wait six hours and check back to see if the alert is removed. [Open an Azure support request][azure-support] if you need assistance.

+If you still have issues, [open an Azure support request][azure-support] for more troubleshooting help.

+When you try to join a virtual machine (VM) or connect an application to a Microsoft Entra Domain Services managed domain, you may get an error that you're unable to do so. To troubleshoot domain-join problems, review at which of the following points you have an issue:

+* If you don't receive an authentication prompt, the VM or application can't connect to the Domain Services managed domain.

+When you create a managed domain, a network security group is also created with the appropriate rules for successful domain operation. If you edit or create additional network security group rules, you may unintentionally block ports required for Domain Services to provide connection and authentication services. These network security group rules can cause issues such as password sync not completing, users not being able to sign in, or domain-join issues.

+The most common reasons for a user account that can't sign in to a Microsoft Entra Domain Services managed domain include the following scenarios:

+* [The account isn't synchronized into Domain Services yet.](#account-isnt-synchronized-into-azure-ad-ds-yet)

+* [Domain Services doesn't have the password hashes to let the account sign in.](#azure-ad-ds-doesnt-have-the-password-hashes)

+> Domain Services can't synchronize in credentials for accounts that are external to the Microsoft Entra tenant. External users can't sign in to the Domain Services managed domain.

+## Account isn't synchronized into Domain Services yet

+For hybrid environments that user Microsoft Entra Connect to synchronize on-premises directory data into Microsoft Entra ID, make sure that you run the latest version of Microsoft Entra Connect and have [configured Microsoft Entra Connect to perform a full synchronization after enabling Domain Services][azure-ad-connect-phs]. If you disable Domain Services and then re-enable, you have to follow these steps again.

+## Domain Services doesn't have the password hashes

+Microsoft Entra ID doesn't generate or store password hashes in the format that's required for NTLM or Kerberos authentication until you enable Domain Services for your tenant. For security reasons, Microsoft Entra ID also doesn't store any password credentials in clear-text form. Therefore, Microsoft Entra ID can't automatically generate these NTLM or Kerberos password hashes based on users' existing credentials.

+For hybrid environments using Microsoft Entra Connect to synchronize from an on-premises AD DS environment, you can locally generate and synchronize the required NTLM or Kerberos password hashes into Microsoft Entra ID. After you create your managed domain, [enable password hash synchronization to Microsoft Entra Domain Services][azure-ad-connect-phs]. Without completing this password hash synchronization step, you can't sign in to an account using the managed domain. If you disable Domain Services and then re-enable, you have to follow those steps again.

+For more information, see [How password hash synchronization works for Domain Services][phs-process].

+Managed domains with no on-premises synchronization, only accounts in Microsoft Entra ID, also need to generate the required NTLM or Kerberos password hashes. If a cloud-only account can't sign in, has a password change process successfully completed for the account after enabling Domain Services?

+ * If you disable Domain Services and then re-enable, each account must follow the steps again to change their password and generate the required password hashes.

+For more information and how to resolve account lockout issues, see [Troubleshoot account lockout problems in Domain Services][troubleshoot-account-lockout].

+As a central part of identity and authentication for applications, Microsoft Entra Domain Services sometimes has problems. If you run into issues, there are some common error messages and associated troubleshooting steps to help you get things running again. At any time, you can also [open an Azure support request][azure-support] for more troubleshooting help.

+This article provides troubleshooting steps for common issues in Domain Services.

+If you have problems enabling Domain Services, review the following common errors and steps to resolve them:

+| *Domain Services could not be enabled in this Microsoft Entra tenant. The service does not have adequate permissions to the application called Microsoft Entra Domain Services Sync. Delete the application called 'Microsoft Entra Domain Services Sync' and then try to enable Domain Services for your Microsoft Entra tenant.* |[Domain Services doesn't have adequate permissions to the Microsoft Entra Domain Services Sync application](troubleshoot.md#inadequate-permissions) |

+Check that you don't have an existing AD DS environment with the same domain name on the same, or a peered, virtual network. For example, you may have an AD DS domain named *aaddscontoso.com* that runs on Azure VMs. When you try to enable a Domain Services managed domain with the same domain name of *aaddscontoso.com* on the virtual network, the requested operation fails.

+This failure is due to name conflicts for the domain name on the virtual network. A DNS lookup checks if an existing AD DS environment responds on the requested domain name. To resolve this failure, use a different name to set up your managed domain, or deprovision the existing AD DS domain and then try again to enable Domain Services.

+*Domain Services could not be enabled in this Microsoft Entra tenant. The service does not have adequate permissions to the application called Microsoft Entra Domain Services Sync. Delete the application called 'Microsoft Entra Domain Services Sync' and then try to enable Domain Services for your Microsoft Entra tenant.*

+Check if there's an application named *Microsoft Entra Domain Services Sync* in your Microsoft Entra directory. If this application exists, delete it, then try again to enable Domain Services. To check for an existing application and delete it if needed, complete the following steps:

+1. Once you've deleted the application, try to enable Domain Services again.

+Check if you have an existing application named *AzureActiveDirectoryDomainControllerServices* with an application identifier of *d87dcbc6-a371-462e-88e3-28ad15ec4e64* in your Microsoft Entra directory. If this application exists, delete it and then try again to enable Domain Services.

+1. Once you've enabled the application, try to enable Domain Services again.

+* **Credentials format** - Try using the UPN format to specify credentials, such as `dee@aaddscontoso.onmicrosoft.com`. The UPN format is the recommended way to specify credentials in Domain Services. Make sure this UPN is configured correctly in Microsoft Entra ID.

+ * **Cloud-only accounts**: If the affected user account is a cloud-only user account, make sure that the [user has changed their password after you enabled Domain Services][cloud-only-passwords]. This password reset causes the required credential hashes for the managed domain to be generated.

+* **External accounts** - Check that the affected user account isn't an external account in the Microsoft Entra tenant. Examples of external accounts include Microsoft accounts like `dee@live.com` or user accounts from an external Microsoft Entra directory. Domain Services doesn't store credentials for external user accounts so they can't sign in to the managed domain.

+If you continue to have issues, [open an Azure support request][azure-support] for more troubleshooting help.

+To provide connectivity to users and applications, a Microsoft Entra Domain Services managed domain is deployed into an Azure virtual network subnet. This virtual network subnet should only be used for the managed domain resources provided by the Azure platform.

+When you create your own VMs and applications, they shouldn't be deployed into the same virtual network subnet. Instead, you should create and deploy your applications into a separate virtual network subnet, or in a separate virtual network that's peered to the Domain Services virtual network.

+This tutorial shows you how to create and configure a dedicated virtual network subnet or how to peer a different network to the Domain Services managed domain's virtual network.

+> * Understand the virtual network connectivity options for domain-joined resources to Domain Services

+> * Create an IP address range and additional subnet in the Domain Services virtual network

+> * Configure virtual network peering to a network that's separate from Domain Services

+* You need [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Microsoft Entra roles in your tenant to enable Domain Services.

+* You need Domain Services Contributor Azure role to create the required Domain Services resources.

+In the previous tutorial, a managed domain was created that used some default configuration options for the virtual network. These default options created an Azure virtual network and virtual network subnet. The Domain Services domain controllers that provide the managed domain services are connected to this virtual network subnet.

+ * As the VMs are part of the same virtual network, they can automatically perform name resolution and communicate with the Domain Services domain controllers.

+ * When you configure virtual network peering, you must also configure DNS settings to use name resolution back to the Domain Services domain controllers.

+* If you want to manage Domain Services and connected VMs as one group of resources, you can create an additional virtual network subnet for VMs.

+* If you want to separate the management of Domain Services and then any connected VMs, you can use virtual network peering.

+You may have an existing Azure virtual network for VMs, or wish to keep your managed domain virtual network separate. To use the managed domain, VMs in other virtual networks need a way to communicate with the Domain Services domain controllers. This connectivity can be provided using Azure virtual network peering.

+1. It takes a few moments to create the peering on both the Domain Services virtual network and the virtual network you selected. When ready, the **Peering status** reports *Connected*, as shown in the following example:

+For VMs and applications in the peered virtual network to successfully talk to the managed domain, the DNS settings must be updated. The IP addresses of the Domain Services domain controllers must be configured as the DNS servers on the peered virtual network. There are two ways to configure the domain controllers as DNS servers for the peered virtual network:

+* Configure the Azure virtual network DNS servers to use the Domain Services domain controllers.

+In this tutorial, let's configure the Azure virtual network DNS servers to direct all queries to the Domain Services domain controllers.

+1. By default, a virtual network uses the built-in Azure-provided DNS servers. Choose to use **Custom** DNS servers. Enter the IP addresses for the Domain Services domain controllers, which are usually *10.0.2.4* and *10.0.2.5*. Confirm these IP addresses on the **Overview** window of your managed domain in the portal.

+ 

+> * Understand the virtual network connectivity options for domain-joined resources to Domain Services

+> * Create an IP address range and additional subnet in the Domain Services virtual network

+> * Configure virtual network peering to a network that's separate from Domain Services

+For hybrid environments, a Microsoft Entra tenant can be configured to synchronize with an on-premises Active Directory Domain Services (AD DS) environment using Microsoft Entra Connect. By default, Microsoft Entra Connect doesn't synchronize legacy NT LAN Manager (NTLM) and Kerberos password hashes that are needed for Microsoft Entra Domain Services.

+To use Domain Services with accounts synchronized from an on-premises AD DS environment, you need to configure Microsoft Entra Connect to synchronize those password hashes required for NTLM and Kerberos authentication. After Microsoft Entra Connect is configured, an on-premises account creation or password change event also then synchronizes the legacy password hashes to Microsoft Entra ID.

+To authenticate users on the managed domain, Domain Services needs password hashes in a format that's suitable for NTLM and Kerberos authentication. Microsoft Entra ID doesn't store password hashes in the format that's required for NTLM or Kerberos authentication until you enable Domain Services for your tenant. For security reasons, Microsoft Entra ID also doesn't store any password credentials in clear-text form. Therefore, Microsoft Entra ID can't automatically generate these NTLM or Kerberos password hashes based on users' existing credentials.

+Microsoft Entra Connect can be configured to synchronize the required NTLM or Kerberos password hashes for Domain Services. Make sure that you have completed the steps to [enable Microsoft Entra Connect for password hash synchronization][enable-azure-ad-connect]. If you had an existing instance of Microsoft Entra Connect, [download and update to the latest version][azure-ad-connect-download] to make sure you can synchronize the legacy password hashes for NTLM and Kerberos. This functionality isn't available in early releases of Microsoft Entra Connect or with the legacy DirSync tool. Microsoft Entra Connect version *1.1.614.0* or later is required.

+> Microsoft Entra Connect should only be installed and configured for synchronization with on-premises AD DS environments. It's not supported to install Microsoft Entra Connect in a Domain Services managed domain to synchronize objects back to Microsoft Entra ID.

+With Microsoft Entra Connect installed and configured to synchronize with Microsoft Entra ID, now configure the legacy password hash sync for NTLM and Kerberos. A PowerShell script is used to configure the required settings and then start a full password synchronization to Microsoft Entra ID. When that Microsoft Entra Connect password hash synchronization process is complete, users can sign in to applications through Domain Services that use legacy NTLM or Kerberos password hashes.

+You can create a one-way outbound trust from Microsoft Entra Domain Services to one or more on-premises AD DS environments. This trust relationship lets users, applications, and computers authenticate against an on-premises domain from the Domain Services managed domain. A forest trust can help users access resources in scenarios such as:

+Trusts can be created in any domain. The domain will automatically block synchronization from an on-premises domain for any user accounts that were synchronized to Domain Services. This prevents UPN collisions when users authenticate.

+

+> * Configure DNS in an on-premises AD DS environment to support Domain Services connectivity

+> * Create a one-way outbound forest trust in Domain Services

+In this tutorial, you create and configure the outbound forest trust from Domain Services using the Microsoft Entra admin center. To get started, first sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). You need [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Microsoft Entra roles in your tenant to modify a Domain Services instance.

+The virtual network that hosts the Domain Services forest needs network connectivity to your on-premises Active Directory. Applications and services also need network connectivity to the virtual network hosting the Domain Services forest. Network connectivity to the Domain Services forest must be always on and stable otherwise users may fail to authenticate or access resources.

+Before you configure a forest trust in Domain Services, make sure your networking between Azure and on-premises environment meets the following requirements:

+* Make sure Domain Services has its own subnet, don't share this virtual network subnet with application VMs and services.

+ * Azure virtual network peerings must be created between all virtual networks you want to use the Domain Services forest trust to the on-premises AD DS environment.

+* Make sure there's continuous name resolution (DNS) between your Domain Services forest name and your on-premises Active Directory forest name.

+1. Enter the name for Domain Services domain name, such as *aaddscontoso.com*, then select **Next**.

+## Create outbound forest trust in Domain Services

+If the forest trust is no longer needed for an environment, complete the following steps to remove it from Domain

+* [On-premises user authentication from the Domain Services forest](#on-premises-user-authentication-from-the-azure-ad-ds-forest)

+* [Access resources in the Domain Services forest using on-premises user](#access-resources-in-the-azure-ad-ds-forest-using-on-premises-user)

+### On-premises user authentication from the Domain Services forest

+1. Connect to the Windows Server VM joined to the Domain Services forest using [Azure Bastion](../bastion/bastion-overview.md) and your Domain Services administrator credentials.

+### Access resources in the Domain Services forest using on-premises user

+Using the Windows Server VM joined to the Domain Services forest, you can test the scenario where users can access resources hosted in the forest when they authenticate from computers in the on-premises domain with users from the on-premises domain. The following examples show you how to create and test various common scenarios.

+1. Connect to the Windows Server VM joined to the Domain Services forest using [Azure Bastion](../bastion/bastion-overview.md) and your Domain Services administrator credentials.

+ > You must provide credentials because the trust relationship is only one way. This means users from the Domain Services managed domain can't access resources or search for users or groups in the trusted (on-premises) domain.

+1. On the Windows Server VM joined to the Domain Services forest, create a folder and provide name such as *CrossForestShare*.

+> * Configure DNS in an on-premises AD DS environment to support Domain Services connectivity

+> * Create a one-way outbound forest trust in Domain Services

+For more conceptual information about forest in Domain Services, see [How do forest trusts work in Domain Services?][concepts-trust].

+Microsoft Entra Domain Services provides managed domain services such as domain join, group policy, LDAP, Kerberos/NTLM authentication that is fully compatible with Windows Server Active Directory. You consume these domain services without deploying, managing, and patching domain controllers yourself. Domain Services integrates with your existing Microsoft Entra tenant. This integration lets users sign in using their corporate credentials, and you can use existing groups and user accounts to secure access to resources.

+You can [create a managed domain using default configuration options][tutorial-create-instance] for networking and synchronization, or manually define these settings. This tutorial shows you how to define those advanced configuration options to create and configure a Domain Services managed domain using the Microsoft Entra admin center.

+* You need [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Microsoft Entra roles in your tenant to enable Domain Services.

+* You need [Domain Services Contributor](../role-based-access-control/built-in-roles.md#domain-services-contributor) Azure role to create the required Domain Services resources.

+Although not required for Domain Services, it's recommended to [configure self-service password reset (SSPR)][configure-sspr] for the Microsoft Entra tenant. Users can change their password without SSPR, but SSPR helps if they forget their password and need to reset it.

+1. Choose the Azure **Location** in which the managed domain should be created. If you choose a region that supports Availability Zones, the Domain Services resources are distributed across zones for additional redundancy.

+ > There's nothing for you to configure for Domain Services to be distributed across zones. The Azure platform automatically handles the zone distribution of resources. For more information and to see region availability, see [What are Availability Zones in Azure?][availability-zones]

+1. The **SKU** determines the performance and backup frequency. You can change the SKU after the managed domain has been created if your business demands or requirements change. For more information, see [Domain Services SKU concepts][concepts-sku].

+To provide connectivity, an Azure virtual network and a dedicated subnet are needed. Domain Services is enabled in this virtual network subnet. In this tutorial, you create a virtual network, though you could instead choose to use an existing virtual network. In either approach, you must create a dedicated subnet for use by Domain Services.

+* The subnet must have at least 3-5 available IP addresses in its address range to support the Domain Services resources.

+* Don't select the *Gateway* subnet for deploying Domain Services. It's not supported to deploy Domain Services into a *Gateway* subnet.

+1. On the **Network** page, choose a virtual network to deploy Domain Services into from the drop-down menu, or select **Create new**.

+ Make sure to pick an address range that is within your private IP address range. IP address ranges you don't own that are in the public address space cause errors within Domain Services.

+A special administrative group named *AAD DC Administrators* is used for management of the Domain Services domain. Members of this group are granted administrative permissions on VMs that are domain-joined to the managed domain. On domain-joined VMs, this group is added to the local administrators group. Members of this group can also use Remote Desktop to connect remotely to domain-joined VMs.

+> You don't have *Domain Administrator* or *Enterprise Administrator* permissions on a managed domain using Domain Services. These permissions are reserved by the service and aren't made available to users within the tenant.

+Domain Services lets you synchronize *all* users and groups available in Microsoft Entra ID, or a *scoped* synchronization of only specific groups. You can change the synchronize scope now, or once the managed domain is deployed. For more information, see [Microsoft Entra Domain Services scoped synchronization][scoped-sync].

+1. To create the managed domain, select **Create**. A note is displayed that certain configuration options like DNS name or virtual network can't be changed once the Domain Services managed has been created. To continue, select **OK**.

+1. The process of provisioning your managed domain can take up to an hour. A notification is displayed in the portal that shows the progress of your Domain Services deployment. Select the notification to see detailed progress for the deployment.

+> The managed domain is associated with your Microsoft Entra tenant. During the provisioning process, Domain Services creates two Enterprise Applications named *Domain Controller Services* and *AzureActiveDirectoryDomainControllerServices* in the Microsoft Entra tenant. These Enterprise Applications are needed to service your managed domain. Don't delete these applications.

+With Domain Services successfully deployed, now configure the virtual network to allow other connected VMs and applications to use the managed domain. To provide this connectivity, update the DNS server settings for your virtual network to point to the two IP addresses where the managed domain is deployed.

+## Enable user accounts for Domain Services

+To authenticate users on the managed domain, Domain Services needs password hashes in a format that's suitable for NT LAN Manager (NTLM) and Kerberos authentication. Microsoft Entra ID doesn't generate or store password hashes in the format that's required for NTLM or Kerberos authentication until you enable Domain Services for your tenant. For security reasons, Microsoft Entra ID also doesn't store any password credentials in clear-text form. Therefore, Microsoft Entra ID can't automatically generate these NTLM or Kerberos password hashes based on users' existing credentials.

+> For more information, see [Password hash sync process for Domain Services and Microsoft Entra Connect][password-hash-sync-process].

+For cloud-only user accounts, users must change their passwords before they can use Domain Services. This password change process causes the password hashes for Kerberos and NTLM authentication to be generated and stored in Microsoft Entra ID. The account isn't synchronized from Microsoft Entra ID to Domain Services until the password is changed. Either expire the passwords for all cloud users in the tenant who need to use Domain Services, which forces a password change on next sign-in, or instruct cloud users to manually change their passwords. For this tutorial, let's manually change a user password.

+It takes a few minutes after you've changed your password for the new password to be usable in Domain Services and to successfully sign in to computers joined to the managed domain.

+> * Enable user accounts for Domain Services and generate password hashes

+Microsoft Entra Domain Services provides managed domain services such as domain join, group policy, LDAP, Kerberos/NTLM authentication that is fully compatible with Windows Server Active Directory. You consume these domain services without deploying, managing, and patching domain controllers yourself. Domain Services integrates with your existing Microsoft Entra tenant. This integration lets users sign in using their corporate credentials, and you can use existing groups and user accounts to secure access to resources.

+You can create a managed domain using default configuration options for networking and synchronization, or [manually define these settings][tutorial-create-instance-advanced]. This tutorial shows you how to use default options to create and configure a Domain Services managed domain using the Microsoft Entra admin center.

+* You need [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Microsoft Entra roles in your tenant to enable Domain Services.

+* You need [Domain Services Contributor](../role-based-access-control/built-in-roles.md#domain-services-contributor) Azure role to create the required Domain Services resources.

+Although not required for Domain Services, it's recommended to [configure self-service password reset (SSPR)][configure-sspr] for the Microsoft Entra tenant. Users can change their password without SSPR, but SSPR helps if they forget their password and need to reset it.

+1. Choose the Azure **Location** in which the managed domain should be created. If you choose a region that supports Azure Availability Zones, the Domain Services resources are distributed across zones for additional redundancy.

+ > There's nothing for you to configure for Domain Services to be distributed across zones. The Azure platform automatically handles the zone distribution of resources. For more information and to see region availability, see [What are Availability Zones in Azure?][availability-zones]

+1. The **SKU** determines the performance and backup frequency. You can change the SKU after the managed domain has been created if your business demands or requirements change. For more information, see [Domain Services SKU concepts][concepts-sku].

+1. To create the managed domain, select **Create**. A note is displayed that certain configuration options such as DNS name or virtual network can't be changed once the Domain Services managed has been created. To continue, select **OK**.

+1. The process of provisioning your managed domain can take up to an hour. A notification is displayed in the portal that shows the progress of your Domain Services deployment. Select the notification to see detailed progress for the deployment.

+> The managed domain is associated with your Microsoft Entra tenant. During the provisioning process, Domain Services creates two Enterprise Applications named *Domain Controller Services* and *AzureActiveDirectoryDomainControllerServices* in the Microsoft Entra tenant. These Enterprise Applications are needed to service your managed domain. Don't delete these applications.

+With Domain Services successfully deployed, now configure the virtual network to allow other connected VMs and applications to use the managed domain. To provide this connectivity, update the DNS server settings for your virtual network to point to the two IP addresses where the managed domain is deployed.

+## Enable user accounts for Domain Services

+To authenticate users on the managed domain, Domain Services needs password hashes in a format that's suitable for NT LAN Manager (NTLM) and Kerberos authentication. Microsoft Entra ID doesn't generate or store password hashes in the format that's required for NTLM or Kerberos authentication until you enable Domain Services for your tenant. For security reasons, Microsoft Entra ID also doesn't store any password credentials in clear-text form. Therefore, Microsoft Entra ID can't automatically generate these NTLM or Kerberos password hashes based on users' existing credentials.

+> [Microsoft Entra Connect Cloud Sync is not supported with Domain Services](../active-directory/cloud-sync/what-is-cloud-sync.md#comparison-between-azure-ad-connect-and-cloud-sync). On-premises users need to be synced using Microsoft Entra Connect in order to be able to access domain-joined VMs. For more information, see [Password hash sync process for Domain Services and Microsoft Entra Connect][password-hash-sync-process].

+For cloud-only user accounts, users must change their passwords before they can use Domain Services. This password change process causes the password hashes for Kerberos and NTLM authentication to be generated and stored in Microsoft Entra ID. The account isn't synchronized from Microsoft Entra ID to Domain Services until the password is changed. Either expire the passwords for all cloud users in the tenant who need to use Domain Services, which forces a password change on next sign-in, or instruct cloud users to manually change their passwords. For this tutorial, let's manually change a user password.

+It takes a few minutes after you've changed your password for the new password to be usable in Domain Services and to successfully sign in to computers joined to the managed domain.

+> * Enable user accounts for Domain Services and generate password hashes

+Microsoft Entra Domain Services provides managed domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication that is fully compatible with Windows Server Active Directory. You administer this managed domain using the same Remote Server Administration Tools (RSAT) as with an on-premises Active Directory Domain Services domain. As Domain Services is a managed service, there are some administrative tasks that you can't perform, such as using remote desktop protocol (RDP) to connect to the domain controllers.

+This tutorial shows you how to configure a Windows Server VM in Azure and install the required tools to administer a Domain Services managed domain.

+* An Azure Bastion host deployed in your Domain Services virtual network.

+## Available administrative tasks in Domain Services

+Domain Services provides a managed domain for your users, applications, and services to consume. This approach changes some of the available management tasks you can do, and what privileges you have within the managed domain. These tasks and permissions may be different than what you experience with a regular on-premises Active Directory Domain Services environment. You also can't connect to domain controllers on the managed domain using Remote Desktop.

+ 

+Common Active Directory Administrative Center actions such as resetting a user account password or managing group membership are available. These actions only work for users and groups created directly in the managed domain. Identity information only synchronizes *from* Microsoft Entra ID to Domain Services. There's no write back from Domain Services to Microsoft Entra ID. You can't change passwords or managed group membership for users synchronized from Microsoft Entra ID and have those changes synchronized back.

+To improve the resiliency of a Microsoft Entra Domain Services managed domain, or deploy to additional geographic locations close to your applications, you can use *replica sets*. Every Domain Services managed domain namespace, such as *aaddscontoso.com*, contains one initial replica set. The ability to create additional replica sets in other Azure regions provides geographical resiliency for a managed domain.

+You can add a replica set to any peered virtual network in any Azure region that supports Domain Services.

+The virtual networks that host replica sets must be able to communicate with each other. Applications and services that depend on Domain Services also need network connectivity to the virtual networks hosting the replica sets. Azure virtual network peering should be configured between all virtual networks to create a fully meshed network. These peerings enable effective intra-site replication between replica sets.

+Before you can use replica sets in Domain Services, review the following Azure virtual network requirements:

+* Make sure Domain Services has its own subnet. Don't share this virtual network subnet with application VMs and services.

+When you create a managed domain, such as *aaddscontoso.com*, an initial replica set is created. Additional replica sets share the same namespace and configuration. Changes to Domain Services, including configuration, user identity and credentials, groups, group policy objects, computer objects, and other changes are applied to all replica sets in the managed domain using AD DS replication.

+In this tutorial, you create an additional replica set in an Azure region different than the initial Domain Services replica set.

+ Select a virtual network in the destination region, such as *vnet-eastus*, then choose a subnet such as *aadds-subnet*. If needed, choose **Create new** to add a virtual network in the destination region, then **Manage** to create a subnet for Domain Services.

+1. In the Domain Services management VM, access the DNS console and manually delete DNS records for the domain controllers from the deleted replica set.

+For more conceptual information, learn how replica sets work in Domain Services.

+This topic shows how to perform a disaster recovery (DR) drill for Microsoft Entra Domain Services using replica sets. This excercise simulates one of the replica sets going offline by making changes to the network virtual network properties to block client access to it. It's not a true DR drill in that the replica set isn't taken offline.

+The DR drill covers:

+1. The client's connection to the replica set will be terminated. This will happen by restricting network access.

+1. The client then establishes a new connection with the other replica set. Once that happens, the client is able to authenticate to the domain and perform LDAP queries.

+1. The domain member will be rebooted, and a domain user can sign in after reboot.

+1. The network restrictions are removed, and the client can connect to original replica set.

+- An active Domain Services instance deployed with at least one extra replica set in place. The domain must be in a healthy state.

+- A client machine that's joined to the Domain Services hosted domain. The client must be in its own virtual network, virtual network peering enabled with both replica set virtual networks, and the virtual network must have the IP addresses of all domain controllers in the replica sets listed in DNS.

+You need to perform these operations for each replica set in the Domain Services instance. The operations simulate an outage for each replica set. When domain controllers aren't reachable, the client automatically fails over to a reachable domain controller. This experience should be seamless to the end user or workload. Therefore, it's critical that applications and services don't point to a specific domain controller.

+These operations demonstrate that the domain is still available even though one of the replica sets is unreachable by the client. Perform this set of steps for each replica set in the Domain Services instance.

+After you complete these steps, you see domain members continue to access the directory if one of the replica sets in the Domain Services isn't reachable. You can simulate the same behavior by blocking all network access for a replica set instead of a client machine, but we don't recommend it. It won't change the behavior from a client perspective, but it impacts the health of your Domain Services instance until the network access is restored.

+For more conceptual information, learn how replica sets work in Domain Services.

+To help you understand the state of your Microsoft Entra Domain Services managed domain, you can enable security audit events. These security audit events can then be reviewed using Azure Monitor Workbooks that combine text, analytics queries, and parameters into rich interactive reports. Domain Services includes workbook templates for security overview and account activity that let you dig into audit events and manage your environment.

+This article shows you how to use Azure Monitor Workbooks to review security audit events in Domain Services.

+ * If needed, [enable security audits for Domain Services][enable-security-audits].

+When security audit events are turned on in Domain Services, it can be hard to analyze and identify issues in the managed domain. Azure Monitor lets you aggregate these security audit events and query the data. With Azure Monitor Workbooks, you can visualize this data to make it quicker and easier to identify issues.

+Domain Services includes the following two workbook templates:

+The two template workbooks provided by Domain Services are a good place to start with your own data analysis. If you need to get more granular in the data queries and investigations, you can save your own workbooks and edit the queries.

+Microsoft Entra user provisioning can help address these challenges. To learn more about how customers have been using Microsoft Entra user provisioning, read the [ASOS case study](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/asos-better-protects-its-data-with-azure-ad-automated-user/ba-p/827846). The following video provides an overview of user provisioning in Microsoft Entra ID.

+ httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);

+You can also define how many days a user can postpone, or "snooze," the nudge. If a user taps **Skip for now** to postpone the app setup, they get nudged again on the next MFA attempt after the snooze duration has elapsed. You can decide whether the user can snooze indefinitely or up to three times (after which registration is required).

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+1. If a user wishes to not install the Authenticator app, they can tap **Skip for now** to snooze the prompt for up to 14 days, which can be set by an admin. Users with free and trial subscriptions can snooze the prompt up to three times.

+ 

+## Enable the registration campaign policy using the Microsoft Entra admin center

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator) or [Global Administrator](../roles/permissions-reference.md#global-administrator).

+1. Browse to **Protection** > **Authentication methods** > **Registration campaign** and click **Edit**.

+ :::image type="content" border="true" source="media/how-to-mfa-registration-campaign/admin-experience.png" alt-text="Screenshot of enabling a registration campaign.":::

+In addition to using the Microsoft Entra admin center, you can also enable the registration campaign policy using Graph Explorer. To enable the registration campaign policy, you must use the Authentication Methods Policy using Graph APIs. **Global Administrators** and **Authentication Policy Administrators** can update the policy.

+ 

+ 

+|Name|Possible values|Description|

+|snoozeDurationInDays|Range: 0 - 14|Defines the number of days before the user is nudged again.<br>If the value is 0, the user is nudged during every MFA attempt.<br>Default: 1 day|

+|enforceRegistrationAfterAllowedSnoozes|"true"<br>"false"|Dictates whether a user is required to perform setup after 3 snoozes.<br>If true, user is required to register.<br>If false, user can snooze indefinitely.<br>Default: true<br>Please note this property only comes into effect once the Microsoft managed value for the registration campaign will change to Enabled for text message and voice call for your organization.|

+|state|"enabled"<br>"disabled"<br>"default"|Allows you to enable or disable the feature.<br>Default value is used when the configuration hasn't been explicitly set and will use Microsoft Entra ID default value for this setting. Currently maps to disabled.<br>Change states to either enabled or disabled as needed.|

+|excludeTargets|N/A|Allows you to exclude different users and groups that you want omitted from the feature. If a user is in a group that is excluded and a group that is included, the user will be excluded from the feature.|

+|includeTargets|N/A|Allows you to include different users and groups that you want the feature to target.|

+Set the **Limited number of snoozes** to **Enabled** such that users can postpone the app setup up to three times, after which setup is required.

+It's the same as snoozing. If setup is required for a user after they snoozed three times, the user will get prompted the next time they sign in.

+By default, smart lockout locks an account from sign-in after:

+- 10 failed attempts in Azure Public and Microsoft Azure operated by 21Vianet tenants

+- 3 failed attempts for Azure US Government tenants

+The account locks again after each subsequent failed sign-in attempt. The lockout period is one minute at first, and longer in subsequent attempts. To minimize the ways an attacker could work around this behavior, we don't disclose the rate at which the lockout period increases after unsuccessful sign-in attempts.

+Smart lockout tracks the last three bad password hashes to avoid incrementing the lockout counter for the same password. If someone enters the same bad password multiple times, this behavior doesn't cause the account to lock out.

+Federated deployments that use Active Directory Federation Services (AD FS) 2016 and AD FS 2019 can enable similar benefits by using [AD FS Extranet Lockout and Extranet Smart Lockout](/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection). It's recommended to move to [managed authentication](https://www.microsoft.com/security/business/identity-access/upgrade-adfs).

+* Lockout state across Microsoft Entra data centers is synchronized. However, the total number of failed sign-in attempts allowed before an account is locked out will have slight variance from the configured lockout threshold. Once an account is locked out, it's locked out everywhere across all Microsoft Entra data centers.

+* After an account lockout, the user can initiate self-service password reset (SSPR) to sign in again. If the user chooses **I forgot my password** during SSPR, the duration of the lockout is reset to 0 seconds. If the user chooses **I know my password** during SSPR, the lockout timer continues, and the duration of the lockout isn't reset. To reset the duration and sign in again, the user needs to change their password.

+* The Microsoft Entra lockout duration must be set longer than the AD DS account lockout duration. The Microsoft Entra duration is set in seconds, while the AD DS duration is set in minutes.

+For example, if you want your Microsoft Entra smart lockout duration to be higher than AD DS, then Microsoft Entra ID would be 120 seconds (2 minutes) while your on-premises AD is set to 1 minute (60 seconds). If you want your Microsoft Entra lockout threshold to be 5, then you want your on-premises AD DS lockout threshold to be 10. This configuration would ensure smart lockout prevents your on-premises AD DS accounts from being locked out by brute force attacks on your Microsoft Entra accounts.

+Based on your organizational requirements, you can customize the Microsoft Entra smart lockout values. Customization of the smart lockout settings, with values specific to your organization, requires Microsoft Entra ID P1 or higher licenses for your users. Customization of the smart lockout settings isn't available for Microsoft Azure operated by 21Vianet tenants.

+When the smart lockout threshold is triggered, you'll get the following message while the account is locked:

+Smart lockout tracks the last three bad password hashes to avoid incrementing the lockout counter for the same password. If someone enters the same bad password multiple times, this behavior doesn't cause the account to lock out.

+In addition to Smart lockout, Microsoft Entra ID also protects against attacks by analyzing signals including IP traffic and identifying anomalous behavior. Microsoft Entra ID blocks these malicious sign-ins by default and returns [AADSTS50053 - IdsLocked error code](../develop/reference-error-codes.md), regardless of the password validity.

+For tokens to be issued with claims incoming from the custom authentication extension, you must assign a custom claims provider to your application. This is based on the token audience, so the provider must be assigned to the client application to receive claims in an ID token, and to the resource application to receive claims in an access token. The custom claims provider relies on the custom authentication extension configured with the **token issuance start** event listener. You can choose whether all, or a subset of claims, from the custom claims provider are mapped into the token.

+| **Sign-out** | Global | Each application can control if the sign-out is local to the app. |

+The naming policy is applied to creating or editing groups created across workloads (for example, Outlook, Microsoft Teams, SharePoint, Exchange, or Planner), even if no editing changes are made. It's applied to both the group name and group alias. If you set up your naming policy in Microsoft Entra ID and you have an existing Exchange group naming policy, the Microsoft Entra ID naming policy is enforced in your organization.

+When group naming policy is configured, the policy will be applied to new Microsoft 365 groups created by end users. Naming policy doesn't apply to certain directory roles, such as Global Administrator or User Administrator (please see below for the complete list of roles exempted from group naming policy). For existing Microsoft 365 groups, the policy won't immediately apply at the time of configuration. Once group owner edits the group name for these groups, naming policy will be enforced, even if no changes are made.

+Prefixes and suffixes can contain special characters that are supported in group name and group alias. Any characters in the prefix or suffix that aren't supported in the group alias are still applied in the group name, but removed from the group alias. Because of this restriction, the prefixes and suffixes applied to the group name might be different from the ones applied to the group alias.

+- Blocked words aren't case sensitive.

+- There's an upper limit of 5000 phrases that can be configured in the blocked words list.

+ If you're prompted about accessing an untrusted repository, enter **Y**. It might take few minutes for the new module to install.

+Here's an example of a PowerShell script to export multiple blocked words:

+Here's an example PowerShell script to import multiple blocked words:

+Groups mobile app | Groups created in the Groups mobile app are compliant with the naming policy. Groups mobile app doesn't show the preview of the naming policy and doesn't return custom blocked word errors when the user enters the group name. But the naming policy is automatically applied when creating or editing a group and users is presented with appropriate errors if there are custom blocked words in the group name or alias.

+Project for the web | Project for the web is compliant with the naming policy.

+Yammer | When a user signed in to Yammer with their Microsoft Entra account creates a group or edits a group name, the group name will comply with naming policy. This applies both to Microsoft 365 connected groups and all other Yammer groups.<br>If a Microsoft 365 connected group was created before the naming policy is in place, the group name won't automatically follow the naming policies. When a user edits the group name, they'll be prompted to add the prefix and suffix.

+StaffHub | StaffHub teams do not follow the naming policy, but the underlying Microsoft 365 group does. StaffHub team name doesn't apply the prefixes and suffixes and doesn't check for custom blocked words. But StaffHub does apply the prefixes and suffixes and removes blocked words from the underlying Microsoft 365 group.

+ Policy type: AAD

+ Policy type: AAD

+Workflows contain specific tasks, which can run automatically against users based on the specified execution conditions. Automatic workflow scheduling is supported based on the employeeHireDate and employeeLeaveDateTime user attributes in Microsoft Entra ID.

+The EmployeeHireDate and EmployeeLeaveDateTime contain dates and times that must be formatted in a specific way. This means that you may need to use an expression to convert the value of your source attribute to a format that will be accepted by the EmployeeHireDate or EmployeeLeaveDateTime. The following table outlines the format that is expected and provides an example expression on how to convert the values.

+|Workday to Active Directory User Provisioning|FormatDateTime([StatusHireDate], "yyyy-MM-ddzzz", "yyyyMMddHHmmss.fZ")|On-premises AD string attribute|[Attribute mappings for Workday](../saas-apps/workday-inbound-tutorial.md#below-are-some-example-attribute-mappings-between-workday-and-active-directory-with-some-common-expressions)|

+The expression examples in the table use endDate for SAP and StatusHireDate for Workday. However, you may opt to use different attributes.

+- The Workflows won't run earlier than the time specified in the attribute, however the [tenant schedule (default 3h)](customize-workflow-schedule.md) may delay the workflow run. For instance, if you set the `employeeHireDate` to 8AM but the tenant schedule doesn't run until 9AM, the workflow won't be processed until then. If a new hire is starting at 8AM, you would want to set the time to something like (start time - tenant schedule) to ensure it runs before the employee arrives.

+ The following steps guide you through creating a synchronization rule using cloud sync.

+ 1. Select **Manage Microsoft Entra cloud sync**.

+ 1. Under **Configuration**, select your configuration.

+ 1. Select **Click to edit mappings**. This link opens the **Attribute mappings** screen.

+ 1. Select **Add attribute**.

+ 1. Fill in the following information:

+ - Source attribute: msDS-cloudExtensionAttribute1

+ :::image type="content" source="media/how-to-lifecycle-workflow-sync-attributes/edit-cloud-attribute-mapping.png" alt-text="Screenshot of the cloud attribute mapping.":::

+ 1. Select **Apply**.

+ 1. Back on the **Attribute mappings** screen, you should see your new attribute mapping.

+ 1. Select **Save schema**.

+The following example walks you through setting up a custom synchronization rule that synchronizes the Active Directory attribute to the employeeHireDate attribute in Microsoft Entra ID.

+ 1. Go to Start\Azure AD Connect\ and open the Synchronization Rules Editor

+ 1. Ensure the direction at the top is set to **Inbound**.

+ 1. Select **Add Rule.**

+ 1. On the **Create Inbound synchronization rule** screen, enter the following information and select **Next**.

+ 1. On the **Scoping filter** screen, select **Next.**

+ 1. On the **Join rules** screen, select **Next**.

+ 1. On the **Transformations** screen, Under **Add transformations,** enter the following information.

+ 1. Select **Add**.

+ 1. In the Synchronization Rules Editor, ensure the direction at the top is set to **Outbound**.

+ 1. Select **Add Rule.**

+ 1. On the **Create Outbound synchronization rule** screen, enter the following information and select **Next**.

+ 1. On the **Scoping filter** screen, select **Next.**

+ 1. On the **Join rules** screen, select **Next**.

+ 1. On the **Transformations** screen, Under **Add transformations,** enter the following information.

+ 1. Select **Add**.

+ 1. Close the Synchronization Rules Editor

+ 1. Enable the scheduler again by running `Set-ADSyncScheduler -SyncCycleEnabled $true`.

+## Edit attribute mapping in the provisioning application

+Once you have set up your provisioning application, you're able to edit its attribute mapping. When the app is created, you get a list of default mappings between your HRM and Active Directory. From there you can either edit the existing mapping, or add new mapping.

+To update this mapping, you'd do the following:

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](../roles/permissions-reference.md#global-administrator).

+1. Browse to **Identity** > **Applications** > **Enterprise applications**.

+1. Open your provisioned application.

+1. Select Provisioning and then select **Edit attribute Mapping**.

+1. Select **Show advanced options**, and then select edit Attribute list for On Premise Active Directory.

+ :::image type="content" source="media/how-to-lifecycle-workflow-sync-attributes/edit-on-prem-attribute.png" alt-text="Screenshot of editing on-premises attribute.":::

+1. Add your source attribute(s) created as Type String, and select on the CheckBox for required.

+ :::image type="content" source="media/how-to-lifecycle-workflow-sync-attributes/edit-attribute-list.png" alt-text="Screenshot of source api list.":::

+ > [!NOTE]

+ > The number, and name, of source attributes added will depend on which attributes you are syncing.

+1. Select Save.

+1. From there you must map the HRM attributes to the added Active Directory attributes. To do this, Add New Mapping using an Expression.

+1. Your expression must match the formatting found in the [Understanding EmployeeHireDate and EmployeeLeaveDateTime formatting](how-to-lifecycle-workflow-sync-attributes.md#understanding-employeehiredate-and-employeeleavedatetime-formatting) section.

+ :::image type="content" source="media/how-to-lifecycle-workflow-sync-attributes/attribute-formatting-expression.png" alt-text="Screenshot of setting attribute format.":::

+1. Select ok.

+- [Configure API-driven inbound provisioning app (Public preview)](../app-provisioning/inbound-provisioning-api-configure-app.md)

+Connect-MgGraph -Confirm

+New-MgUser -DisplayName $Displayname_manager -PasswordProfile $PasswordProfile -UserPrincipalName $UPN_manager -AccountEnabled $true -MailNickName $Name_manager -Department $Department

+New-MgUser -DisplayName $Displayname_employee -PasswordProfile $PasswordProfile -UserPrincipalName $UPN_employee -AccountEnabled $true -MailNickName $Name_employee -Department $Department

+- For license information, see [License requirements](./multi-tenant-organization-overview.md#license-requirements).

+- For license information, see [License requirements](./multi-tenant-organization-overview.md#license-requirements).

+- For license information, see [License requirements](./multi-tenant-organization-overview.md#license-requirements).

+Most recommendations follow the same pattern. You're provided information about how the recommendation work, its value, and some action steps to address the recommendation. This section provides an overview of the details provided in a recommendation, but aren't specific to one recommendation.

+1. Browse to **Identity** > **Overview** > **Recommendations tab**.

+

+| [Remove unused applications](recommendation-remove-unused-apps.md) | Applications | [Microsoft Entra Workload ID Premium](https://www.microsoft.com/security/business/identity-access/microsoft-entra-workload-id) | Preview |

+| [Remove unused credentials from applications](recommendation-remove-unused-credential-from-apps.md) | Applications | [Microsoft Entra Workload ID Premium](https://www.microsoft.com/security/business/identity-access/microsoft-entra-workload-id) | Preview |

+| [Renew expiring application credentials](recommendation-renew-expiring-application-credential.md) | Applications | [Microsoft Entra Workload ID Premium](https://www.microsoft.com/security/business/identity-access/microsoft-entra-workload-id) | Preview |

+| [Renew expiring service principal credentials](recommendation-renew-expiring-service-principal-credential.md) | Applications | [Microsoft Entra Workload ID Premium](https://www.microsoft.com/security/business/identity-access/microsoft-entra-workload-id) | Preview |

+This article covers the recommendation to migrate from the Azure Active Directory Authentication Library (ADAL) to the Microsoft Authentication Libraries. This recommendation is called `AdalToMsalMigration` in the recommendations API in Microsoft Graph.

+ADAL is currently slated for end-of-support on June 30, 2023. We recommend that customers migrate to Microsoft Authentication Libraries (MSAL), which replaces ADAL.

+ - `https://graph.microsoft.com/beta/directory/recommendations/<TENANT_ID>_Microsoft.Identity.IAM.Insights.AdalToMsalMigration/impactedResources`

+Review the following common questions as you work with the ADAL to MSAL recommendation.

+Multi-factor authentication (MFA) is a key component to improve the security posture of your Microsoft Entra tenant. While SMS text and voice calls were once commonly used for multi-factor authentication, they're becoming increasingly less secure. You also don't want to overwhelm your users with lots of MFA methods and messages.

+- Currently in the list of **Impacted resources**, only the app name and resource ID are shown. The key ID for the credential that needs to be rotated isn't shown. To find the key ID credential, navigate back to **App registrations** > **Certificates and Secrets** for the application.

+- An **Impacted resource** with credentials that expired recently are as **Complete**. If that resource has more than one credential expiring soon, the status of the resource is **Active**.

+A Microsoft Entra service principal is the local representation of an application object in a single tenant or directory. The service principal defines who can access an application and what resources the application can access. Authentication of service principals is often completed using certificate credentials, which have a lifespan. If the credentials expire, the application can't authenticate with your tenant.

+- This recommendation identifies service principal credentials that are about to expire. If they do expire, the recommendation doesn't distinguish between the credential expiring on its own or if you addressed it.

+- Service principal credentials that expire before the recommendation is completed are complete by the system.

+This article covers the recommendation to switch per-user multifactor authentication (MFA) accounts to Conditional Access MFA accounts. This recommendation is called `switchFromPerUserMFA` in the recommendations API in Microsoft Graph.

+In your tenant, you can enable MFA on a per-user basis. In this scenario, your users perform MFA each time they sign in. There are some exceptions, such as when they sign in from trusted IP addresses or when the remember MFA on trusted devices feature is turned on. While enabling MFA is a good practice, switching per-user MFA to MFA based on [Conditional Access](../conditional-access/overview.md) can reduce the number of times your users are prompted for MFA.

+description: Learn how to automatically provision and deprovision user accounts from Microsoft Entra ID to Asana.

+This tutorial describes the steps you need to do in both Asana and Microsoft Entra ID to configure automatic user provisioning. When configured, Microsoft Entra ID automatically provisions and deprovisions users and groups to [Asana](https://www.asana.com/) using the Microsoft Entra provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID](../app-provisioning/user-provisioning.md).

+* If you need more roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles.

+ 

+ 

+ 

+ 

+ 

+ 

+1. Review the user attributes that are synchronized from Microsoft Entra ID to Asana in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Asana for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you need to ensure that the Asana API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager|Reference||

+ |addresses[type eq "work"].country|String||

+ |addresses[type eq "work"].region|String||

+ |addresses[type eq "work"].locality|String||

+ |phoneNumbers[type eq "work"].value|String||

+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber|String||

+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:costCenter|String||

+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization|String||

+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division|String||

+ 

+ 

+ 

+* If the provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

+* 09/07/2023 - Added support for **addresses[type eq "work"].locality, addresses[type eq "work"].region, addresses[type eq "work"].country, phoneNumbers[type eq "work"].value, urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber, urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:costCenter,

+urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization and urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division**.

+1. On the **Basic SAML Configuration** section, enter the values for the following fields:

+ c. In the **Logout URL** text box, type a URL using the following pattern:

+ `https://<CUSTOMER_NAME>.foundu.com.au/saml/logout`

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Logout URL. Contact [foundU Client support team](mailto:help@foundu.com.au) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+In this section, you'll create a test user in the Azure portal called B.Simon.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to foundU.

+ a. Copy **Identifier(Entity ID)** value, paste this value into the **Identifier** text box in the **Basic SAML Configuration section** in the Azure portal.

+ b. Copy **Reply URL (Assertion Consumer Service URL)** value, paste this value into the **Reply URL** text box in the **Basic SAML Configuration section** in the Azure portal.

+ c. Copy **Logout URL** value, paste this value into the **Logout URL** text box in the **Basic SAML Configuration section** in the Azure portal.

+ d. In the **Entity ID** textbox, paste the **Identifier** value, which you have copied from the Azure portal.

+ e. In the **Single Sign-on Service URL** textbox, paste the **Login URL** value, which you have copied from the Azure portal.

+ f. In the **Single Logout Service URL** textbox, paste the **Logout URL** value, which you have copied from the Azure portal.

+* Click on **Test this application** in Azure portal. This will redirect to foundU Sign on URL where you can initiate the login flow.

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the foundU for which you set up the SSO

+You can also use Microsoft My Apps to test the application in any mode. When you click the foundU tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the foundU for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+1. Log in to [Insite LMS Console](https://portal.insitelms.net) with your Admin account.

+1. Navigate to **Applications** module on the left hand side menu.

+1. In the section **Self hosted Jobs**, you'll find a job named ΓÇ£SCIMΓÇ¥. If you can't find the job, contact the Insite LMS support team.

+> [!NOTE]

+> The Api Key is only valid for 1 year and needs to be renewed manually before it expires.

+To configure single sign-on on **Parallels Desktop** side, follow the latest version of Parallels's Azure SSO setup guide on [this page](https://kb.parallels.com/en/129240). If you encounter any difficulties throughout the setup process, contact [Parallels Desktop support team](https://www.parallels.com/support/).

+Add existing user accounts to the Admin or User groups on the Azure AD side, following Parallels's Azure SSO setup guide that can be found on [this page](https://kb.parallels.com/en/129240). When a user account gets deactivated following their departure from the organization, that is immediately reflected in the user count of the Parallels's product license.

+> [!NOTE]

+> The semantic elements discussed here apply to Document Intelligence prebuilt models. Your custom models may return different data representations. For example, date and time returned by a custom model may be represented in a pattern that differs from standard ISO 8601 formatting.

+A document element includes the list of recognized fields from among the fields specified by the semantic schema of the detected document type:

+* A document field may be extracted or inferred. Extracted fields are represented via the extracted content and optionally its normalized value, if interpretable.

+* An inferred field doesn't have content property and is represented only via its value.

+* An array field doesn't include a content property. The content can be concatenated from the content of the array elements.

+* An object field does contain a content property that specifies the full content representing the object that may be a superset of the extracted subfields.

+```

+## Copy projects across language resources

+Often you can copy conversational language understanding projects from one resource to another using the **copy** button in Azure Language Studio. However in some cases, it might be easier to copy projects using the API.

+First, identify the:

+ * source project name

+ * target project name

+ * source language resource

+ * target language resource, which is where you want to copy it to.

+Call the API to authorize the copy action, and get the `accessTokens` for the actual copy operation later.

+```console

+curl --request POST \

+ --url 'https://<target-language-resource>.cognitiveservices.azure.com//language/authoring/analyze-conversations/projects/<source-project-name>/:authorize-copy?api-version=2023-04-15-preview' \

+ --header 'Content-Type: application/json' \

+ --header 'Ocp-Apim-Subscription-Key: <Your-Subscription-Key>' \

+ --data '{"projectKind":"Conversation","allowOverwrite":false}'

+```

+Call the API to complete the copy operation. Use the response you got earlier as the payload.

+```console

+curl --request POST \

+ --url 'https://<source-language-resource>.cognitiveservices.azure.com/language/authoring/analyze-conversations/projects/<source-project-name>/:copy?api-version=2023-04-15-preview' \

+ --header 'Content-Type: application/json' \

+ --header 'Ocp-Apim-Subscription-Key: <Your-Subscription-Key>\

+ --data '{

+"projectKind": "Conversation",

+"targetProjectName": "<target-project-name>",

+"accessToken": "<access-token>",

+"expiresAt": "<expiry-date>",

+"targetResourceId": "<target-resource-id>",

+"targetResourceRegion": "<target-region>"

+}'

+```

+If you have an Azure Cognitive Search resource protected by a private network, and want to allow Azure OpenAI on your data to access your search service, complete [an application form](https://aka.ms/applyacsvpnaoaioyd). The application will be reviewed in ten business days and you will be contacted via email about the results. If you are eligible, we will send a private endpoint request to your search service, and you will need to approve the request.

+- Publishing creates an Azure App Service in your subscription. It may incur costs depending on the [pricing plan](https://azure.microsoft.com/pricing/details/app-service/windows/) you select. When you're done with your app, you can delete it from the Azure portal.

+description: In this quickstart, you learn how to install the Speech SDK for your preferred programming language.

+- [Speech to text quickstart](../get-started-speech-to-text.md)

+- [Text to speech quickstart](../get-started-text-to-speech.md)

+- [Speech translation quickstart](../get-started-speech-translation.md)

+| Prometheus metrics | When you [enable metric scraping](../azure-monitor/containers/prometheus-metrics-enable.md) for your cluster, [Prometheus metrics](../azure-monitor/containers/prometheus-metrics-scrape-default.md) are collected by [Azure Monitor managed service for Prometheus](../azure-monitor/essentials/prometheus-metrics-overview.md) and stored in an [Azure Monitor workspace](../azure-monitor/essentials/azure-monitor-workspace-overview.md). Analyze them with [prebuilt dashboards](../azure-monitor/visualize/grafana-plugin.md#use-out-of-the-box-dashboards) in [Azure Managed Grafana](../managed-grafan). |

+## Create an AKS cluster

+1. Create an Azure resource group using the [`az group create`][az-group-create] command.

+ ```azurecli-interactive

+ az group create --name myNetworkResourceGroup --location eastus

+ ```

+2. Create an AKS cluster using the [`az aks create`][az-aks-create] command.

+ az aks create --name myAKSCluster --resource-group myNetworkResourceGroup --generate-ssh-keys

+## Create a static IP address

+1. Create a static public IP address using the [`az network public ip create`][az-network-public-ip-create] command.

+2. Get the name of the node resource group using the [`az aks show`][az-aks-show] command and query for the `nodeResourceGroup` property.

+ ```azurecli-interactive

+ az aks show --name myAKSCluster --resource-group myNetworkResourceGroup --query nodeResourceGroup -o tsv

+ ```

+3. Get the static public IP address using the [`az network public-ip list`][az-network-public-ip-list] command. Specify the name of the node resource group and public IP address you created, and query for the `ipAddress`.

+ az network public-ip show --resource-group <node resource group> --name myAKSPublicIP --query ipAddress --output tsv

+1. Ensure the cluster identity used by the AKS cluster has delegated permissions to the node resource group using the [`az role assignment create`][az-role-assignment-create] command.

+ CLIENT_ID=$(az aks show --name myAKSCluster --resource-group myNetworkResourceGroup --query identity.principalId -o tsv)

+ RG_SCOPE=$(az group show --name <node resource group> --query id -o tsv)

+ > Adding the `loadBalancerIP` property to the load balancer YAML manifest is deprecating following [upstream Kubernetes](https://github.com/kubernetes/kubernetes/pull/107235). While current usage remains the same and existing services are expected to work without modification, we **highly recommend setting service annotations** instead. To set service annotations, you can use `service.beta.kubernetes.io/azure-load-balancer-ipv4` for an IPv4 address and `service.beta.kubernetes.io/azure-load-balancer-ipv6` for an IPv6 address, as shown in the example YAML.

+ service.beta.kubernetes.io/azure-load-balancer-resource-group: <node resource group>

+ service.beta.kubernetes.io/azure-load-balancer-ipv4: <public IP address>

+3. Set a public-facing DNS label to the service using the `service.beta.kubernetes.io/azure-dns-label-name` service annotation. This publishes a fully qualified domain name (FQDN) for your service using Azure's public DNS servers and top-level domain. The annotation value must be unique within the Azure location, so we recommend you use a sufficiently qualified label. Azure automatically appends a default suffix in the location you selected, such as `<location>.cloudapp.azure.com`, to the name you provide, creating the FQDN.

+ > [!NOTE]

+ > If you want to publish the service on your own domain, see [Azure DNS][azure-dns-zone] and the [external-dns][external-dns] project.

+

+ ```yaml

+ apiVersion: v1

+ kind: Service

+ metadata:

+ annotations:

+ service.beta.kubernetes.io/azure-load-balancer-resource-group: <node resource group>

+ service.beta.kubernetes.io/azure-load-balancer-ipv4: <public IP address>

+ service.beta.kubernetes.io/azure-dns-label-name: <unique-service-label>

+ name: azure-load-balancer

+ spec:

+ type: LoadBalancer

+ ports:

+ - port: 80

+ selector:

+ app: azure-load-balancer

+4. Create the service and deployment using the `kubectl apply` command.

+ ```console

+ kubectl apply -f load-balancer-service.yaml

+ ```

+5. To see the DNS label for your load balancer, use the `kubectl describe service` command.

+ ```console

+ kubectl describe service azure-load-balancer

+ ```

+ The DNS label will be listed under the `Annotations`, as shown in the following condensed example output:

+ ```output

+ Name: azure-load-balancer

+ Namespace: default

+ Labels: <none>

+ Annotations: service.beta.kuberenetes.io/azure-dns-label-name: <unique-service-label>

+ ```

+If the static IP address defined in the `loadBalancerIP` property of the Kubernetes service manifest doesn't exist or hasn't been created in the node resource group and there are no other delegations configured, the load balancer service creation fails. To troubleshoot, review the service creation events using the [`kubectl describe`][kubectl-describe] command. Provide the name of the service specified in the YAML manifest, as shown in the following example:

+The output shows you information about the Kubernetes service resource. The following example output shows a `Warning` in the `Events`: "`user supplied IP address was not found`." In this scenario, make sure you created the static public IP address in the node resource group and that the IP address specified in the Kubernetes service manifest is correct.

+```output

+For more control over the network traffic to your applications, you may want to [create an ingress controller][aks-ingress-basic]. You can also [create an ingress controller with a static public IP address][aks-static-ingress].

+[az-aks-create]: /cli/azure/aks#az-aks-create

+[az-group-create]: /cli/azure/group#az-group-create

+### Disable GMSA on an existing cluster

+* Disable GMSA on an existing cluster with Windows Server nodes using the [`az aks update`][az-aks-update] command.

+ ```azurecli-interactive

+ az aks update \

+ --resource-group myResourceGroup \

+ --name myAKSCluster \

+ --disable-windows-gmsa

+ ```

+> [!NOTE]

+> You can re-enable GMSA on an existing cluster by using the [az aks update][az-aks-update] command.

+Use API Management policies to ensure that your API Management instance accepts traffic only from Azure Front Door. You can accomplish this restriction using one or both of the [following methods](../frontdoor/front-door-faq.yml#what-are-the-steps-to-restrict-the-access-to-my-backend-to-only-azure-front-door-):

+> - Automation Update management relies on [Log Analytics agent](../../azure-monitor/agents/log-analytics-agent.md) (aka MMA agent), which is on a deprecation path and wonΓÇÖt be supported after **August 31, 2024**.

+> - [Azure Update Manager](../../update-center/overview.md) (AUM) is the v2 version of Automation Update management and the future of Update management in Azure. AUM is a native service in Azure and does not rely on [Log Analytics agent](../../azure-monitor/agents/log-analytics-agent.md) or [Azure Monitor agent](../../azure-monitor/agents/agents-overview.md).

+> - Follow [guidance](../../update-center/guidance-migration-automation-update-management-azure-update-manager.md) to migrate machines and schedules from Automation Update Management to Azure Update Manager.

+> - If you are using Automation Update Management, we recommend that you continue to use the Log Analytics agent and *not* migrate to the Azure Monitor agent until machines and schedules are migrated to Azure Update Manager.

+> - The Log Analytics agent wouldn't be deprecated before moving all Automation Update Management customers to Update Manager.

+Azure Automation now supports [Azure availability zones](../reliability/availability-zones-overview.md#zonal-and-zone-redundant-services) to provide improved resiliency and reliability by providing high availability to the service, runbooks, and other Automation assets. [Learn more](automation-availability-zones.md).

+New scripts are added to the Azure Automation [GitHub organization](https://github.com/azureautomation) to address one of Azure Automation's key scenarios of VM management based on Azure Monitor alert. For more information, see [Trigger runbook from Azure alert](./automation-create-alert-triggered-runbook.md#common-azure-vm-management-operations).

+ Title: Use dynamic configuration in Python (preview)

+description: Learn how to dynamically update configuration data for Python

+ms.devlang: python

+#Customer intent: As a Python developer, I want to dynamically update my app to use the latest configuration data in App Configuration.

+# Tutorial: Use dynamic configuration in Python (preview)

+This tutorial shows how you can enable dynamic configuration updates in Python. It builds a script to leverage the App Configuration provider library for its built-in configuration caching and refreshing capabilities.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Set up your app to update its configuration in response to changes in an App Configuration store.

+> [!NOTE]

+> Requires [azure-appconfiguration-provider](https://pypi.org/project/azure-appconfiguration-provider/1.1.0b1/) package version 1.1.0b1 or later.

+## Prerequisites

+- An Azure subscription - [create one for free](https://azure.microsoft.com/free)

+- We assume you already have an App Configuration store. To create one, [create an App Configuration store](quickstart-aspnet-core-app.md).

+## Sentinel key

+A *sentinel key* is a key that you update after you complete the change of all other keys. Your app monitors the sentinel key. When a change is detected, your app refreshes all configuration values. This approach helps to ensure the consistency of configuration in your app and reduces the overall number of requests made to your App Configuration store, compared to monitoring all keys for changes.

+## Reload data from App Configuration

+1. Create a new Python file named *app.py* and add the following code:

+ ```python

+ from azure.appconfiguration.provider import load, SentinelKey

+ from azure.appconfiguration import (

+ AzureAppConfigurationClient,

+ ConfigurationSetting,

+ )

+ import os

+ import time

+ connection_string = os.environ.get("APPCONFIGURATION_CONNECTION_STRING")

+ # Setting up a configuration setting with a known value

+ client = AzureAppConfigurationClient.from_connection_string(connection_string)

+ # Creating a configuration setting to be refreshed

+ configuration_setting = ConfigurationSetting(key="message", value="Hello World!")

+ # Creating a Sentinel key to monitor

+ sentinel_setting = ConfigurationSetting(key="Sentinel", value="1")

+ # Setting the configuration setting in Azure App Configuration

+ client.set_configuration_setting(configuration_setting=configuration_setting)

+ client.set_configuration_setting(configuration_setting=sentinel_setting)

+ # Connecting to Azure App Configuration using connection string, and refreshing when the configuration setting message changes

+ config = load(

+ connection_string=connection_string,

+ refresh_on=[SentinelKey("Sentinel")],

+ refresh_interval=1, # Default value is 30 seconds, shorted for this sample

+ )

+ # Printing the initial value

+ print(config["message"])

+ print(config["Sentinel"])

+ # Updating the configuration setting to a new value

+ configuration_setting.value = "Hello World Updated!"

+ # Updating the sentinel key to a new value, only after this is changed can a refresh happen

+ sentinel_setting.value = "2"

+ # Setting the updated configuration setting in Azure App Configuration

+ client.set_configuration_setting(configuration_setting=configuration_setting)

+ client.set_configuration_setting(configuration_setting=sentinel_setting) # Should always be done last to make sure all other keys included in the refresh

+ # Waiting for the refresh interval to pass

+ time.sleep(2)

+ # Refreshing the configuration setting

+ config.refresh()

+ # Printing the updated value

+ print(config["message"])

+ print(config["Sentinel"])

+ ```

+1. Run your script:

+ ```cli

+ python app.py

+ ```

+1. Verify Output:

+## Next steps

+In this tutorial, you enabled your Python app to dynamically refresh configuration settings from App Configuration. To learn how to use an Azure managed identity to streamline the access to App Configuration, continue to the next tutorial.

+> [!div class="nextstepaction"]

+> [Managed identity integration](./howto-integrate-azure-managed-service-identity.md)

+|HPE Superdome Flex 280 | 1.25.12 | 1.22.0_2023-08-08 | 16.0.5100.7242 |Not validated|

+|TKGm 2.3|1.26.5|1.23.0_2023-09-12|16.0.5100.7246|14.5 (Ubuntu 20.04)|

+|TKGm 2.2|1.25.7|1.19.0_2023-05-09|16.0.937.6223|14.5 (Ubuntu 20.04)|

+|TKGm 2.1.0|1.24.9|1.15.0_2023-01-10|16.0.816.19223|14.5 (Ubuntu 20.04)|

+|TKGm 1.6.0|1.23.8|1.11.0_2022-09-13|16.0.312.4243|12.3 (Ubuntu 12.3-1)|

+| VMware | [Tanzu Kubernetes Grid](https://tanzu.vmware.com/kubernetes-grid) |TKGm 2.3; upstream K8s v1.26.5+vmware.2<br>TKGm 2.2; upstream K8s v1.25.7+vmware.2 <br>TKGm 2.1.0; upstream K8s v1.24.9+vmware.1 <br>TKGm 1.6.0; upstream K8s v1.23.8+vmware.2|

+ Title: 'Tutorial: Get started using Azure Cache for Redis Enterprise active replication with an AKS-hosted application'

+description: In this tutorial, you learn how to connect your AKS hosted application to a cache that uses active geo-replication.

+#CustomerIntent: As a developer, I want to see how to use a Enterprise cache that uses active geo-replication to capture data from two apps running against different caches in separate geo-locations.

+# Get started using Azure Cache for Redis Enterprise active replication with an AKS-hosted application

+In this tutorial, you will host an inventory application on Azure Kubernetes Service (AKS) and find out how you can use active geo-replication to replicate data in your Azure Cache for Redis Enterprise instances across Azure regions.

+## Prerequisites

+- An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- One Azure Kubernetes Service Cluster - For more information on creating a cluster, see [Quickstart: Deploy an Azure Kubernetes Service (AKS) cluster using the Azure portal](/azure/aks/learn/quick-kubernetes-deploy-portal). Alternatively, you can host two instances of the demo application on the two different AKS clusters. In a production environment, you would use two different clusters located in the same regions as your clusters to deploy two versions of the application. For this tutorial, you deploy both instances of the application on the same AKS cluster.

+> [!IMPORTANT]

+> This tutorial assumes that you are familiar with basic Kubernetes concepts like containers, pods and service.

+## Overview

+This tutorial uses a sample inventory page that shows three different T-shirt options. The user can "purchase" each T-shirt and see the inventory drop. The unique thing about this demo is that we run the inventory app in two different regions. Typically, you would have to run the database storing inventory data in a single region so that there are no consistency issues. With other database backends and synchronization, customers might have unpleasant experience due to higher latency for calls across different Azure regions. When you use Azure Cache for Redis Enterprise as the backend, you can link two caches together with active geo-replication so that the inventory remains consistent across both regions while enjoying low latency performance from Redis Enterprise in the same region.

+## Set up two Azure Cache for Redis instances

+1. Create a new Azure Cache for Redis Enterprise instance in **West US 2** region by using the Azure portal or your preferred CLI tool. Alternately, you can use any region of your choice. Use the [quickstart guide](quickstart-create-redis-enterprise.md) to get started.

+1. On the **Advanced** tab:

+ 1. Enable **Non-TLS access only**.

+ 1. Set **Clustering Policy** to **Enterprise**

+ 1. Configure a new active geo-replication group using [this guide](cache-how-to-active-geo-replication.md). Eventually, you add both caches to the same replication group. Create the group name with the first cache, and add the second cache to the same group.

+ > [!IMPORTANT]

+ > This tutorial uses a non-TLS port for demonstration, but we highly recommend that you use a TLS port for anything in production.

+1. Set up another Azure Cache for Redis Enterprise in **East US** region with the same configuration as the first cache. Alternatively, you can use any region of your choice. Ensure that you choose the same replication group as the first cache.

+## Prepare Kubernetes deployment files

+Create two .yml files using the following procedure. One file for each cache you created in the two regions.

+To demonstrate data replication across regions, we run two instances of the same application in different regions. Let's make one instance run in Seattle, west namespace, while the second runs in New York, east namespace.

+### West namespace

+Update the following fields in the following YAML file and save it as _app_west.yaml_.

+1. Update the variable `REDIS_HOST` with the **Endpoint value** URL after removing the port suffix: 10000

+1. Update `REDIS_PASSWORD` with the **Access key** of your _West US 2_ cache.

+1. Update `APP_LOCATION` to display the region where this application instance is running. For this cache, configure the `APP_LOCATION` to `Seattle` to indicate this application instance is running in Seattle.

+1. Verify that the variable `namespace` value is `west` in both places in the file.

+It should look like following code:

+```YAML

+apiVersion: apps/v1

+kind: Deployment

+metadata:

+ name: shoppingcart-app

+ namespace: west

+spec:

+ replicas: 1

+ selector:

+ matchLabels:

+ app: shoppingcart

+ template:

+ metadata:

+ labels:

+ app: shoppingcart

+ spec:

+ containers:

+ - name: demoapp

+ image: mcr.microsoft.com/azure-redis-cache/redisactivereplicationdemo:latest

+ resources:

+ limits:

+ cpu: "0.5"

+ memory: "250Mi"

+ requests:

+ cpu: "0.5"

+ memory: "128Mi"

+ env:

+ - name: REDIS_HOST

+ value: "DemoWest.westus2.redisenterprise.cache.azure.net"

+ - name: REDIS_PASSWORD

+ value: "myaccesskey"

+ - name: REDIS_PORT

+ value: "10000" # redis enterprise port

+ - name: HTTP_PORT

+ value: "8080"

+ - name: APP_LOCATION

+ value: "Seattle, WA"

+apiVersion: v1

+kind: Service

+metadata:

+ name: shoppingcart-svc

+ namespace: west

+spec:

+ type: LoadBalancer

+ ports:

+ - protocol: TCP

+ port: 80

+ targetPort: 8080

+ selector:

+ app: shoppingcart

+```

+### East namespace

+Save another copy of the same YAML file as _app_east.yaml_. This time, use the values that correspond with your second cache.

+ 1. Update the variable `REDIS_HOST` with the **Endpoint value** after removing the port suffix: 10000

+ 1. Update `REDIS_PASSWORD` with the **Access key** of your _East US_ cache.

+ 1. Update `APP_LOCATION` to display the region where this application instance is running. For this cache, configure the `APP_LOCATION` to _New York_ to indicate this application instance is running in New York.

+ 1. Verify that the variable `namespace` value is `east` in both places in the file.

+It should look like following code:

+```YAML

+apiVersion: apps/v1

+kind: Deployment

+metadata:

+ name: shoppingcart-app

+ namespace: east

+spec:

+ replicas: 1

+ selector:

+ matchLabels:

+ app: shoppingcart

+ template:

+ metadata:

+ labels:

+ app: shoppingcart

+ spec:

+ containers:

+ - name: demoapp

+ image: mcr.microsoft.com/azure-redis-cache/redisactivereplicationdemo:latest

+ resources:

+ limits:

+ cpu: "0.5"

+ memory: "250Mi"

+ requests:

+ cpu: "0.5"

+ memory: "128Mi"

+ env:

+ - name: REDIS_HOST

+ value: "DemoEast.eastus.redisenterprise.cache.azure.net"

+ - name: REDIS_PASSWORD

+ value: "myaccesskey"

+ - name: REDIS_PORT

+ value: "10000" # redis enterprise port

+ - name: HTTP_PORT

+ value: "8080"

+ - name: APP_LOCATION

+ value: "New York, NY"

+apiVersion: v1

+kind: Service

+metadata:

+ name: shoppingcart-svc

+ namespace: east

+spec:

+ type: LoadBalancer

+ ports:

+ - protocol: TCP

+ port: 80

+ targetPort: 8080

+ selector:

+ app: shoppingcart

+```

+## Install and connect to your AKS cluster

+In this section, you first install the Kubernetes CLI and then connect to an AKS cluster.

+> [!NOTE]

+> An Azure Kubernetes Service Cluster is required for this tutorial. You deploy both instances of the application on the same AKS cluster.

+### Install the Kubernetes CLI

+Use the Kubernetes CLI, _kubectl, to connect to the Kubernetes cluster from your local computer. If you're running locally, then you can use the following command to install kubectl.

+```bash

+az aks install-cli

+```

+If you use Azure Cloud Shell, _kubectl_ is already installed, and you can skip this step.

+### Connect to your AKS clusters in two regions

+Use the portal to copy the resource group and cluster name for your AKS cluster in the West US 2 region. To configure _kubectl_ to connect to your AKS cluster, use the following command with your resource group and cluster name:

+```bash

+ az aks get-credentials --resource-group myResourceGroup --name myClusterName

+ ```

+Verify that you're able to connect to your cluster by running the following command:

+```bash

+kubectl get nodes

+```

+You should see similar output showing the list of your cluster nodes.

+```output

+NAME STATUS ROLES AGE VERSION

+aks-agentpool-21274953-vmss000001 Ready agent 1d v1.24.15

+aks-agentpool-21274953-vmss000003 Ready agent 1d v1.24.15

+aks-agentpool-21274953-vmss000006 Ready agent 1d v1.24.15

+```

+## Deploy and test your application

+You need two namespaces for your applications to run on your AKS cluster. Create a west and then deploy the application.

+Run the following command to deploy the application instance to your AKS cluster in the _west_ namespace:

+```bash

+kubectl create namespace west

+kubectl apply -f app_west.yaml

+```

+You get a response indicating your deployment and service was created:

+```output

+deployment.apps/shoppingcart-app created

+service/shoppingcart-svc created

+```

+To test the application, run the following command to check if the pod is running:

+```bash

+kubectl get pods -n west

+```

+You see your pod running successfully like:

+```output

+NAME READY STATUS RESTARTS AGE

+shoppingcart-app-5fffdcb5cd-48bl5 1/1 Running 0 68s

+```

+Run the following command to get the endpoint for your application:

+```bash

+kubectl get service -n west

+```

+You might see that the EXTERNAL-IP has status `<pending>` for a few minutes. Keep retrying until the status is replaced by an IP address.

+```output

+NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE

+shoppingcart-svc LoadBalancer 10.0.166.147 20.69.136.105 80:30390/TCP 90s

+```

+Once the External-IP is available, open a web browser to the External-IP address of your service and you see the application running as follows:

+<!-- screenshot for Seattle -->

+Run the same deployment steps and deploy an instance of the demo application to run in East US region.

+```bash

+kubectl create namespace east

+kubectl apply -f app_east.yml

+kubectl get pods -n east

+kubectl get service -n east

+```

+With two services opened in your browser, you should see that changing the inventory in one region is almost instantly reflected in the other region. The inventory data is stored in the Redis Enterprise instances that are replicating data across regions.

+You did it! Click on the buttons and explore the demo. To reset the count, add `/reset` after the url:

+ `<IP address>/reset`

+## Clean up your deployment

+To clean up your cluster, run the following commands:

+```bash

+kubectl delete deployment shoppingcart-app -n west

+kubectl delete service shoppingcart-svc -n west

+kubectl delete deployment shoppingcart-app -n east

+kubectl delete service shoppingcart-svc -n east

+```

+## Related Content

+- [Tutorial: Connect to Azure Cache for Redis from your application hosted on Azure Kubernetes Service](cache-tutorial-aks-get-started.md)

+- [Quickstart: Deploy an Azure Kubernetes Service (AKS) cluster using the Azure portal](/azure/aks/learn/quick-kubernetes-deploy-portal)

+- [AKS sample voting application](https://github.com/Azure-Samples/azure-voting-app-redis/tree/master)

+| Event Hubs (Extension v5.x+) | extensions.eventHubs.maxEventBatchSize | 100<sup>1</sup> |

+<sup>1</sup> The default `maxEventBatchSize` changed in [v6.0.0](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.EventHubs/6.0.0) of the `Microsoft.Azure.WebJobs.Extensions.EventHubs` package. In earlier versions, this was 10.

+ "maxEventBatchSize" : 100

+ "targetUnprocessedEventThreshold": 153

+[Render service] introduces a new version of the [Get Map Tile] API that supports using Azure Maps tiles not only in the Azure Maps SDKs but other map controls as well. It includes raster and vector tile formats, 256x256 or 512x512 tile sizes (where applicable) and numerous map types such as road, weather, contour, or map tiles. For a complete list, see [TilesetID] in the REST API documentation. You're required to display the appropriate copyright attribution on the map anytime you use the Azure Maps Render service, either as basemaps or layers, in any third-party map control. For more information, see [How to use the Get Map Attribution API].

+> [!NOTE]

+>

+> **Azure Maps Render v1 service retirement**

+>

+> The Azure Maps [Render v1] service is now deprecated and will be retired on 9/17/26. To avoid service disruptions, all calls to Render v1 API will need to be updated to use [Render v2] API by 9/17/26.

+The [Get Map Tile] API allows you to request past, current, and future radar and satellite tiles.

+[Get Map Tile]: /rest/api/maps/render-v2/get-map-tile

+[Render service]: /rest/api/maps/render-v2

+- Azure Maps Creator also allows custom vector tiles to be created and accessed through the [Render - Get Map Tile] API

+[Render - Get Map Tile]: /rest/api/maps/render-v2/get-map-tile

+- Azure Maps Creator also allows custom vector tiles to be created and accessed through the [Render - Get Map Tile] API

+[Render - Get Map Tile]: /rest/api/maps/render-v2/get-map-tile

+* Azure Maps Creator also allows custom vector tiles to be created and accessed through the [Render - Get Map Tile] API

+[Render - Get Map Tile]: /rest/api/maps/render-v2/get-map-tile

+### Render - Get Map Tile API

+The Azure Maps [Render - Get Map Tile] API has been extended to support Creator tilesets.

+Applications can use the Render - Get Map Tile API to request tilesets. The tilesets can then be integrated into a map control or SDK. For an example of a map control that uses the Render service, see [Indoor Maps Module].

+>When you review a list of items to determine whether to delete them, consider the impact of that deletion on all dependent API or applications. For example, if you delete a tileset that's being used by an application by means of the [Render - Get Map Tile] API, the application fails to render that tileset.

+[Render service]: #renderget-map-tile-api

+[Render - Get Map Tile]: /rest/api/maps/render-v2/get-map-tile

+ https://atlas.microsoft.com/map/static/png?api-version=2022-08-01&style=main&layer=basic&sku=S1&zoom=14&height=500&Width=500&center=-74.040701, 40.698666&path=lc0000FF|fc0000FF|lw3|la0.80|fa0.50||-74.03995513916016 40.70090237454063|-74.04082417488098 40.70028420372218|-74.04113531112671 40.70049568385827|-74.04298067092896 40.69899904076542|-74.04271245002747 40.69879568992435|-74.04367804527283 40.6980961582905|-74.04364585876465 40.698055487620714|-74.04368877410889 40.698022951066996|-74.04168248176573 40.696444909137|-74.03901100158691 40.69837271818651|-74.03824925422668 40.69837271818651|-74.03809905052185 40.69903971085914|-74.03771281242369 40.699340668780984|-74.03940796852112 40.70058515602143|-74.03948307037354 40.70052821920425|-74.03995513916016 40.70090237454063

+ https://atlas.microsoft.com/map/static/png?api-version=2022-08-01&style=main&layer=basic&zoom=14&height=700&Width=700&center=-122.13230609893799,47.64599069048016&path=lcFF0000|lw2|la0.60|ra1000||-122.13230609893799 47.64599069048016&pins=default|la15+50|al0.66|lc003C62|co002D62||'Microsoft Corporate Headquarters'-122.14131832122801 47.64690503939462|'Microsoft Visitor Center'-122.136828 47.642224|'Microsoft Conference Center'-122.12552547454833 47.642940335653996|'Microsoft The Commons'-122.13687658309935 47.64452336193245&subscription-key={Your-Azure-Maps-Subscription-key}

+ https://atlas.microsoft.com/map/static/png?api-version=2022-08-01&style=main&layer=basic&zoom=14&height=700&Width=700&center=-122.13230609893799,47.64599069048016&path=lcFF0000|lw2|la0.60|ra1000||-122.13230609893799 47.64599069048016&pins=default|la15+50|al0.66|lc003C62|co41D42A||'Microsoft Corporate Headquarters'-122.14131832122801 47.64690503939462|'Microsoft Visitor Center'-122.136828 47.642224|'Microsoft Conference Center'-122.12552547454833 47.642940335653996|'Microsoft The Commons'-122.13687658309935 47.64452336193245&subscription-key={Your-Azure-Maps-Subscription-key}

+description: The map copyright attribution information must be displayed in all applications that use the Render API, including web and mobile applications. This article discusses how to display the correct attribution every time you display or update a tile.

+When using the Azure Maps [Render service], either as a basemap or layer, you're required to display the appropriate data provider copyright attribution on the map. This information should be displayed in the lower right-hand corner of the map.

+The above image is an example of a map from the Render service, displaying the road style. It shows the copyright attribution in the lower right-hand corner of the map.

+The above image is an example of a map from the Render service, displaying the satellite style. note that there's another data provider listed.

+The map copyright attribution information must be displayed on the map in any applications that use the Render API, including web and mobile applications.

+| Parameter | Type | Description |

+| -- | | |

+| api-version | string | Version number of Azure Maps API. |

+* For more information, see the [Render service] documentation.

+[Render service]: /rest/api/maps/render-v2

+[road tiles]: /rest/api/maps/render-v2/get-map-tile

+[Map Tiles]: /rest/api/maps/render-v2/get-map-tile

+[Render]: /rest/api/maps/render-v2/get-map-static-image

+[road tiles]: /rest/api/maps/render-v2/get-map-tile

+[Map tile]: /rest/api/maps/render-v2/get-map-tile

+[Render]: /rest/api/maps/render-v2/get-map-static-image

+The render coverage tables below list the countries/regions that support Azure Maps road tiles. Both raster and vector tiles are supported. At the lowest resolution, the entire world fits in a single tile. At the highest resolution, a single tile represents 38 square meters. You'll see more details about continents, regions, cities, and individual streets as you zoom in the map. For more information about tiles, see [Zoom levels and tile grid].

+> [!NOTE]

+>

+> **Azure Maps Render v1 service retirement**

+>

+> The Azure Maps [Render v1] service is now deprecated and will be retired on 9/17/26. To avoid service disruptions, all calls to Render v1 API will need to be updated to use [Render v2] API by 9/17/26.

+| Symbol | Meaning |

+|::|--|

+| Γ£ô | Country/region is provided with detailed data. |

+| Γùæ | Country/region is provided with simplified data. |

+| v2 | Country/region is only supported in the Render v2 service. |

+| Country/region is missing | Country/region data isn't provided. |

+| China | v2 |

+| Japan | v2 |

+> [Get map tiles](/rest/api/maps/render-v2/get-map-tile)

+[Zoom levels and tile grid]: zoom-levels-and-tile-grid.md

+[Render v1]: /rest/api/maps/render

+[Render v2]: /rest/api/maps/render-v2

+[Choose the right pricing tier in Azure Maps]: choose-pricing-tier.md

+[Map image]: /rest/api/maps/render-v2/get-map-static-image

+[Map tile]: /rest/api/maps/render-v2/get-map-tile

+- An [Azure storage account]

+## Upload the reachable range and charging points

+It's helpful to visualize the charging stations and the boundary for the maximum reachable range of the electric vehicle on a map. Follow the steps outlined in the [How to create data registry] article to upload the boundary data and charging stations data as geojson objects to your [Azure storage account] then register them in your Azure Maps account. Make sure to make a note of the unique identifier (`udid`) value, you will need it. The `udid` is is how you reference the geojson objects you uploaded into your Azure storage account from your source code.

+After you've uploaded the data to the Azure storage account, call the Azure Maps [Get Map Image service]. This service is used to render the charging points and maximum reachable boundary on the static map image by running the following script:

+staticMapResponse = await session.get("https://atlas.microsoft.com/map/static/png?api-version=2022-08-01&subscription-key={}&pins={}&path={}&bbox={}&zoom=12".format(subscriptionKey,encodedPins,path,str(minLon)+", "+str(minLat)+", "+str(maxLon)+", "+str(maxLat)))

+To help visualize the route, follow the steps outlined in the [How to create data registry] article to upload the route data as a geojson object to your [Azure storage account] then register it in your Azure Maps account. Make sure to make a note of the unique identifier (`udid`) value, you will need it. The `udid` is is how you reference the geojson objects you uploaded into your Azure storage account from your source code. Then, call the rendering service, [Get Map Image API], to render the route on the map, and visualize it.

+staticMapResponse = await session.get("https://atlas.microsoft.com/map/static/png?api-version=2022-08-01&subscription-key={}&&path={}&pins={}&bbox={}&zoom=16".format(subscriptionKey,path,pins,str(minLon)+", "+str(minLat)+", "+str(maxLon)+", "+str(maxLat)))

+[Get Map Image API]: /rest/api/maps/render-v2/get-map-static-image

+[Get Map Image service]: /rest/api/maps/render-v2/get-map-static-image

+[Render - Get Map Image]: /rest/api/maps/render-v2/get-map-static-image

+> * Upload [Geofencing GeoJSON data] that defines the construction site areas you want to monitor. You'll upload geofences as polygon coordinates to your Azure storage account, then use the [data registry] service to register that data with your Azure Maps account.

+Create the geofence JSON file using the following geofence data. You'll upload this file into your Azure storage account next.

+Follow the steps outlined in the [How to create data registry] article to upload the geofence JSON file into your Azure storage account then register it in your Azure Maps account.

+> [!IMPORTANT]

+> Make sure to make a note of the unique identifier (`udid`) value, you will need it. The `udid` is is how you reference the geofence you uploaded into your Azure storage account from your source code and HTTP requests.

+[az maps account create]: /cli/azure/maps/account?view=azure-cli-latest&preserve-view=true#az-maps-account-create

+[Azure portal]: https://portal.azure.com

+[data registry]: /rest/api/maps/data-registry

+[Geofencing GeoJSON data]: geofence-geojson.md

+[Handle content types in Azure Logic Apps]: ../logic-apps/logic-apps-content-type.md

+[How to create data registry]: how-to-create-data-registries.md

+[logic apps]: ../event-grid/handler-webhooks.md#logic-apps

+[Postman]: https://www.postman.com

+[Search Geofence Get API]: /rest/api/maps/spatial/getgeofence

+[Spatial Geofence Get API]: /rest/api/maps/spatial/getgeofence

+[three event types]: ../event-grid/event-schema-azure-maps.md

+[Tutorial: Send email notifications about Azure IoT Hub events using Event Grid and Logic Apps]: ../event-grid/publish-iot-hub-events-to-logic-apps.md

+[Upload Geofencing GeoJSON data section]: #upload-geofencing-geojson-data

+> * Upload a geofence to an Azure storage account.

+## Upload a geofence into your Azure storage account

+The geofence defines the authorized geographical area for our rental vehicle. Use the geofence in your Azure function to determine whether a car has moved outside the geofence area.

+Follow the steps outlined in the [How to create data registry] article to upload the [geofence JSON data file] into your Azure storage account then register it in your Azure Maps account. Make sure to make a note of the unique identifier (`udid`) value, you'll need it. The `udid` is how you reference the geofence you uploaded into your Azure storage account from your source code. For more information on geofence data files, see [Geofencing GeoJSON data].

+ * Replace **UDID** with the `udid` of the geofence you uploaded in [Upload a geofence into your Azure storage account].

+[How to create data registry]: how-to-create-data-registries.md

+[geofence JSON data file]: https://raw.githubusercontent.com/Azure-Samples/iothub-to-azure-maps-geofencing/master/src/Data/geofence.json?token=AKD25BYJYKDJBJ55PT62N4C5LRNN4

+[Upload a geofence into your Azure storage account]: #upload-a-geofence-into-your-azure-storage-account

+[Geofencing GeoJSON data]: ./geofence-geojson.md

+| [Render] | Yes, except for Terra maps (`MapTile.GetTerraTile` and `layer=terra`) which are nonbillable.|<ul><li>15 tiles = 1 transaction</li><li>One request for Get Copyright = 1 transaction</li><li>One request for Get Map Attribution = 1 transaction</li><li>One request for Get Static Map = 1 transaction</li><li>One request for Get Map Tileset = 1 transaction</li></ul> <br> For Creator related usage, see the [Creator table]. |<ul><li>Maps Base Map Tiles (Gen2 pricing)</li><li>Maps Imagery Tiles (Gen2 pricing)</li><li>Maps Static Map Images (Gen2 pricing)</li><li>Maps Traffic Tiles (Gen2 pricing)</li><li>Maps Weather Tiles (Gen2 pricing)</li><li>Standard Hybrid Aerial Imagery Transactions (Gen1 S0 pricing)</li><li>Standard Aerial Imagery Transactions (Gen1 S0 pricing)</li><li>Standard S1 Aerial Imagery Transactions (Gen1 S1 pricing)</li><li>Standard S1 Hybrid Aerial Imagery Transactions (Gen1 S1 pricing)</li><li>Standard S1 Rendering Transactions (Gen1 S1 pricing)</li><li>Standard S1 Tile Transactions (Gen1 S1 pricing)</li><li>Standard S1 Weather Tile Transactions (Gen1 S1 pricing)</li><li>Standard Tile Transactions (Gen1 S0 pricing)</li><li>Standard Weather Tile Transactions (Gen1 S0 pricing)</li><li>Maps Copyright (Gen2 pricing, Gen1 S0 pricing and Gen1 S1 pricing)</li></ul>|

+| [Render] | Yes, only with `GetMapTile` with Creator Tileset ID and `GetStaticTile`.<br>For everything else for Render, see Render section in the above table.| One request = 1 transaction<br>One tile = 1 transaction | Azure Maps Creator Map Render (Gen2 pricing) |

+[Render]: /rest/api/maps/render-v2

+[Get Map Image service]: /rest/api/maps/render-v2/get-map-static-image

+[Render - Get Map Image]: /rest/api/maps/render-v2/get-map-static-image

+[Get map tiles]: /rest/api/maps/render-v2/get-map-tile

+> [!NOTE]

+> [OpenCensus Python SDK is deprecated](https://opentelemetry.io/blog/2023/sunsetting-opencensus/), but Microsoft supports it until retirement on September 30, 2024. We now recommend the [OpenTelemetry-based Python offering](https://learn.microsoft.com/azure/azure-monitor/app/opentelemetry-enable?tabs=python) and provide [migration guidance](https://learn.microsoft.com/azure/azure-monitor/app/opentelemetry-python-opencensus-migrate?tabs=aspnetcore).

+> [!NOTE]

+> [OpenCensus Python SDK is deprecated](https://opentelemetry.io/blog/2023/sunsetting-opencensus/), but Microsoft supports it until retirement on September 30, 2024. We now recommend the [OpenTelemetry-based Python offering](https://learn.microsoft.com/azure/azure-monitor/app/opentelemetry-enable?tabs=python) and provide [migration guidance](https://learn.microsoft.com/azure/azure-monitor/app/opentelemetry-python-opencensus-migrate?tabs=aspnetcore).

+> [OpenCensus Python SDK is deprecated](https://opentelemetry.io/blog/2023/sunsetting-opencensus/), but Microsoft supports it until retirement on September 30, 2024. We now recommend the [OpenTelemetry-based Python offering](https://learn.microsoft.com/azure/azure-monitor/app/opentelemetry-enable?tabs=python) and provide [migration guidance](https://learn.microsoft.com/azure/azure-monitor/app/opentelemetry-python-opencensus-migrate?tabs=aspnetcore).

+> [!NOTE]

+> [OpenCensus Python SDK is deprecated](https://opentelemetry.io/blog/2023/sunsetting-opencensus/), but Microsoft supports it until retirement on September 30, 2024. We now recommend the [OpenTelemetry-based Python offering](https://learn.microsoft.com/azure/azure-monitor/app/opentelemetry-enable?tabs=python) and provide [migration guidance](https://learn.microsoft.com/azure/azure-monitor/app/opentelemetry-python-opencensus-migrate?tabs=aspnetcore).

+| [Traffic analytics](../../network-watcher/traffic-analytics.md) | Feature of Network Watcher that analyzes flow logs to provide insights into traffic flow. |

+- For AKS clusters, use the [Network Observability add-on for AKS (preview)](https://aka.ms/NetObsAddonDoc) to monitor and observe access between services in the cluster (east-west traffic).

+Large organizations may also have a *fleet architect*, which is similar to the platform engineer but is responsible for multiple clusters. They need visibility across the entire environment and must perform administrative tasks at scale. At scale recommendations are included in the guidance below. See [What is Azure Kubernetes Fleet Manager (preview)?](../../kubernetes-fleet/overview.md) for details on creating a Fleet resource for multi-cluster and at-scale scenarios.

+| [Azure Monitor managed service for Prometheus](../essentials/prometheus-metrics-overview.md) | [Prometheus](https://prometheus.io) is a cloud-native metrics solution from the Cloud Native Compute Foundation and the most common tool used for collecting and analyzing metric data from Kubernetes clusters. Azure Monitor managed service for Prometheus is a fully managed solution that's compatible with the Prometheus query language (PromQL) and Prometheus alerts and integrates with Azure Managed Grafana for visualization. This service supports your investment in open source tools without the complexity of managing your own Prometheus environment. |

+[Create an instance of Managed Grafana](../../managed-grafan#use-out-of-the-box-dashboards) are available for monitoring Kubernetes clusters including several that present similar information as Container insights views.

+When you enable Container Insights for your Kubernetes cluster, it deploys a containerized version of the [Azure Monitor agent](../agents/log-analytics-agent.md) that sends data to a Log Analytics workspace in Azure Monitor. Container insights collects container stdout/stderr, infrastructure logs, and performance data. All log data is stored in a Log Analytics workspace where they can be analyzed using [Kusto Query Language (KQL)](../logs/log-query-overview.md).

+- Container insights collects many of the same metric values as [Prometheus](#enable-scraping-of-prometheus-metrics). You can disable collection of these metrics by configuring Container insights to only collect **Logs and events** as described in [Enable cost optimization settings in Container insights](../containers/container-insights-cost-config.md#custom-data-collection). This configuration disables the Container insights experience in the Azure portal, but you can use Grafana to visualize Prometheus metrics and Log Analytics to analyze log data collected by Container insights.

+- Reduce your cost for Container insights data ingestion by reducing the amount of data that's collected.

+- Use the [prebuilt dashboard](../visualize/grafana-plugin.md#use-out-of-the-box-dashboards) in Managed Grafana for **Kubelet** to see the health and performance of each.

+- Multiple [Kubernetes dashboards](https://grafana.com/grafana/dashboards/?search=kubernetes) are available that visualize the performance and health of your nodes based on data stored in Prometheus.

+- Use the [prebuilt dashboard](../visualize/grafana-plugin.md#use-out-of-the-box-dashboards) in Managed Grafana for **Kubelet** to see the health and performance of each kubelet.

+- Use the [prebuilt dashboards](../visualize/grafana-plugin.md#use-out-of-the-box-dashboards) in Managed Grafana for **Nodes** and **Pods** to view their health and performance.

+* If you need to delete a parent resource group or subscription that contains backups, you should delete any backups first. Deleting the resource group or subscription won't delete the backups. You can remove backups by [disabling backups](backup-disable.md) or [manually deleting the backups](backup-disable.md). If you delete the resource group without disabling backups, backups will continue to impact your billing.

+description: Learn how to locate and copy the IDs of Azure tenants and subscriptions.

+1. Under the Azure services heading, select **Microsoft Entra ID**. If you don't see **Microsoft Entra ID** here, use the search box to find it.

+- Learn more about [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md).

+**Cross Zonal Restore** | Allows you to restore Azure Virtual Machines or disks pinned to any zone to different available zones (as per the Azure RBAC capabilities) from restore points. Note that when you select a zone to restore, it selects the [logical zone](../reliability/availability-zones-overview.md#zonal-and-zone-redundant-services) (and not the physical zone) as per the Azure subscription you will use to restore to. <br><br> You can trigger Cross Zonal Restore for managed virtual machines only. <br><br> Cross Zonal Restore is supported for [Restore with Managed System Identities (MSI)](#restore-vms-with-managed-identities). <br><br> Cross Zonal Restore supports restore of an Azure zone pinned/non-zone pinned VM from a vault with Zonal-redundant storage (ZRS) enabled. Learn [how to set Storage Redundancy](backup-create-rs-vault.md#set-storage-redundancy). <br><br> It's supported to restore an Azure zone pinned VM only from a [vault with Cross Region Restore (CRR)](backup-create-rs-vault.md#set-storage-redundancy) (if the secondary region supports zones) or Zone Redundant Storage (ZRS) enabled. <br><br> Cross Zonal Restore is supported from [secondary regions](#restore-in-secondary-region). <br><br> It's unsupported from [snapshots](backup-azure-vms-introduction.md#snapshot-creation) restore point. <br><br> It's unsupported for [Encrypted Azure VMs](backup-azure-vms-introduction.md#encryption-of-azure-vm-backups).

+**Cross Zonal Restore** | You can use cross-zonal restore to restore Azure zone-pinned VMs in available zones. You can restore Azure VMs or disks to different zones (one of the Azure RBAC capabilities) from restore points. Note that when you select a zone to restore, it selects the [logical zone](../reliability/availability-zones-overview.md#zonal-and-zone-redundant-services) (and not the physical zone) as per the Azure subscription you will use to restore to. <br><br> This feature is available for the following options:<br> - [Create a VM](./backup-azure-arm-restore-vms.md#create-a-vm) <br> - [Restore disks](./backup-azure-arm-restore-vms.md#restore-disks) <br><br> Cross-zonal restore is unsupported for [snapshots](backup-azure-vms-introduction.md#snapshot-creation) of restore points. It's also unsupported for [encrypted Azure VMs](backup-azure-vms-introduction.md#encryption-of-azure-vm-backups).

+* **Azure AD authentication:** For Windows 10 version 20H2+, Windows 11 21H2+, and Windows Server 2022, use `--enable-mfa`. For more information, see [az network bastion rdp - optional parameters](/cli/azure/network/bastion?#az-network-bastion-rdp(bastion)-optional-parameters).

+- Publisher: `microsoft-dsvm`

+ - Offer: `ubuntu-hpc`

+#### Notes

+ The docker data root of the above images lies in different places:

+ - For the batch image `microsoft-azure-batch` (Offer: `centos-container-rdma`, etc), the docker data root is mapped to `/mnt/batch/docker`, which is usually located on the temporary disk.

+ - For the HPC image, or `microsoft-dsvm` (Offer: `ubuntu-hpc`, etc), the docker data root is unchanged from the Docker default which is `/var/lib/docker` on Linux and `C:\ProgramData\Docker` on Windows. These folders are usually located on the OS disk.

+ When using non-Batch images, the OS disk has the potential risk of being filled up quickly as container images are downloaded.

+#### Potential solutions for customer

+Change the docker data root in a start task when creating a pool in BatchExplorer. Here's an example of the Start Task command:

+```csharp

+1) sudo systemctl stop docker

+2) sudo vi /lib/systemd/system/docker.service

+ +++

+ FROM:

+ ExecStart=/usr/bin/docker daemon -H fd://

+ TO:

+ ExecStart=/usr/bin/docker daemon -g /new/path/docker -H fd://

+ +++

+3) sudo systemctl daemon-reload

+4) sudo systemctl start docker

+```

+ 2.4. Once the identity is enabled, you should see something similar.

+### Manually adding Managed Identity to Azure Communication Services resource

+Alternatively if you would like to go through the manual process of connecting your resources you can follow these steps.

+#### Enable system assigned identity

+1. Navigate to your Azure Communication Services resource in the Azure portal.

+2. Select the Identity tab.

+3. Enable system assigned identity. This action begins the creation of the identity. A pop-up notification appears notifying you that the request is being processed.

+[](./media/enable-system-identity.png#lightbox)

+#### Option 1: Add role from Azure Cognitive Services in the Azure portal

+1. Navigate to your Azure Cognitive Services resource.

+2. Select the "Access control (IAM)" tab.

+3. Click the "+ Add" button.

+4. Select "Add role assignments" from the menu.

+[](./media/add-role.png#lightbox)

+5. Choose the "Cognitive Services User" role to assign, then click "Next."

+[](media/cognitive-service-user.png#lightbox)

+6. For the field "Assign access to" choose the "User, group or service principal."

+7. Press "+ Select members" and a side tab opens.

+8. Search for your Azure Communication Services resource name in the text box and click it when it shows up, then click "Select."

+[](./media/select-acs-resource.png#lightbox)

+9. Click "Review + assign," this assigns the role to the managed identity.

+#### Option 2: Add role through Azure Communication Services Identity tab

+1. Navigate to your Azure Communication Services resource in the Azure portal.

+2. Select Identity tab.

+3. Click on "Azure role assignments."

+[](./media/add-role-acs.png#lightbox)

+4. Click the "Add role assignment (Preview)" button, which opens the "Add role assignment (Preview)" tab.

+5. Select the "Resource group" for "Scope."

+6. Select the "Subscription."

+7. Select the "Resource Group" containing the Cognitive Service.

+8. Select the Role "Cognitive Services User."

+[](./media/acs-roles-cognitive-services.png#lightbox)

+9. Click Save.

+Your Azure Communication Service has now been linked to your Azure Cognitive Service resource.

+## Next steps

+| Workload profile | Run serverless apps with support for scale-to-zero and pay only for resources your apps use with the consumption profile. You can also run apps with customized hardware and increased cost predictability using dedicated workload profiles. | Consumption and Dedicated | You can choose to run apps under either or both plans using separate workload profiles. The Dedicated plan has a fixed cost for the entire environment regardless of how many workload profiles you're using. |

+| Docker Hub | Supports both authenticated pulls and unauthenticated pulls. | Azure CLI, Azure portal |

+| Nvidia | Supports both authenticated pulls and unauthenticated pulls. | Azure CLI |

+This article walks you through the steps of enabling Artifact Cache with authentication by using the Azure CLI. You have to use the Credentials to make an authenticated pull or to access a private repository.

+* You have an existing Key Vault to store the credentials. Learn more about [creating and storing credentials in a Key Vault.][create-and-store-keyvault-credentials]

+### Create Credentials - Azure CLI

+Before configuring the Credentials, you have to create and store secrets in the Azure KeyVault and retrieve the secrets from the Key Vault. Learn more about [creating and storing credentials in a Key Vault.][create-and-store-keyvault-credentials] and to [set and retrieve a secret from Key Vault.][set-and-retrieve-a-secret].

+1. Run [az acr credential set create][az-acr-credential-set-create] command to create the credentials.

+ - For example, To create the credentials for a given `MyRegistry` Azure Container Registry.

+ - For example, to update the username or password KV secret ID on the credentials for a given `MyRegistry` Azure Container Registry.

+3. Run [az-acr-credential-set-show][az-acr-credential-set-show] to show the credentials.

+ - For example, to show the credentials for a given `MyRegistry` Azure Container Registry.

+### Create a cache rule with the Credentials - Azure CLI

+ - For example, to create a cache rule with the credentials for a given `MyRegistry` Azure Container Registry.

+2. Run [az acr cache update][az-acr-cache-update] command to update the credentials on a cache rule.

+ - For example, to update the credentials on a cache rule for a given `MyRegistry` Azure Container Registry.

+ - For example, to remove the credentials from an existing cache rule for a given `MyRegistry` Azure Container Registry.

+ - For example, to assign permissions for the credentials access the KeyVault secret

+3. Run[az acr credential set list][az-acr-credential-set-list] to list the credential in an Azure Container Registry.

+ - For example, to list the credentials for a given `MyRegistry` Azure Container Registry.

+4. Run [az-acr-credential-set-delete][az-acr-credential-set-delete] to delete the credentials.

+ - For example, to delete the credentials for a given `MyRegistry` Azure Container Registry.

+### Create new Credentials

+Before configuring the Credentials, you require to create and store secrets in the Azure KeyVault and retrieve the secrets from the Key Vault. Learn more about [creating and storing credentials in a Key Vault.][create-and-store-keyvault-credentials] and to [set and retrieve a secret from Key Vault.][set-and-retrieve-a-secret].

+1. Navigate to **Credentials** > **Create credentials**.

+ :::image type="content" source="./media/container-registry-artifact-cache/add-credential-set-05.png" alt-text="Screenshot for adding credentials.":::

+ :::image type="content" source="./media/container-registry-artifact-cache/create-credential-set-06.png" alt-text="Screenshot for create new credentials.":::

+Follow the steps to create a Cache rule without using the Credentials.

+ - For example, to create a Cache rule without the credentials for a given `MyRegistry` Azure Container Registry.

+- Credentials has an unhealthy status

+ - [Unhealthy Credentials](tutorial-troubleshoot-artifact-cache.md#unhealthy-credentials)

+## Unhealthy Credentials

+Credentials are a set of Key Vault secrets that operate as a Username and Password for private repositories. Unhealthy Credentials are often a result of these secrets no longer being valid. In the Azure portal, you can select the credentials, to edit and apply changes.

+| Docker Hub | Supports both authenticated pulls and unauthenticated pulls. | Azure CLI, Azure portal |

+| Nvidia | Supports both authenticated pulls and unauthenticated pulls. | Azure CLI |

+1. Optionally, send the diagnostic logs to Azure Storage, Azure Event Hubs, Azure Monitor, or a third party.

+> [!NOTE]

+> The RU/s cost of reads for the strong and bounded staleness consistency levels consume approximately two times more RUs while performing read operations when compared to that of other relaxed consistency levels.

+### [Bicep](#tab/arm-bicep)

+```bicep

+@description('Location for all resources.')

+param location string = resourceGroup().location

+param privateEndpointName string

+param resourceId string

+param groupId string

+param subnetId string

+resource privateEndpoint 'Microsoft.Network/privateEndpoints@2019-04-01' = {

+ name: privateEndpointName

+ location: location

+ properties: {

+ subnet: {

+ id: subnetId

+ }

+ privateLinkServiceConnections: [

+ {

+ name: 'MyConnection'

+ properties: {

+ privateLinkServiceId: resourceId

+ groupIds: [

+ groupId

+ ]

+ requestMessage: ''

+ }

+ }

+ ]

+ }

+}

+output privateEndpointNetworkInterface string = privateEndpoint.properties.networkInterfaces[0].id

+```

+### [JSON](#tab/arm-json)

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+### [Bicep / JSON](#tab/arm-bicep+arm-json)

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",

+A user-assigned identity is required in the restore request because the source account managed identity (User-assigned and System-assigned identities) can't be carried over automatically to the target database account.

+1. Once the restore has completed, the target (restored) account has the user-assigned identity. If desired, user can update the account to use System-Assigned managed identity.

+Azure Cosmos DB gives you the option to configure [continuous backups](./continuous-backup-restore-introduction.md) on your account. With continuous backups, you can restore your data to any point in time within the past 30 days. To use continuous backups on an account where customer-managed keys are enabled, you must use a system-assigned or user-assigned managed identity in the Key Vault access policy. Azure Cosmos DB first-party identities are not currently supported on accounts using continuous backups.

+Prerequisite steps for Customer Managed Keys enabled accounts to update user assigned identity.

+- Add a user-assigned identity to the Cosmos DB account, and grant permissions in key vault access policy.

+- Set the user-assigned as default identity via Azure CLI or ARM.

+```azurecli

+az cosmosdb update --resource-group MyResourceGroup --name MyAccountName --default-identity UserAssignedIdentity=/subscriptions/MySubscriptionId/resourcegroups/MyResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/MyUserAssignedIdentity

+```

+nc -v <accountName>.mongocluster.cosmos.azure.com 10260

+If TCP connect to port 10260 fails, an environment firewall may be blocking the Azure Cosmos DB connection. Kindly scroll down to the page's bottom to submit a support ticket.

+var response = await client.ReadDocumentAsync(collectionUri, document, requestOptions);

+ItemRequestOptions requestOptions = new ItemRequestOptions { ConsistencyLevel = ConsistencyLevel.Eventual };

+ .ReadItemAsync(

+ "path":"/name"

+ "path":"/age"

+result = container.scripts.execute_stored_procedure(sproc=created_sproc,params=[new_item], partition_key=new_id)

+result = container.create_item(item, pre_trigger_include='trgPreValidateToDoItemTimestamp')

+> If there's a failure, the failed operation will have a status code of its corresponding error. All the other operations will have a 424 status code (failed dependency). If the operation fails because it tries to create an item that already exists, a status code of 409 (conflict) is returned. The status code enables one to identify the cause of transaction failure.

+> If there's a failure, the failed operation will have a status code of its corresponding error. All the other operations will have a 424 status code (failed dependency). If the operation fails because it tries to create an item that already exists, a status code of 409 (conflict) is returned. The status code enables one to identify the cause of transaction failure.

+> [!NOTE]

+> This section primarily applies to the API for NoSQL. Other APIs, such as the API for Gremlin, do not support the unique identifier as the partition key.

+If your container has a property that has a wide range of possible values, it's likely a great partition key choice. One possible example of such a property is the *item ID*. For small read-heavy containers or write-heavy containers of any size, the *item ID* (`/id`) is naturally a great choice for the partition key.

+ --public-network-access Disabled

+If `--public-network-access` is not set, restored account is accessible from public network. Please ensure to pass `Disabled` to the `--public-network-access` option to prevent public network access for restored account.

+> [!IMPORTANT]

+> Use `az cosmsodb sql database create` to create a NoSQL database. The `az cosmosdb database create` command is deprecated.

+To see your account keys, navigate to Keys from the left menu. Then, click on the ΓÇ£viewΓÇ¥ icon at the right of each key. Click on the copy button to copy the selected key. You can hide them afterwards by clicking the same icon per key, which will be updated as a ΓÇ£hideΓÇ¥ button.

+| **Cost Allocation Rules** | Create, Read, Update, Delete | Read |

+The Cost Management connector for Power BI supports Enterprise Agreements, direct Microsoft Customer Agreements and Microsoft Partner Agreements on Billing Account and Billing Profile scopes. For more information about Cost Management connector support, see [Create visuals and reports with the Cost Management connector in Power BI Desktop](/power-bi/connect-data/desktop-connect-azure-cost-management). After you transfer a subscription from one of the agreements to a Microsoft Partner Agreement, your Power BI reports stop working.

+| EA | MCA - Enterprise | ΓÇó Transferring all enrollment products is completed as part of the MCA transition process from an EA. For more information, see [Complete Enterprise Agreement tasks in your billing account for a Microsoft Customer Agreement](mca-enterprise-operations.md).<br><br> ΓÇó If you want to transfer specific products but not all of the products in an enrollment, see [Transfer Azure subscription billing ownership for a Microsoft Customer Agreement](mca-request-billing-ownership.md). <br><br>ΓÇó Self-service reservation and savings plan transfers with no currency change are supported. When there's is a currency change during or after an enrollment transfer, reservations paid for monthly are canceled for the source enrollment. Cancellation happens at the time of the next monthly payment for an individual reservation. The cancellation is intentional and only affects monthly reservation purchases. For more information, see [Transfer Azure Enterprise enrollment accounts and subscriptions](../manage/ea-transfers.md#prerequisites-1).<br><br> ΓÇó You can't transfer a savings plan purchased under an Enterprise Agreement enrollment that was bought in a non-USD currency. You can [change the savings plan scope](../savings-plan/manage-savings-plan.md#change-the-savings-plan-scope) so that it applies to other subscriptions. |

+- Dispatch the following transform activities in a public network:

+ - .NET custom activity

+ - Azure Function activity

+ - Databricks Notebook/ Jar/ Python activity

+ - Data Lake Analytics U-SQL activity

+ - Get Metadata activity

+ - HDInsight Hive activity

+ - HDInsight Pig activity

+ - HDInsight MapReduce activity

+ - HDInsight Spark activity

+ - HDInsight Streaming activity

+ - Lookup activity

+ - Machine Learning Studio (classic) Batch Execution activity

+ - Machine Learning Studio (classic) Update Resource activity

+ - Stored Procedure activity

+ - Validation activity

+ - Web activity

+

+- Dispatching the following transform activities against compute resources in on-premises or Azure Virtual Network:

+ - Azure Function activity

+ - Custom activity (runs on Azure Batch)

+ - Data Lake Analytics U-SQL activity

+ - Get Metadata activity

+ - HDInsight Hive activity (BYOC-Bring Your Own Cluster)

+ - HDInsight Pig activity (BYOC)

+ - HDInsight MapReduce activity (BYOC)

+ - HDInsight Spark activity (BYOC)

+ - HDInsight Streaming activity (BYOC)

+ - Lookup activity

+ - Machine Learning Studio (classic) Batch Execution activity

+ - Machine Learning Studio (classic) Update Resource activity

+ - Machine Learning Execute Pipeline activity

+ - Stored Procedure activity

+ - Validation activity

+ - Web activity

+ Title: Automate continuous integration with GitHub Actions

+description: Learn how to automate continuous integration in Azure Data Factory with GitHub Actions.

+# Automate continuous integration and delivery using GitHub Actions

+In this guide, we show how to do continuous integration and delivery in Azure Data Factory with GitHub Actions. This is done using workflows. A workflow is defined by a YAML file that contains the various steps and parameters that make up the workflow.

+The workflow leverages the [automated publishing capability](continuous-integration-delivery-improvements.md) of Azure Data Factory. And the [Azure Data Factory Deploy Action](https://github.com/marketplace/actions/data-factory-deploy) from the GitHub Marketplace that uses the [pre- and post-deployment script](continuous-integration-delivery-sample-script.md).

+## Requirements

+- Azure Subscription - if you don't have one, create a [free Azure account](https://azure.microsoft.com/free/) before you begin.

+- Azure Data Factory - you need two instances, one development instance that is the source of changes. And a second one where changes are propagated with the workflow. If you don't have an existing Data Factory instance, follow this [tutorial](quickstart-create-data-factory.md) to create one.

+- GitHub repository integration set up - if you don't have a GitHub repository connected to your development Data Factory, follow the [tutorial](source-control.md#github-settings) to connect it.

+## Create a user-assigned managed identity

+You need credentials that authenticate and authorize GitHub Actions to deploy your ARM template to the target Data Factory. We leverage a user-assigned managed identity (UAMI) with [workload identity federation](../active-directory/workload-identities/workload-identity-federation.md). Using workload identity federation allows you to access Azure Active Directory (Azure AD) protected resources without needing to manage secrets. In this scenario, GitHub Actions are able to access the Azure resource group and deploy the target Data Factory instance.

+Follow the tutorial to [create a user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md#create-a-user-assigned-managed-identity). Once the UAMI is created, browse to the Overview page and take a note of the Subscription ID and Client ID. We need these values later.

+## Configure the workload identity federation

+1. Follow the tutorial to [configure a federated identity credential on a user-assigned managed identity](../active-directory/workload-identities/workload-identity-federation-create-trust-user-assigned-managed-identity.md#configure-a-federated-identity-credential-on-a-user-assigned-managed-identity).

+ Here is an example of a federated identity configuration:

+

+ :::image type="content" source="media/continuous-integration-delivery-github-actions/add-federated-credential.png" lightbox="media/continuous-integration-delivery-github-actions/add-federated-credential.png"alt-text="Screenshot of adding Federated Credential in Azure Portal.":::

+2. After creating the credential, navigate to Azure Active Directory Overview page and take a note of the tenant ID. We need this value later.

+3. Browse to the Resource Group containing the target Data Factory instance and assign the UAMI the [Data Factory Contributor role](concepts-roles-permissions.md#roles-and-requirements).

+> [!IMPORTANT]

+> In order to avoid authorization errors during deployment, be sure to assign the Data Factory Contributor role at the Resource Group level containing the target Data Factory instance.

+## Configure the GitHub secrets

+You need to provide your application's Client ID, Tenant ID and Subscription ID to the login action. These values can be stored in GitHub secrets and referenced in your workflow.

+1. Open your GitHub repository and go to Settings.

+

+ :::image type="content" source="media/continuous-integration-delivery-github-actions/github-settings.png" lightbox="media/continuous-integration-delivery-github-actions/github-settings.png" alt-text="Screenshot of navigating to GitHub Settings.":::

+2. Select Security -> Secrets and variables -> Actions.

+

+ :::image type="content" source="media/continuous-integration-delivery-github-actions/github-secrets.png" lightbox="media/continuous-integration-delivery-github-actions/github-secrets.png" alt-text="Screenshot of navigating to GitHub Secrets.":::

+3. Create secrets for AZURE_CLIENT_ID, AZURE_TENANT_ID, and AZURE_SUBSCRIPTION_ID. Use these values from your Azure Active Directory application for your GitHub secrets:

+

+ | GitHub Secret | Azure Active Directory Application |

+ ||-|

+ | AZURE_CLIENT_ID | Application (client) ID |

+ | AZURE_TENANT_ID | Directory (tenant) ID |

+ | AZURE_SUBSCRIPTION_ID | Subscription ID |

+4. Save each secret by selecting Add secret.

+## Create the workflow that deploys the Data Factory ARM template

+At this point, you must have a Data Factory instance with git integration set up. If not, follow the links in the Requirements section.

+The workflow is composed of two jobs:

+- **A build job** which uses the npm package [@microsoft/azure-data-factory-utilities](https://www.npmjs.com/package/@microsoft/azure-data-factory-utilities) to (1) validate all the Data Factory resources in the repository. You get the same validation errors as when "Validate All" is selected in Data Factory Studio. And (2) export the ARM template that is later used to deploy to the QA or Staging environment.

+- **A release job** which takes the exported ARM template artifact and deploys it to the higher environment Data Factory instance.

+1. Navigate to the repository connected to your Data Factory, under your root folder (ADFroot in the below example) create a build folder where you store the package.json file:

+ ```json

+ {

+ "scripts":{

+ "build":"node node_modules/@microsoft/azure-data-factory-utilities/lib/index"

+ },

+ "dependencies":{

+ "@microsoft/azure-data-factory-utilities":"^1.0.0"

+ }

+ }

+ ```

+

+ The setup should look like:

+

+ :::image type="content" source="media/continuous-integration-delivery-github-actions/saving-package-json-file.png" lightbox="media/continuous-integration-delivery-github-actions/saving-package-json-file.png" alt-text="Screenshot of saving the package.json file in GitHub.":::

+2. Navigate to the Actions tab -> New workflow

+

+ :::image type="content" source="media/continuous-integration-delivery-github-actions/new-workflow.png" lightbox="media/continuous-integration-delivery-github-actions/new-workflow.png" alt-text="Screenshot of creating a new workflow in GitHub.":::

+3. Paste the workflow YAML.

+```yml

+on:

+ push:

+ branches:

+ - main

+permissions:

+ id-token: write

+ contents: read

+jobs:

+ build:

+ runs-on: ubuntu-latest

+ steps:

+ - uses: actions/checkout@v3

+# Installs Node and the npm packages saved in your package.json file in the build

+ - name: Setup Node.js environment

+ uses: actions/setup-node@v3.4.1

+ with:

+ node-version: 14.x

+

+ - name: install ADF Utilities package

+ run: npm install

+ working-directory: ${{github.workspace}}/ADFroot/build # (1) provide the folder location of the package.json file

+

+# Validates all of the Data Factory resources in the repository. You'll get the same validation errors as when "Validate All" is selected.

+ - name: Validate

+ run: npm run build validate ${{github.workspace}}/ADFroot/ /subscriptions/<subscriptionID>/resourceGroups/<resourceGroupName>/providers/Microsoft.DataFactory/factories/<ADFname> # (2) The validate command needs the root folder location of your repository where all the objects are stored. And the 2nd parameter is the resourceID of the ADF instance

+ working-directory: ${{github.workspace}}/ADFroot/build

+

+ - name: Validate and Generate ARM template

+ run: npm run build export ${{github.workspace}}/ADFroot/ /subscriptions/<subID>/resourceGroups/<resourceGroupName>/providers/Microsoft.DataFactory/factories/<ADFname> "ExportedArmTemplate" # (3) The build command, as validate, needs the root folder location of your repository where all the objects are stored. And the 2nd parameter is the resourceID of the ADF instance. The 3rd parameter is the exported ARM template artifact name

+ working-directory: ${{github.workspace}}/ADFroot/build

+

+# In order to leverage the artifact in another job, we need to upload it with the upload action

+ - name: upload artifact

+ uses: actions/upload-artifact@v3

+ with:

+ name: ExportedArmTemplate # (4) use the same artifact name you used in the previous export step

+ path: ${{github.workspace}}/ADFroot/build/ExportedArmTemplate

+

+ release:

+ needs: build

+ runs-on: ubuntu-latest

+ steps:

+

+ # we 1st download the previously uploaded artifact so we can leverage it later in the release job

+ - name: Download a Build Artifact

+ uses: actions/download-artifact@v3.0.2

+ with:

+ name: ExportedArmTemplate # (5) Artifact name

+ - name: Login via Az module

+ uses: azure/login@v1

+ with:

+ client-id: ${{ secrets.AZURE_CLIENT_ID }}

+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}

+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

+ enable-AzPSSession: true

+ - name: data-factory-deploy

+ uses: Azure/data-factory-deploy-action@v1.2.0

+ with:

+ resourceGroupName: # (6) your target ADF resource group name

+ dataFactoryName: # (7) your target ADF name

+ armTemplateFile: # (8) ARM template file name ARMTemplateForFactory.json

+ armTemplateParametersFile: # (9) ARM template parameters file name ARMTemplateParametersForFactory.json

+ additionalParameters: # (10) Parameters which will be replaced in the ARM template. Expected format 'key1=value key2=value keyN=value'. At the minimum here you should provide the target ADF name parameter. Check the ARMTemplateParametersForFactory.json file for all the parameters that are expected in your scenario

+```

+LetΓÇÖs walk together through the workflow. It contains parameters that are numbered for your convenience and comments describe what each expects.

+For the build job, there are four parameters you need to provide. For more detailed information about these, check the npm package [Azure Data Factory utilities](https://www.npmjs.com/package/@microsoft/azure-data-factory-utilities) documentation.

+> [!TIP]

+> Use the same artifact name in the Export, Upload and Download actions.

+In the Release job, there are the next six parameters you need to supply. For more details about these, please check the [Azure Data Factory Deploy Action GitHub Marketplace listing](https://github.com/marketplace/actions/data-factory-deploy).

+## Monitor the workflow execution

+LetΓÇÖs test the setup by making some changes in the development Data Factory instance. Create a feature branch and make some changes. Then make a pull request to the main branch. This triggers the workflow to execute.

+1. To check it, browse to the repository -> Actions -> and identify your workflow.

+

+ :::image type="content" source="media/continuous-integration-delivery-github-actions/monitoring-workflow.png" lightbox="media/continuous-integration-delivery-github-actions/monitoring-workflow.png" alt-text="Screenshot showing monitoring a workflow in GitHub.":::

+2. You can further drill down into each run, see the jobs composing it and their statuses and duration, as well as the Artifact created by the run. In our scenario, this is the ARM template created in the build job.

+

+ :::image type="content" source="media/continuous-integration-delivery-github-actions/monitoring-jobs.png" lightbox="media/continuous-integration-delivery-github-actions/monitoring-jobs.png" alt-text="Screenshot showing monitoring jobs in GitHub.":::

+3. You can further drill down by navigating to a job and its steps.

+

+ :::image type="content" source="media/continuous-integration-delivery-github-actions/monitoring-release-job.png" lightbox="media/continuous-integration-delivery-github-actions/monitoring-release-job.png" alt-text="Screenshot showing monitoring the release job in GitHub.":::

+4. You can also navigate to the target Data Factory instance to which you deployed changes to and make sure it reflects the latest changes.

+## Next steps

+- [Continuous integration and delivery overview](continuous-integration-delivery.md)

+- [Manually promote a Resource Manager template to each environment](continuous-integration-delivery-manual-promotion.md)

+- [Use custom parameters with a Resource Manager template](continuous-integration-delivery-resource-manager-custom-parameters.md)

+- [Linked Resource Manager templates](continuous-integration-delivery-linked-templates.md)

+- [Using a hotfix production environment](continuous-integration-delivery-hotfix-environment.md)

+- [Sample pre- and post-deployment script](continuous-integration-delivery-sample-script.md)

+ Title: Azure Stack Edge 2309 release notes

+description: Describes critical open issues and resolutions for the Azure Stack Edge running 2309 release.

+

+# Azure Stack Edge 2309 release notes

+The following release notes identify the critical open issues and the resolved issues for the 2309 release for your Azure Stack Edge devices. Features and issues that correspond to a specific model of Azure Stack Edge are called out wherever applicable.

+The release notes are continuously updated, and as critical issues requiring a workaround are discovered, they're added. Before you deploy your device, carefully review the information contained in the release notes.

+This article applies to the **Azure Stack Edge 2309** release, which maps to software version **3.2.2380.1652**.

+## Supported update paths

+To apply the 2309 update, your device must be running version 2203 or later.

+ - If you are not running the minimum required version, you'll see this error:

+ *Update package cannot be installed as its dependencies are not met.*

+ - You can update to 2203 from 2207 or later, and then install 2309.

+You can update to the latest version using the following update paths:

+| Current version of Azure Stack Edge software and Kubernetes | Update to Azure Stack Edge software and Kubernetes | Desired update to 2309 |

+| --| --| --|

+|2207 |2303 |2309 |

+|2209 |2303 |2309 |

+|2210 |2303 |2309 |

+|2301 |2303 |2309 |

+|2303 |Directly to |2309 |

+## What's new

+The 2309 release has the following new features and enhancements:

+- Beginning this release, you have the option of selecting Kubernetes profiles based on your workloads. You can also configure Maximum Transmission Unit (MTU) for the network interfaces on your device.

+- Starting March 2023, Azure Stack Edge devices are required to be on the 2301 release or later to create a Kubernetes cluster. In preparation for this requirement, it is highly recommended that you update to the latest version as soon as possible.

+- You can deploy Azure Kubernetes service (AKS) on an Azure Stack Edge cluster. This feature is supported only for SAP and PMEC customers. For more information, see [Deploy AKS on Azure Stack Edge](azure-stack-edge-deploy-aks-on-azure-stack-edge.md).

+## Issues fixed in this release

+| No. | Feature | Issue |

+| | | |

+|**1.**|Core Azure Stack Edge platform and Azure Kubernetes Service (AKS) on Azure Stack Edge |Critical bug fixes to improve workload availability during two-node Azure Stack Edge update of core Azure Stack Edge platform and AKS on Azure Stack Edge. |

+<!--## Known issues in this release

+| No. | Feature | Issue | Workaround/comments |

+| | | | |

+|**1.**|Need known issues in 2303 |-->

+## Known issues from previous releases

+The following table provides a summary of known issues carried over from the previous releases.

+| No. | Feature | Issue | Workaround/comments |

+| | | | |

+| **1.** |Azure Stack Edge Pro + Azure SQL | Creating SQL database requires Administrator access. |Do the following steps instead of Steps 1-2 in [Create-the-sql-database](../iot-edge/tutorial-store-data-sql-server.md#create-the-sql-database). <br> 1. In the local UI of your device, enable compute interface. Select **Compute > Port # > Enable for compute > Apply.**<br> 2. Download `sqlcmd` on your client machine from [SQL command utility](/sql/tools/sqlcmd-utility). <br> 3. Connect to your compute interface IP address (the port that was enabled), adding a ",1401" to the end of the address.<br> 4. Final command will look like this: sqlcmd -S {Interface IP},1401 -U SA -P "Strong!Passw0rd". After this, steps 3-4 from the current documentation should be identical. |

+| **2.** |Refresh| Incremental changes to blobs restored via **Refresh** are NOT supported |For Blob endpoints, partial updates of blobs after a Refresh, may result in the updates not getting uploaded to the cloud. For example, sequence of actions such as:<br> 1. Create blob in cloud. Or delete a previously uploaded blob from the device.<br> 2. Refresh blob from the cloud into the appliance using the refresh functionality.<br> 3. Update only a portion of the blob using Azure SDK REST APIs. These actions can result in the updated sections of the blob to not get updated in the cloud. <br>**Workaround**: Use tools such as robocopy, or regular file copy through Explorer or command line, to replace entire blobs.|

+|**3.**|Throttling|During throttling, if new writes to the device aren't allowed, writes by the NFS client fail with a "Permission Denied" error.| The error will show as below:<br>`hcsuser@ubuntu-vm:~/nfstest$ mkdir test`<br>mkdir: can't create directory 'test': Permission deniedΓÇï|

+|**4.**|Blob Storage ingestion|When using AzCopy version 10 for Blob storage ingestion, run AzCopy with the following argument: `Azcopy <other arguments> --cap-mbps 2000`| If these limits aren't provided for AzCopy, it could potentially send a large number of requests to the device, resulting in issues with the service.|

+|**5.**|Tiered storage accounts|The following apply when using tiered storage accounts:<br> - Only block blobs are supported. Page blobs aren't supported.<br> - There's no snapshot or copy API support.<br> - Hadoop workload ingestion through `distcp` isn't supported as it uses the copy operation heavily.||

+|**6.**|NFS share connection|If multiple processes are copying to the same share, and the `nolock` attribute isn't used, you may see errors during the copy.ΓÇï|The `nolock` attribute must be passed to the mount command to copy files to the NFS share. For example: `C:\Users\aseuser mount -o anon \\10.1.1.211\mnt\vms Z:`.|

+|**7.**|Kubernetes cluster|When applying an update on your device that is running a Kubernetes cluster, the Kubernetes virtual machines will restart and reboot. In this instance, only pods that are deployed with replicas specified are automatically restored after an update. |If you have created individual pods outside a replication controller without specifying a replica set, these pods won't be restored automatically after the device update. You'll need to restore these pods.<br>A replica set replaces pods that are deleted or terminated for any reason, such as node failure or disruptive node upgrade. For this reason, we recommend that you use a replica set even if your application requires only a single pod.|

+|**8.**|Kubernetes cluster|Kubernetes on Azure Stack Edge Pro is supported only with Helm v3 or later. For more information, go to [Frequently asked questions: Removal of Tiller](https://v3.helm.sh/docs/faq/).|

+|**9.**|Kubernetes |Port 31000 is reserved for Kubernetes Dashboard. Port 31001 is reserved for Edge container registry. Similarly, in the default configuration, the IP addresses 172.28.0.1 and 172.28.0.10, are reserved for Kubernetes service and Core DNS service respectively.|Don't use reserved IPs.|

+|**10.**|Kubernetes |Kubernetes doesn't currently allow multi-protocol LoadBalancer services. For example, a DNS service that would have to listen on both TCP and UDP. |To work around this limitation of Kubernetes with MetalLB, two services (one for TCP, one for UDP) can be created on the same pod selector. These services use the same sharing key and spec.loadBalancerIP to share the same IP address. IPs can also be shared if you have more services than available IP addresses. <br> For more information, see [IP address sharing](https://metallb.universe.tf/usage/#ip-address-sharing).|

+|**11.**|Kubernetes cluster|Existing Azure IoT Edge marketplace modules may require modifications to run on IoT Edge on Azure Stack Edge device.|For more information, see [Run existing IoT Edge modules from Azure Stack Edge Pro FPGA devices on Azure Stack Edge Pro GPU device](azure-stack-edge-gpu-modify-fpga-modules-gpu.md).|

+|**12.**|Kubernetes |File-based bind mounts aren't supported with Azure IoT Edge on Kubernetes on Azure Stack Edge device.|IoT Edge uses a translation layer to translate `ContainerCreate` options to Kubernetes constructs. Creating `Binds` maps to `hostpath` directory and thus file-based bind mounts can't be bound to paths in IoT Edge containers. If possible, map the parent directory.|

+|**13.**|Kubernetes |If you bring your own certificates for IoT Edge and add those certificates on your Azure Stack Edge device after the compute is configured on the device, the new certificates aren't picked up.|To work around this problem, you should upload the certificates before you configure compute on the device. If the compute is already configured, [Connect to the PowerShell interface of the device and run IoT Edge commands](azure-stack-edge-gpu-connect-powershell-interface.md#use-iotedge-commands). Restart `iotedged` and `edgehub` pods.|

+|**14.**|Certificates |In certain instances, certificate state in the local UI may take several seconds to update. |The following scenarios in the local UI may be affected. <br> - **Status** column in **Certificates** page. <br> - **Security** tile in **Get started** page. <br> - **Configuration** tile in **Overview** page.<br> |

+|**15.**|Certificates|Alerts related to signing chain certificates aren't removed from the portal even after uploading new signing chain certificates.| |

+|**16.**|Web proxy |NTLM authentication-based web proxy isn't supported. ||

+|**17.**|Internet Explorer|If enhanced security features are enabled, you may not be able to access local web UI pages. | Disable enhanced security, and restart your browser.|

+|**18.**|Kubernetes |Kubernetes doesn't support ":" in environment variable names that are used by .NET applications. This is also required for Event Grid IoT Edge module to function on Azure Stack Edge device and other applications. For more information, see [ASP.NET core documentation](/aspnet/core/fundamentals/configuration/?tabs=basicconfiguration#environment-variables).|Replace ":" by double underscore. For more information,see [Kubernetes issue](https://github.com/kubernetes/kubernetes/issues/53201)|

+|**19.** |Azure Arc + Kubernetes cluster |By default, when resource `yamls` are deleted from the Git repository, the corresponding resources aren't deleted from the Kubernetes cluster. |To allow the deletion of resources when they're deleted from the git repository, set `--sync-garbage-collection` in Arc OperatorParams. For more information, see [Delete a configuration](../azure-arc/kubernetes/tutorial-use-gitops-connected-cluster.md#additional-parameters). |

+|**20.**|NFS |Applications that use NFS share mounts on your device to write data should use Exclusive write. That ensures the writes are written to the disk.| |

+|**21.**|Compute configuration |Compute configuration fails in network configurations where gateways or switches or routers respond to Address Resolution Protocol (ARP) requests for systems that don't exist on the network.| |

+|**22.**|Compute and Kubernetes |If Kubernetes is set up first on your device, it claims all the available GPUs. Hence, it isn't possible to create Azure Resource Manager VMs using GPUs after setting up the Kubernetes. |If your device has 2 GPUs, then you can create one VM that uses the GPU and then configure Kubernetes. In this case, Kubernetes will use the remaining available one GPU. |

+|**23.**|Custom script VM extension |There's a known issue in the Windows VMs that were created in an earlier release and the device was updated to 2103. <br> If you add a custom script extension on these VMs, the Windows VM Guest Agent (Version 2.7.41491.901 only) gets stuck in the update causing the extension deployment to time out. | To work around this issue: <br> 1. Connect to the Windows VM using remote desktop protocol (RDP). <br> 2. Make sure that the `waappagent.exe` is running on the machine: `Get-Process WaAppAgent`. <br> 3. If the `waappagent.exe` isn't running, restart the `rdagent` service: `Get-Service RdAgent` \| `Restart-Service`. Wait for 5 minutes.<br> 4. While the `waappagent.exe` is running, kill the `WindowsAzureGuest.exe` process. <br> 5. After you kill the process, the process starts running again with the newer version. <br> 6. Verify that the Windows VM Guest Agent version is 2.7.41491.971 using this command: `Get-Process WindowsAzureGuestAgent` \| `fl ProductVersion`.<br> 7. [Set up custom script extension on Windows VM](azure-stack-edge-gpu-deploy-virtual-machine-custom-script-extension.md). |

+|**24.**|Multi-Process Service (MPS) |When the device software and the Kubernetes cluster are updated, the MPS setting isn't retained for the workloads. |[Re-enable MPS](azure-stack-edge-gpu-connect-powershell-interface.md#connect-to-the-powershell-interface) and redeploy the workloads that were using MPS. |

+|**25.**|Wi-Fi |Wi-Fi doesn't work on Azure Stack Edge Pro 2 in this release. |

+|**26.**|Azure IoT Edge |The managed Azure IoT Edge solution on Azure Stack Edge is running on an older, obsolete IoT Edge runtime that is at end of life. For more information, see [IoT Edge v1.1 EoL: What does that mean for me?](https://techcommunity.microsoft.com/t5/internet-of-things-blog/iot-edge-v1-1-eol-what-does-that-mean-for-me/ba-p/3662137). Although the solution does not stop working past end of life, there are no plans to update it. |To run the latest version of Azure IoT Edge [LTSs](../iot-edge/version-history.md#version-history) with the latest updates and features on their Azure Stack Edge, we **recommend** that you deploy a [customer self-managed IoT Edge solution](azure-stack-edge-gpu-deploy-iot-edge-linux-vm.md) that runs on a Linux VM. For more information, see [Move workloads from managed IoT Edge on Azure Stack Edge to an IoT Edge solution on a Linux VM](azure-stack-edge-move-to-self-service-iot-edge.md). |

+|**27.**|AKS on Azure Stack Edge |When you update your AKS on Azure Stack Edge deployment from a previous preview version to 2303 release, there is an additional nodepool rollout. |The update may take longer. |

+|**28.**|Azure portal |When the Arc deployment fails in this release, you will see a generic *NO PARAM* error code, as all the errors are not propagated in the portal. |There is no workaround for this behavior in this release. |

+|**29.**|AKS on Azure Stack Edge |In this release, you can't modify the virtual networks once the AKS cluster is deployed on your Azure Stack Edge cluster.| To modify the virtual network, you will need to delete the AKS cluster, then modify virtual networks, and then recreate AKS cluster on your Azure Stack Edge. |

+|**30.**|AKS on Azure Stack Edge |In this release, attaching the PVC takes a long time. As a result, some pods that use persistent volumes (PVs) come up slowly after the host reboots. |A workaround is to restart the nodepool VM by connecting via the Windows PowerShell interface of the device. |

+## Next steps

+- [Update your device](azure-stack-edge-gpu-install-update.md)

+- Device software version: Azure Stack Edge 2309 (3.2.2380.1652)

+- Device Kubernetes version: Azure Stack Kubernetes Edge 2309 (3.2.2380.1652)

+- Kubernetes server version: v1.25.5

+- Azure Arc version: 1.11.7

+- GPU driver version: 530.30.02

+- CUDA version: 12.1

+For information on what's new in this update, go to [Release notes](azure-stack-edge-gpu-2309-release-notes.md).

+**To apply the 2309 update, your device must be running version 2203 or later.**

+- You can update to 2203 from 2207 or later, and then install 2309.

+From the local UI, you will have to run each update separately: update the device version to 2303, update Kubernetes version to 2210, update Kubernetes version to 2303, and then the third update gets both the device version and Kubernetes version to 2309.

+To ensure that resources are available for customers, Microsoft Dev Box has a limit on the number of each type of resource that can be used in a subscription. This limit is called a quota.

+az devcenter dev dev-box stop --name <YourDevBoxName> --dev-center-name <YourDevCenterName> --project-name <YourProjectName> --user-id "me" --hibernate true

+* Disaster Recovery\*

+(\*) Certain regions are restricted in supporting customer scenarios for disaster recovery. Please check the [Reliability in Azure Data Manager for Energy](reliability-energy-data-services.md) for more details on the regions which support disaster recovery.

+Disaster Recovery |No| Yes\*

+(\*) Certain regions are restricted in supporting customer scenarios for disaster recovery. Please check the [Reliability in Azure Data Manager for Energy](reliability-energy-data-services.md) for more details on the regions which support disaster recovery.

+> [!IMPORTANT]

+> Disaster recovery is currently not available in Brazil South region. For more information please contact your Microsoft sales or customer representative.

+You can easily create a Developer tier resource by going to Azure Marketplace, [create portal](https://portal.azure.com/#create/Microsoft.AzureDataManagerforEnergy), and select your desired tier.

+| Brazil South | |

+Below is the list of primary and secondary regions for regions where disaster recovery is supported:

+> [!IMPORTANT]

+> In the following regions, disaster recovery is not available. For more information please contact your Microsoft sales or customer representative.

+> 1. Brazil South

+> [Reliability in Azure](../reliability/availability-zones-overview.md)

+Topic spaces are used to simplify access control management by enabling you to scope publish or subscribe access for a client group, to a group of topics at once instead of managing access for each individual topic. To publish or subscribe to any MQTT topic, you need to:

+ New-AzExpressRouteCircuit -Name $Name -ResourceGroupName $RGName -Location $Location -SkuTier $SkuTier -SkuFamily $SkuFamily -BandwidthInGbps $BandwidthInGbps -ExpressRoutePort $ERPort -AuthorizationKey $ERDirectAuthorization.AuthorizationKey

+ Title: Deploy and configure Azure Firewall in a hybrid network by using the Azure portal

+description: In this article, you learn how to deploy and configure Azure Firewall by using the Azure portal.

+# Deploy and configure Azure Firewall in a hybrid network by using the Azure portal

+You can use Azure Firewall to control network access in a hybrid network by using rules that define allowed and denied network traffic.

+- **VNet-Hub**: The firewall is in this virtual network.

+- **VNet-Spoke**: The spoke virtual network represents the workload located on Azure.

+- **VNet-Onprem**: The on-premises virtual network represents an on-premises network. In an actual deployment, you can connect to it by using either a virtual private network (VPN) connection or an Azure ExpressRoute connection. For simplicity, this article uses a VPN gateway connection, and an Azure-located virtual network represents an on-premises network.

+

+If you want to use Azure PowerShell instead to complete the procedures in this article, see [Deploy and configure Azure Firewall in a hybrid network by using Azure PowerShell](tutorial-hybrid-ps.md).

+> This article uses classic Azure Firewall rules to manage the firewall. The preferred method is to use an [Azure Firewall Manager policy](../firewall-manager/policy-overview.md). To complete this procedure by using an Azure Firewall Manager policy, see [Tutorial: Deploy and configure Azure Firewall and policy in a hybrid network using the Azure portal](tutorial-hybrid-portal-policy.md).

+A hybrid network uses the hub-and-spoke architecture model to route traffic between Azure virtual networks and on-premises networks. The hub-and-spoke architecture has the following requirements:

+- Set **Use this virtual network's gateway or Route Server** when you're peering **VNet-Hub** to **VNet-Spoke**. In a hub-and-spoke network architecture, a gateway transit allows the spoke virtual networks to share the VPN gateway in the hub, instead of deploying VPN gateways in every spoke virtual network.

+ Additionally, routes to the gateway-connected virtual networks or on-premises networks automatically propagate to the routing tables for the peered virtual networks via the gateway transit. For more information, see [Configure VPN gateway transit for virtual network peering](../vpn-gateway/vpn-gateway-peering-gateway-transit.md).

+- Set **Use the remote virtual network's gateways or Route Server** when you peer **VNet-Spoke** to **VNet-Hub**. If **Use the remote virtual network's gateways or Route Server** is set and **Use this virtual network's gateway or Route Server** on remote peering is also set, the spoke virtual network uses gateways of the remote virtual network for transit.

+- To route the spoke subnet traffic through the hub firewall, you can use a user-defined route (UDR) that points to the firewall with the **Virtual network gateway route propagation** option disabled. Disabling this option prevents route distribution to the spoke subnets, so learned routes can't conflict with your UDR. If you want to keep **Virtual network gateway route propagation** enabled, make sure that you define specific routes to the firewall to override routes that are published from on-premises over Border Gateway Protocol (BGP).

+- Configure a UDR on the hub gateway subnet that points to the firewall IP address as the next hop to the spoke networks. No UDR is required on the Azure Firewall subnet, because it learns routes from BGP.

+The [Create the routes](#create-the-routes) section later in this article shows how to create these routes.

+Azure Firewall must have direct internet connectivity. If your **AzureFirewallSubnet** subnet learns a default route to your on-premises network via BGP, you must override it by using a 0.0.0.0/0 UDR with the `NextHopType` value set as `Internet` to maintain direct internet connectivity.

+> [!NOTE]

+> You can configure Azure Firewall to support forced tunneling. For more information, see [Azure Firewall forced tunneling](forced-tunneling.md).

+Traffic between directly peered virtual networks is routed directly, even if a UDR points to Azure Firewall as the default gateway. To send subnet-to-subnet traffic to the firewall in this scenario, a UDR must contain the target subnet network prefix explicitly on both subnets.

+1. On the Azure portal home page, select **Resource groups** > **Create**.

+1. For **Subscription**, select your subscription.

+1. For **Resource group**, enter **RG-fw-hybrid-test**.

+1. For **Region**, select a region. All resources that you create later must be in the same region.

+1. Select **Review + Create**.

+1. Select **Create**.

+Now, create the virtual network.

+> The size of the **AzureFirewallSubnet** subnet is /26. For more information about the subnet size, see [Azure Firewall FAQ](firewall-faq.yml#why-does-azure-firewall-need-a--26-subnet-size).

+1. On the Azure portal home page, select **Create a resource**.

+1. In the search box, enter **virtual network**.

+1. Select **Virtual network**, and then select **Create**.

+1. For **Virtual network name**, enter **VNet-Hub**.

+1. For **Region**, select the region that you used previously.

+1. For **IPv4 Address space**, delete the default address and enter **10.5.0.0/16**.

+1. Under **Subnets**, delete the default subnet.

+1. On the **Add a subnet** page, for **Subnet template**, select **Azure Firewall**.

+Create a second subnet for the gateway:

+1. For **Starting address**, accept the default value of **10.5.1.0**.

+1. For **Subnet size**, accept the default value of **/27**.

+1. On the Azure portal home page, select **Create a resource**.

+1. In the search box, enter **virtual network**.

+1. Select **Virtual network**, and then select **Create**.

+1. For **Resource group**, select **RG-fw-hybrid-test**.

+1. For **Name**, enter **VNet-Spoke**.

+1. For **Region**, select the region that you used previously.

+1. For **IPv4 Address space**, delete the default address and enter **10.6.0.0/16**.

+1. Under **Subnets**, delete the default subnet.

+1. For **Name**, enter **SN-Workload**.

+1. For **Starting address**, accept the default value of **10.6.0.0**.

+1. For **Subnet size**, accept the default value of **/24**.

+1. On the Azure portal home page, select **Create a resource**.

+1. In the search box, enter **virtual network**.

+1. Select **Virtual network**, and then select **Create**.

+1. For **Resource group**, select **RG-fw-hybrid-test**.

+1. For **Name**, enter **VNet-Onprem**.

+1. For **Region**, select the region that you used previously.

+1. For **IPv4 Address space**, delete the default address and enter **192.168.0.0/16**.

+1. Under **Subnets**, delete the default subnet.

+1. For **Name**, enter **SN-Corp**.

+1. For **Starting address**, accept the default value of **192.168.0.0**.

+1. For **Subnet size**, accept the default value of **/24**.

+Now, create a second subnet for the gateway:

+1. For **Starting address**, accept the default value of **192.168.1.0**.

+1. For **Subnet size**, accept the default value of **/27**.

+Deploy the firewall into the firewall hub's virtual network:

+1. On the Azure portal home page, select **Create a resource**.

+1. In the search box, enter **firewall**.

+1. Select **Firewall**, and then select **Create**.

+ |**Subscription**| Select your subscription.|

+ |**Resource group**|Enter **RG-fw-hybrid-test**. |

+ |**Name**|Enter **AzFW01**.|

+ |**Region**|Select the region that you used before.|

+ |**Firewall SKU** |Select **Standard**.|

+ |**Firewall management**|Select **Use Firewall rules (classic) to manage this firewall**.|

+ |**Choose a virtual network**|Select **Use existing** > **VNet-Hub**.|

+ |**Public IP address**|Select **Add new** > **fw-pip**. |

+1. Select **Review + create**.

+1. Review the summary, and then select **Create** to create the firewall.

+ The firewall takes a few minutes to deploy.

+1. After deployment finishes, go to the **RG-fw-hybrid-test** resource group and select the **AzFW01** firewall.

+1. Note the private IP address. You use it later when you create the default route.

+First, add a network rule to allow web traffic:

+1. On the **AzFW01** page, select **Rules (classic)**.

+1. Select the **Network rule collection** tab.

+1. Select **Add network rule collection**.

+1. For **Name**, enter **RCNet01**.

+1. For **Priority**, enter **100**.

+1. For **Rule collection action**, select **Allow**.

+1. Under **Rules IP Addresses**, for **Name**, enter **AllowWeb**.

+1. For **Protocol**, select **TCP**.

+1. For **Source**, enter **192.168.0.0/24**.

+1. For **Destination Address**, enter **10.6.0.0/16**.

+1. For **Destination Ports**, enter **80**.

+Now, add a rule to allow RDP traffic. On the second rule row, enter the following information:

+1. For **Name**, enter **AllowRDP**.

+1. For **Source**, enter **192.168.0.0/24**.

+1. For **Destination Address**, enter **10.6.0.0/16**.

+1. For **Destination Ports**, enter **3389**.

+Create the VPN gateway for the hub virtual network. Network-to-network configurations require a route-based VPN type. Creating a VPN gateway can often take 45 minutes or more, depending on the SKU that you select.

+1. On the Azure portal home page, select **Create a resource**.

+1. In the search box, enter **virtual network gateway**.

+1. Select **Virtual network gateway**, and then select **Create**.

+1. For **Name**, enter **GW-hub**.

+1. For **Region**, select the same region that you used previously.

+1. For **Gateway type**, select **VPN**.

+1. For **VPN type**, select **Route-based**.

+1. For **SKU**, select **Basic**.

+1. For **Virtual network**, select **VNet-Hub**.

+1. For **Public IP address**, select **Create new** and enter **VNet-Hub-GW-pip** for the name.

+1. Accept the remaining defaults, and then select **Review + create**.

+1. Review the configuration, and then select **Create**.

+Create the VPN gateway for the on-premises virtual network. Network-to-network configurations require a route-based VPN type. Creating a VPN gateway can often take 45 minutes or more, depending on the SKU that you select.

+1. On the Azure portal home page, select **Create a resource**.

+1. In the search box, enter **virtual network gateway**.

+1. Select **Virtual network gateway**, and then select **Create**.

+1. For **Name**, enter **GW-Onprem**.

+1. For **Region**, select the same region that you used previously.

+1. For **Gateway type**, select **VPN**.

+1. For **VPN type**, select **Route-based**.

+1. For **SKU**, select **Basic**.

+1. For **Virtual network**, select **VNet-Onprem**.

+1. For **Public IP address**, select **Create new** and enter **VNet-Onprem-GW-pip** for the name.

+1. Accept the remaining defaults, and then select **Review + create**.

+1. Review the configuration, and then select **Create**.

+In the following steps, you create the connection from the hub virtual network to the on-premises virtual network. The examples show a shared key, but you can use your own value for the shared key. The important thing is that the shared key must match for both connections. Creating a connection can take a short while to complete.

+1. Select **Connections** in the left column.

+1. Select **Add**.

+1. For the connection name, enter **Hub-to-Onprem**.

+1. For **Connection type**, select **VNet-to-VNet** .

+1. For **First virtual network gateway**, select **GW-hub**.

+1. For **Second virtual network gateway**, select **GW-Onprem**.

+1. For **Shared key (PSK)**, enter **AzureA1b2C3**.

+Create the virtual network connection between on-premises and the hub. The following steps are similar to the previous ones, except that you create the connection from **VNet-Onprem** to **VNet-Hub**. Make sure that the shared keys match. The connection is established after a few minutes.

+1. Select **Connections** in the left column.

+1. Select **Add**.

+1. For the connection name, enter **Onprem-to-Hub**.

+1. For **Connection type**, select **VNet-to-VNet**.

+1. Select **Next: Settings**.

+1. For **First virtual network gateway**, select **GW-Onprem**.

+1. For **Second virtual network gateway**, select **GW-hub**.

+1. For **Shared key (PSK)**, enter **AzureA1b2C3**.

+### Verify the connections

+After about five minutes, the status of both connections should be **Connected**.

+

+Now, peer the hub and spoke virtual networks:

+1. Open the **RG-fw-hybrid-test** resource group and select the **VNet-Hub** virtual network.

+1. In the left column, select **Peerings**.

+1. Select **Add**.

+1. Under **This virtual network**:

+ |**Peering link name**|Enter **HubtoSpoke**.|

+ |**Traffic to remote virtual network**|Select **Allow**.|

+ |**Traffic forwarded from remote virtual network**|Select **Allow**.|

+ |**Virtual network gateway**|Select **Use this virtual network's gateway**.|

+1. Under **Remote virtual network**:

+ |**Peering link name**|Enter **SpoketoHub**.|

+ |**Virtual network deployment model**|Select **Resource manager**.|

+ |**Subscription**|Select your subscription.|

+ |**Virtual network**|Select **VNet-Spoke**.|

+ |**Traffic to remote virtual network**|Select **Allow**.|

+ |**Traffic forwarded from remote virtual network**|Select **Allow**.|

+ |**Virtual network gateway**|Select **Use the remote virtual network's gateway**.|

+1. Select **Add**.

+The following screenshot shows the settings to use when you peer hub and spoke virtual networks:

+In the following steps, you create these routes:

+To create the routes:

+1. On the Azure portal home page, select **Create a resource**.

+1. In the search box, enter **route table**.

+1. Select **Route table**, and then select **Create**.

+1. For the resource group, select **RG-fw-hybrid-test**.

+1. For **Region**, select the same location that you used previously.

+1. For the name, enter **UDR-Hub-Spoke**.

+1. Select **Review + Create**.

+1. Select **Create**.

+1. After the route table is created, select it to open the route table page.

+1. Select **Routes** in the left column.

+1. Select **Add**.

+1. For the route name, enter **ToSpoke**.

+1. For **Destination IP addresses/CIDR ranges**, enter **10.6.0.0/16**.

+1. For the next hop type, select **Virtual appliance**.

+1. For the next hop address, enter the firewall's private IP address that you noted earlier.

+Now, associate the route to the subnet:

+1. Select **Associate**.

+1. Under **Virtual network**, select **VNet-Hub**.

+1. Select **OK**.

+Create the default route from the spoke subnet:

+1. On the Azure portal home page, select **Create a resource**.

+1. In the search box, enter **route table**.

+1. Select **Route table**, and then select **Create**.

+1. For the resource group, select **RG-fw-hybrid-test**.

+1. For **Region**, select the same location that you used previously.

+1. For the name, enter **UDR-DG**.

+1. For **Propagate gateway route**, select **No**.

+1. Select **Review + Create**.

+1. Select **Create**.

+1. After the route table is created, select it to open the route table page.

+1. Select **Routes** in the left column.

+1. Select **Add**.

+1. For the route name, enter **ToHub**.

+1. For **Destination IP addresses/CIDR ranges**, enter **0.0.0.0/0**.

+1. For the next hop type, select **Virtual appliance**.

+1. For the next hop address, enter the firewall's private IP address that you noted earlier.

+Associate the route to the subnet:

+1. Select **Associate**.

+1. Under **Virtual network**, select **VNet-Spoke**.

+1. Select **OK**.

+Create the spoke workload and on-premises virtual machines, and place them in the appropriate subnets.

+Create a virtual machine in the spoke virtual network that runs Internet Information Services (IIS) and has no public IP address:

+1. On the Azure portal home page, select **Create a resource**.

+1. Under **Popular Marketplace products**, select **Windows Server 2019 Datacenter**.

+1. Enter these values for the virtual machine:

+ - **Resource group**: Select **RG-fw-hybrid-test**.

+ - **Virtual machine name**: Enter **VM-Spoke-01**.

+ - **Region**: Select the same region that you used previously.

+ - **User name**: Enter a username.

+ - **Password**: Enter a password.

+1. For **Public inbound ports**, select **Allow selected ports**, and then select **HTTP (80)** and **RDP (3389)**.

+1. Select **Next: Disks**.

+1. Accept the defaults and select **Next: Networking**.

+1. For the virtual network, select **VNet-Spoke**. The subnet is **SN-Workload**.

+1. For **Public IP**, select **None**.

+1. Select **Next: Management**.

+1. Select **Next: Monitoring**.

+1. For **Boot diagnostics**, select **Disable**.

+1. On the Azure portal, open Azure Cloud Shell and make sure that it's set to **PowerShell**.

+1. Run the following command to install IIS on the virtual machine, and change the location if necessary:

+Create a virtual machine that you use to connect via remote access to the public IP address. From there, you can connect to the spoke server through the firewall.

+1. On the Azure portal home page, select **Create a resource**.

+1. Under **Popular**, select **Windows Server 2019 Datacenter**.

+1. Enter these values for the virtual machine:

+ - **Resource group**: Select **Existing**, and then select **RG-fw-hybrid-test**.

+ - **Virtual machine name**: Enter **VM-Onprem**.

+ - **Region**: Select the same region that you used previously.

+ - **User name**: Enter a username.

+ - **Password**: Enter a user password.

+1. For **Public inbound ports**, select **Allow selected ports**, and then select **RDP (3389)**.

+1. Select **Next: Disks**.

+1. Accept the defaults and select **Next: Networking**.

+1. For the virtual network, select **VNet-Onprem**. The subnet is **SN-Corp**.

+1. Select **Next: Management**.

+1. Select **Next: Monitoring**.

+1. For **Boot diagnostics**, select **Disable**.

+1. Note the private IP address for the **VM-Spoke-01** virtual machine.

+1. On the Azure portal, connect to the **VM-Onprem** virtual machine.

+1. Open a web browser on **VM-Onprem**, and browse to `http://<VM-Spoke-01 private IP>`.

+ The **VM-Spoke-01** webpage should open.

+ 

+1. From the **VM-Onprem** virtual machine, open a remote access connection to **VM-Spoke-01** at the private IP address.

+ Your connection should succeed, and you should be able to sign in.

+Now that you've verified that the firewall rules are working, you can:

+- Browse to the web server on the spoke virtual network.

+- Connect to the server on the spoke virtual network by using RDP.

+Next, change the action for the collection of firewall network rules to **Deny**, to verify that the firewall rules work as expected:

+3. Select the **Network rule collection** tab, and select the **RCNet01** rule collection.

+Close any existing remote access connections. Run the tests again to test the changed rules. They should all fail this time.

+You can keep your firewall resources for further testing. If you no longer need them, delete the **RG-fw-hybrid-test** resource group to delete all firewall-related resources.

+[Monitor Azure Firewall logs](./firewall-diagnostics.md)

+ Title: Deploy and configure Azure Firewall in a hybrid network by using PowerShell

+description: In this article, you learn how to deploy and configure Azure Firewall by using Azure PowerShell.

+# Deploy and configure Azure Firewall in a hybrid network by using Azure PowerShell

+You can use Azure Firewall to control network access in a hybrid network by using rules that define allowed and denied network traffic.

+- **VNet-Hub**: The firewall is in this virtual network.

+- **VNet-Spoke**: The spoke virtual network represents the workload located on Azure.

+- **VNet-Onprem**: The on-premises virtual network represents an on-premises network. In an actual deployment, you can connect to it by using either a virtual private network (VPN) connection or an Azure ExpressRoute connection. For simplicity, this article uses a VPN gateway connection, and an Azure-located virtual network represents an on-premises network.

+

+If you want to use the Azure portal instead to complete the procedures in this article, see [Deploy and configure Azure Firewall in a hybrid network by using the Azure portal](tutorial-hybrid-portal.md).

+This article requires that you run PowerShell locally. You must have the Azure PowerShell module installed. Run `Get-Module -ListAvailable Az` to find the version. If you need to upgrade, see [Install the Azure PowerShell module](/powershell/azure/install-azure-powershell). After you verify the PowerShell version, run `Login-AzAccount` to create a connection with Azure.

+- A user-defined route (UDR) on the spoke subnet that points to the Azure Firewall IP address as the default gateway. Virtual network gateway route propagation must be *disabled* on this route table.

+ No UDR is required on the Azure Firewall subnet, because it learns routes from Border Gateway Protocol (BGP).

+- Be sure to set `AllowGatewayTransit` when you're peering **VNet-Hub** to **VNet-Spoke**. Set `UseRemoteGateways` when you're peering **VNet-Spoke** to **VNet-Hub**.

+The [Create the routes](#create-the-routes) section later in this article shows how to create these routes.

+>Azure Firewall must have direct internet connectivity. If your **AzureFirewallSubnet** subnet learns a default route to your on-premises network via BGP, you must configure Azure Firewall in forced tunneling mode. If this is an existing Azure Firewall instance that can't be reconfigured in forced tunneling mode, we recommend that you add a 0.0.0.0/0 UDR on the **AzureFirewallSubnet** subnet with the `NextHopType` value set as `Internet` to maintain direct internet connectivity.

+Traffic between directly peered virtual networks is routed directly, even if a UDR points to Azure Firewall as the default gateway. To send subnet-to-subnet traffic to the firewall in this scenario, a UDR must contain the target subnet network prefix explicitly on both subnets.

+To review the related Azure PowerShell reference documentation, see [New-AzFirewall](/powershell/module/az.network/new-azfirewall).

+The following example declares the variables by using the values for this article. In some cases, you might need to replace some values with your own to work in your subscription. Modify the variables if needed, and then copy and paste them into your PowerShell console.

+# Variables for the firewall hub virtual network

+$VNetnameHub = "VNet-Hub"

+$GWHubpipName = "VNet-Hub-GW-pip"

+Create the firewall hub virtual network:

+Request a public IP address to be allocated to the VPN gateway that you'll create for your virtual network. Notice that the `AllocationMethod` value is `Dynamic`. You can't specify the IP address that you want to use. It's dynamically allocated to your VPN gateway.

+```azurepowershell

+$gwpip1 = New-AzPublicIpAddress -Name $GWHubpipName -ResourceGroupName $RG1 `

+-Location $Location1 -AllocationMethod Dynamic

+Create the on-premises virtual network:

+Request a public IP address to be allocated to the gateway that you'll create for the virtual network. Notice that the `AllocationMethod` value is `Dynamic`. You can't specify the IP address that you want to use. It's dynamically allocated to your gateway.

+```azurepowershell

+$gwOnprempip = New-AzPublicIpAddress -Name $GWOnprempipName -ResourceGroupName $RG1 `

+-Location $Location1 -AllocationMethod Dynamic

+Now, deploy the firewall into the hub virtual network:

+# Get a public IP for the firewall

+Configure network rules:

+$Rule3 = New-AzFirewallNetworkRule -Name "AllowPing" -Protocol ICMP -SourceAddress $SNOnpremPrefix `

+ -DestinationAddress $VNetSpokePrefix -DestinationPort

+Create the VPN gateway configuration for the hub virtual network. The VPN gateway configuration defines the subnet and the public IP address to use.

+```azurepowershell

+$vnet1 = Get-AzVirtualNetwork -Name $VNetnameHub -ResourceGroupName $RG1

+$subnet1 = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet1

+$gwipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name $GWIPconfNameHub `

+-Subnet $subnet1 -PublicIpAddress $gwpip1

+```

+Now, create the VPN gateway for the hub virtual network. Network-to-network configurations require a `VpnType` value of `RouteBased`. Creating a VPN gateway can often take 45 minutes or more, depending on the SKU that you select.

+Create the VPN gateway configuration for the on-premises virtual network. The VPN gateway configuration defines the subnet and the public IP address to use.

+```azurepowershell

+-Subnet $subnet2 -PublicIpAddress $gwOnprempip

+```

+Now, create the VPN gateway for the on-premises virtual network. Network-to-network configurations require a `VpnType` value of `RouteBased`. Creating a VPN gateway can often take 45 minutes or more, depending on the SKU that you select.

+Create the VPN connections between the hub and on-premises gateways.

+In this step, you create the connection from the hub virtual network to the on-premises virtual network. The examples show a shared key, but you can use your own values for the shared key. The important thing is that the shared key must match for both connections. Creating a connection can take a short while to complete.

+Create the virtual network connection from on-premises to the hub. This step is similar to the previous one, except that you create the connection from **VNet-Onprem** to **VNet-Hub**. Make sure that the shared keys match. The connection is established after a few minutes.

+```azurepowershell

+New-AzVirtualNetworkGatewayConnection -Name $ConnectionNameOnprem -ResourceGroupName $RG1 `

+-VirtualNetworkGateway1 $vnetOnpremgw -VirtualNetworkGateway2 $vnetHubgw -Location $Location1 `

+-ConnectionType Vnet2Vnet -SharedKey 'AzureA1b2C3'

+```

+You can verify a successful connection by using the `Get-AzVirtualNetworkGatewayConnection` cmdlet, with or without `-Debug`.

+Use the following cmdlet example, but configure the values to match your own. If you're prompted, select `A` to run `All`. In the example, `-Name` refers to the name of the connection that you want to test.

+After the cmdlet finishes, view the values. The following example shows a connection status of `Connected`, along with ingress and egress bytes:

+```output

+Now, peer the hub and spoke virtual networks:

+Use the following commands to create these routes:

+#Now, create the default route

+Create the spoke workload and on-premises virtual machines, and place them in the appropriate subnets.

+Create a virtual machine in the spoke virtual network that runs Internet Information Services (IIS), has no public IP address, and allows pings in. When you're prompted, enter a username and password for the virtual machine.

+#Create a host firewall rule to allow pings in

+ -Location $Location1

+```

+Create a simple virtual machine that you can use to connect via remote access to the public IP address. From there, you can connect to the on-premises server through the firewall. When you're prompted, enter a username and password for the virtual machine.

+1. Get and then note the private IP address for the **VM-spoke-01** virtual machine:

+ ```azurepowershell

+ $NIC.IpConfigurations.privateipaddress

+ ```

+1. From the Azure portal, connect to the **VM-Onprem** virtual machine.

+1. Open a Windows PowerShell command prompt on **VM-Onprem**, and ping the private IP for **VM-spoke-01**. You should get a reply.

+1. Open a web browser on **VM-Onprem**, and browse to `http://<VM-spoke-01 private IP>`. The IIS default page should open.

+1. From **VM-Onprem**, open a remote access connection to **VM-spoke-01** at the private IP address. Your connection should succeed, and you should be able to sign in by using your chosen username and password.

+Now that you've verified that the firewall rules are working, you can:

+- Ping the server on the spoke virtual network.

+- Browse to web server on the spoke virtual network.

+- Connect to the server on the spoke virtual network by using RDP.

+Next, run the following script to change the action for the collection of firewall network rules to `Deny`:

+Close any existing remote access connections. Run the tests again to test the changed rules. They should all fail this time.

+You can keep your firewall resources for the next tutorial. If you no longer need them, delete the **FW-Hybrid-Test** resource group to delete all firewall-related resources.

+[Monitor Azure Firewall logs](./firewall-diagnostics.md)

+| X-Azure-FDID | *X-Azure-FDID: 55ce4ed1-4b06-4bf1-b40e-4638452104da* <br/> A reference string that identifies the request came from a specific Front Door resource. The value can be seen in the Azure portal or retrieved using the management API. You can use this header in combination with IP ACLs to lock down your endpoint to only accept requests from a specific Front Door resource. See the FAQ for [more detail](front-door-faq.yml#what-are-the-steps-to-restrict-the-access-to-my-backend-to-only-azure-front-door-) |

+We recommend you ensure only Azure Front Door edges can communicate with your web application. Doing so will ensure no one can bypass the Azure Front Door protection and access your application directly. To accomplish this lockdown, see [How do I lock down the access to my backend to only Azure Front Door?](./front-door-faq.yml#what-are-the-steps-to-restrict-the-access-to-my-backend-to-only-azure-front-door-).

+Azure Resource Graph gives the ability to query at scale with complex filtering, grouping and sorting. Azure Resource Graph supports the policy resources table, which contains policy resources such as definitions, assignments and exemptions. Review our [sample queries.](../../resource-graph/samples/samples-by-table.md#policyresources)

+The Resource Graph explorer portal experience allows downloads of query results to CSV using the ["Download to CSV"](../../resource-graph/first-query-portal.md#download-query-results-as-a-csv-file) toolbar option.

+With export, data is exported in multiple files each containing resources of only one type. The number of resources in an individual file will be limited. The maximum number of resources is based on system performance. It is currently set to 5,000, but can change. The result is that you may get multiple files for a resource type, which will be enumerated (for example, `Patient-1.ndjson`, `Patient-2.ndjson`).

+ Title: Data encryption in Device Update for Azure IoT Hub

+description: Understand how Device Update for IoT Hub encrypts data.

+# Data encryption for Device Update for IoT Hub

+Device Update for IoT Hub provides data protection through encryption at rest and in-transit as it's written in the datastores; the data is encrypted when read and decrypted when written.

+Data in a new Device Update account is encrypted with Microsoft-managed keys by default.

+Device Update also supports use of your own encryption keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Customer-managed keys offer greater flexibility to manage access controls.

+You must use one of the following Azure key stores to store your customer-managed keys:

+- Azure Key Vault

+- Azure Key Vault Managed Hardware Security Module (HSM)

+You can either create your own keys and store them in the key vault or managed HSM, or you can use the Azure Key Vault APIs to generate keys. The CMK is then used for all the instances in the Device Update account.

+> [!NOTE]

+> This capability requires the creation of a new Device Update Account and Instance ΓÇô Standard SKU. This is not available for the free SKU of Device update.

+ In Azure, [availability zones](../reliability/availability-zones-overview.md#zonal-and-zone-redundant-services) provide resiliency, distributed availability, and active-active-active zone scalability. To increase availability for your logic app workloads, you can [enable availability zone support](./set-up-zone-redundancy-availability-zones.md), but only when you create your logic app. You'll need at least three separate availability zones in any Azure region that supports and enables zone redundancy. The Azure Logic Apps platform distributes these zones and logic app workloads across these zones. This capability is a key requirement for enabling resilient architectures and providing high availability if datacenter failures happen in a region. For more information, see [Build solutions for high availability using availability zones](/azure/architecture/high-availability/building-solutions-for-high-availability).

+- Component definition `is_deterministic` = true

+For managed online endpoints, Azure Machine Learning reserves 20% of your compute resources for performing upgrades on some VM SKUs. If you request a given number of instances in a deployment, you must have a quota for `ceil(1.2 * number of instances requested for deployment) * number of cores for the VM SKU` available to avoid getting an error. For example, if you request 10 instances of a [Standard_DS3_v2](/azure/virtual-machines/dv2-dsv2-series) VM (that comes with 4 cores) in a deployment, you should have a quota for 48 cores (`12 instances * 4 cores`) available. To view your usage and request quota increases, see [View your usage and quotas in the Azure portal](how-to-manage-quotas.md#view-your-usage-and-quotas-in-the-azure-portal).

+Azure Machine Learning provides a [shared quota](how-to-manage-quotas.md#azure-machine-learning-shared-quota) pool from which all users can access quota to perform testing for a limited time. When you use the studio to deploy Llama models (from the model catalog) to a managed online endpoint, Azure Machine Learning allows you to access this shared quota for a short time.

+To deploy a _Llama-2-70b_ or _Llama-2-70b-chat_ model, however, you must have an [Enterprise Agreement subscription](/azure/cost-management-billing/manage/create-enterprise-subscription) before you can deploy using the shared quota. For more information on how to use the shared quota for online endpoint deployment, see [How to deploy foundation models using the studio](how-to-use-foundation-models.md#deploying-using-the-studio).

+If you're deploying a Llama model from the model catalog but don't have enough quota available for the deployment, Azure Machine Learning allows you to use quota from a shared quota pool for a limited time. For _Llama-2-70b_ and _Llama-2-70b-chat_ model deployment, access to the shared quota is available only to customers with [Enterprise Agreement subscriptions](/azure/cost-management-billing/manage/create-enterprise-subscription). For more information on shared quota, see [Azure Machine Learning shared quota](how-to-manage-quotas.md#azure-machine-learning-shared-quota).

+> This docker image should be built from prompt flow base image that is `mcr.microsoft.com/azureml/promptflow/promptflow-runtime-stable:<newest_version>`. If possible use the [latest version of the base image](https://mcr.microsoft.com/v2/azureml/promptflow/promptflow-runtime/tags/list).

+image = ImageSettings(reference='mcr.microsoft.com/azureml/promptflow/promptflow-runtime-stable:<newest_version>')

+- [Develop a chat flow](how-to-develop-a-chat-flow.md)

+ git clone https://github.com/<user-name>/llmops-gha-demo

+ Title: Building resilient applications

+description: Learn about best practices for high availability and disaster recovery for Azure Managed Instance for Apache Cassandra

+keywords: azure high availability disaster recovery cassandra resiliency

+# Best practices for high availability and disaster recovery

+Azure Managed Instance for Apache Cassandra provides automated deployment and scaling operations for managed open-source Apache Cassandra datacenters. Apache Cassandra is a great choice for building highly resilient applications due to it's distributed nature and masterless architecture ΓÇô any node in the database can provide the exact same functionality as any other node ΓÇô contributing to CassandraΓÇÖs robustness and resilience. This article provides tips on how to optimize high availability and how to approach disaster recover.

+## Availability zones

+Cassandra's masterless architecture brings fault tolerance from the ground up, and Azure Managed Instance for Apache Cassandra provides support for [availability zones](../availability-zones/az-overview.md#azure-regions-with-availability-zones) in selected regions to enhance resiliency at the infrastructure level. Given a replication factor of 3, availability zone support ensures that each replica is in a different availability zone, thus preventing a zonal outage from impacting your database/application. We recommend enabling availability zones where possible.

+## Multi-region redundancy

+Cassandra's architecture, coupled with Azure availability zones support, gives you some level of fault tolerance and resiliency. However, it's important to consider the impact of regional outages for your applications. We highly recommend deploying [multi region clusters](create-multi-region-cluster.md) to safeguard against region level outages. Although they are rare, the potential impact is severe.

+For business continuity, it is not sufficient to only make the database multi-region. Other parts of your application also need to be deployed in the same manner either by being distributed, or with adequate mechanisms to fail over. If your users are spread across many geo locations, a multi-region data center deployment for your database has the added benefit of reducing latency, since all nodes in all data centers across the cluster can then serve both reads and writes from the region that is closest to them. However, if the application is configured to be "active-active", it's important to consider how [CAP theorem](https://cassandra.apache.org/doc/latest/cassandra/architecture/guarantees.html#what-is-cap) applies to the consistency of your data between replicas (nodes), and the trade-offs required to delivery high availability.

+In CAP theorem terms, Cassandra is by default an AP (Available Partition-tolerant) database system, with highly [tunable consistency](https://cassandra.apache.org/doc/4.1/cassandra/architecture/dynamo.html#tunable-consistency). For most use cases, we recommend using local_quorum for reads.

+- In active-passive for writes there's a trade-off between reliability and performance: for reliability we recommend QUORUM_EACH but for most users LOCAL_QUORUM or QUORUM is a good compromise. Note however that in the case of a regional outage, some writes might be lost in LOCAL_QUORUM.

+- In the case of an application being run in parallel QUORUM_EACH writes are preferred for most cases to ensure consistency between the two data centers.

+- If your goal is to favor consistency (lower RPO) rather than latency or availability (lower RTO), this should be reflected in your consistency settings and replication factor. As a rule of thumb, the number of quorum nodes required for a read plus the number of quorum nodes required for a write should be greater than the replication factor. For example, if you have a replication factor of 3, and quorum_one on reads (1 node), you should do quorum_all on writes (3 nodes), so that the total of 4 is greater than the replication factor of 3.

+## Replication

+We recommend auditing `keyspaces` and their replication settings from time to time to ensure the required replication between data centers has been configured. In the early stages of development, we recommend testing that everything works as expected by doing simple tests using `cqlsh`. For example, inserting a value while connected to one data center and reading it from the other.

+In particular, when setting up a second data center where an existing data center already has data, it's important to determine that all the data has been replicated and the system is ready. We recommend monitoring replication progress through our [DBA commands with `nodetool netstats`](dba-commands.md#how-to-run-a-nodetool-command). An alternate approach would be to count the rows in each table, but keep in mind that with big data sizes, due to the distributed nature of Cassandra, this can only give a rough estimate.

+## Balancing the cost of disaster recovery

+If your application is "active-passive", we still generally recommend that you deploy the same capacity in each region so that your application can fail over instantly to a "hot standby" data center in a secondary region. This ensures no performance degradation in the case of a regional outage. Most Cassandra [client drivers](https://cassandra.apache.org/doc/latest/cassandra/getting_started/drivers.html) provide options to initiate application level failover. By default, they assume regional outage means that the application is also down, in which case failover should happen at the load balancer level.

+However, to reduce the cost of provisioning a second data center, you may prefer to deploy a smaller SKU, and fewer nodes, in your secondary region. When an outage occurs, scaling up is made easier in Azure Managed Instance for Apache Cassandra by [turnkey vertical and horizontal scaling](create-cluster-portal.md#scale-a-datacenter). While your applications failover to your secondary region, you can manually [scale out](create-cluster-portal.md#horizontal-scale) and [scale up](create-cluster-portal.md#vertical-scale) the nodes in your secondary data center. In this case, your secondary data center acts as a lower cost warm standby. Taking this approach would need to be balanced against the time required to restore your system to full capacity in the event of an outage. It's important to test and practice what happens when a region is lost.

+ > [!NOTE]

+ > Scaling up nodes is much faster than scaling out. Keep this in mind when considering the balance between vertical and horizontal scale, and the number of nodes to deploy in your cluster.

+## Backup schedules

+Backups are automatic in Azure Managed Instance for Apache Cassandra, but you can pick your own schedule for the daily backups. We recommend choosing times with less load. Though backups are configured to only consume idle CPU, they can in some circumstances trigger [compactions](https://cassandra.apache.org/doc/latest/cassandra/operating/compaction/https://docsupdatetracker.net/index.html) in Cassandra, which can lead to an increase in CPU usage. Compactions can happen anytime with Cassandra, and depend on workload and chosen compaction strategy.

+ > [!IMPORTANT]

+ > The intention of backups is purely to mitigate accidental data loss or data corruption. We do **not** recommend backups as a disaster recovery strategy. Backups are not geo-redundant, and even if they were, it can take a very long time to recover a database from backups. Therefore, we strongly recommend a multi-region deployments, coupled with enabling availability zones where possible, to mitigate against disaster scenarios, and to be able to recover effectively from them. This is particularly important in the rare scenarios where the failed region cannot be covered, where without multi-region replication, all data may be lost.

+ :::image type="content" source="./media/resilient-applications/backup.png" alt-text="Screenshot of backup schedule configuration page." lightbox="./media/resilient-applications/backup.png" border="true":::

+## Next steps

+In this article, we laid out some best practices for building resilient applications with Cassandra.

+> [!div class="nextstepaction"]

+> [Create a cluster using Azure Portal](create-cluster-portal.md)

+ --connection-name myConnection \

+ --location location

+ Title: Azure Private 5G Core 2308 release notes

+description: Discover what's new in the Azure Private 5G Core 2308 release

+# Azure Private 5G Core 2308 release notes

+The following release notes identify the new features, critical open issues, and resolved issues for the 2308 release of Azure Private 5G Core (AP5GC). The release notes are continuously updated, with critical issues requiring a workaround added as theyΓÇÖre discovered. Before deploying this new version, review the information contained in these release notes.

+This article applies to the AP5GC 2308 release (2308.0-4). This release is compatible with the Azure Stack Edge Pro 1 GPU and Azure Stack Edge Pro 2 running the ASE 2303 and ASE 2309 releases and is supported by the 2023-06-01 and 2022-11-01 [Microsoft.MobileNetwork](/rest/api/mobilenetwork) API versions.

+For more details about compatibility, see [Packet core and Azure Stack Edge compatibility](azure-stack-edge-packet-core-compatibility.md).

+With this release, there's a new naming scheme and Packet Core versions are now called ΓÇÿ2308.0-1ΓÇÖ rather than ΓÇÿPMN-2308.ΓÇÖ

+> [!WARNING]

+> For this release, it's important that the packet core version is upgraded to the AP5GC 2308 release before the upgrading to the ASE 2309 release. Upgrading to ASE 2309 before upgrading to Packet Core 2308.0.1 causes a total system outage. Recovery requires you to delete and re-create the AKS cluster on your ASE.

+## Support lifetime

+Packet core versions are supported until two subsequent versions have been released (unless otherwise noted), which is typically two months after the release date. You should plan to upgrade your packet core in this time frame to avoid losing support.

+### Currently supported packet core versions

+The following table shows the support status for different Packet Core releases.

+| Release | Support Status |

+||-|

+| AP5GC 2308 | Supported until AP5GC 2311 released |

+| AP5GC 2307 | Supported until AP5GC 2310 released |

+| AP5GC 2306 and earlier | Out of Support |

+## What's new

+### 10 DNs

+In this release, the number of supported data networks (DNs) increases from three to 10, including with layer 2 traffic separation. If more than 6 DNs are required, a shared switch for access and core traffic is needed.

+To add a data network to your packet core, see [Modify a packet core instance](modify-packet-core.md).

+### Default MTU values

+In this release, the default MTU values are changed as follows:

+- UE MTU: 1440 (was 1300)

+- Access MTU: 1500 (was 1500)

+- Data MTU: 1440 (was 1500)

+Customers upgrading to 2308 see a change in the MTU values on their packet core.

+When the UE MTU is set to any valid value (see API Spec), then the other MTUs are set to:

+- Access MTU: UE MTU + 60

+- Data MTU: UE MTU

+

+Rollbacks to Packet Core versions earlier than 2308 are not possible if the UE MTU field is changed following an upgrade.

+To change the UE MTU signaled by the packet core, see [Modify a packet core instance](modify-packet-core.md).

+### MTU Interop setting

+In this release the MTU Interop setting is deprecated and can't be set for Packet Core versions 2308 and above.

+<!-- Removed as no issues fixed in the AP5GC2308 release>

+## Issues fixed in the AP5GC 2308 release

+The following table provides a summary of issues fixed in this release.

+ |No. |Feature | Issue |

+ |--|--|--|

+ | 1 | | |

+<-->

+## Known issues in the AP5GC 2308 release

+ |No. |Feature | Issue | Workaround/comments |

+ |--|--|--|--|

+ | 1 | Packet Forwarding | A slight(0.01%) increase in packet drops is observed in latest AP5GC release installed on ASE Platform Pro2 with ASE-2309 for throughput higher than 3.0 Gbps. | None |

+ | 2 | Local distributed tracing | In Multi PDN session establishment/Release call flows with different DNs, the distributed tracing web GUI fails to display some of 4G NAS messages (Activate/deactivate Default EPS Bearer Context Request) and some S1AP messages (ERAB request, ERAB Release). | None |

+ | 3 | Local distributed tracing | When a web proxy is enabled on the Azure Stack Edge appliance that the packet core is running on and Azure Active Directory is used to authenticate access to AP5GC Local Dashboards, the traffic to Azure Active Directory doesn't transmit via the web proxy. If there's a firewall blocking traffic that does not go via the web proxy then enabling Azure Active Directory causes the packet core install to fail. | Disable Azure Active Directory and use password based authentication to authenticate access to AP5GC Local Dashboards instead. |

+ | 4 | Packet Forwarding | In scenarios of sustained high load (for example, continuous setup of 100's of TCP flows per second) in 4G setups, AP5GC may encounter an internal error, leading to a short period of service disruption resulting in some call failures. | In most cases, the system will recover on its own and be able to handle new requests after a few seconds' disruption. For existing connections that are dropped the UEs need to re-establish the connection. |

+The following table provides a summary of known issues carried over from the previous releases.

+ |No. |Feature | Issue | Workaround/comments |

+ |--|--|--|--|

+ | 1 | Local Dashboards | When a web proxy is enabled on the Azure Stack Edge appliance that the packet core is running on and Azure Active Directory is used to authenticate access to AP5GC Local Dashboards, the traffic to Azure Active Directory doesn't transmit via the web proxy. If there's a firewall blocking traffic that doesn't go via the web proxy then enabling Azure Active Directory causes the packet core install to fail. | Disable Azure Active Directory and use password based authentication to authenticate access to AP5GC Local Dashboards instead. |

+

+## Next steps

+- [Upgrade the packet core instance in a site - Azure portal](upgrade-packet-core-azure-portal.md)

+- [Upgrade the packet core instance in a site - ARM template](upgrade-packet-core-arm-template.md)

+| 2308 | 2303, 2309 | 2303, 2309 |

+zone_pivot_groups: ase-pro-version

+ | The IP address for the control plane interface on the access network. For 5G, this interface is the N2 interface; for 4G, it's the S1-MME interface. You identified this address in [Allocate subnets and IP addresses](complete-private-mobile-network-prerequisites.md?pivots=ase-pro-gpu#allocate-subnets-and-ip-addresses). </br></br> This IP address must match the value you used when deploying the AKS-HCI cluster on your Azure Stack Edge Pro device. You did this as part of the steps in [Order and set up your Azure Stack Edge Pro device(s)](complete-private-mobile-network-prerequisites.md?pivots=ase-pro-gpu#order-and-set-up-your-azure-stack-edge-pro-devices). |**N2 address (Signaling)** (for 5G) or **S1-MME address** (for 4G). |

+ | The virtual network name on port 5 on your Azure Stack Edge Pro GPU corresponding to the control plane interface on the access network. For 5G, this interface is the N2 interface; for 4G, it's the S1-MME interface. | **ASE N2 virtual subnet** (for 5G) or **ASE S1-MME virtual subnet** (for 4G). |

+ | The virtual network name on port 5 on your Azure Stack Edge Pro GPU corresponding to the user plane interface on the access network. For 5G, this interface is the N3 interface; for 4G, it's the S1-U interface. | **ASE N3 virtual subnet** (for 5G) or **ASE S1-U virtual subnet** (for 4G). |

+ |Value |Field name in Azure portal |

+ |||

+ | The IP address for the control plane interface on the access network. For 5G, this interface is the N2 interface; for 4G, it's the S1-MME interface. You identified this address in [Allocate subnets and IP addresses](complete-private-mobile-network-prerequisites.md?pivots=ase-pro-2#allocate-subnets-and-ip-addresses). </br></br> This IP address must match the value you used when deploying the AKS-HCI cluster on your Azure Stack Edge Pro device. You did this as part of the steps in [Order and set up your Azure Stack Edge Pro device(s)](complete-private-mobile-network-prerequisites.md?pivots=ase-pro-2#order-and-set-up-your-azure-stack-edge-pro-devices). |**N2 address (Signaling)** (for 5G) or **S1-MME address** (for 4G). |

+ | The virtual network name on port 3 on your Azure Stack Edge Pro 2 corresponding to the control plane interface on the access network. For 5G, this interface is the N2 interface; for 4G, it's the S1-MME interface. | **ASE N2 virtual subnet** (for 5G) or **ASE S1-MME virtual subnet** (for 4G). |

+ | The virtual network name on port 3 on your Azure Stack Edge Pro 2 corresponding to the user plane interface on the access network. For 5G, this interface is the N3 interface; for 4G, it's the S1-U interface. | **ASE N3 virtual subnet** (for 5G) or **ASE S1-U virtual subnet** (for 4G). |

+ |Value |Field name in Azure portal |

+ |||

+ | The name of the data network. This could be an existing data network or a new one you'll create during packet core configuration. |**Data network name**|

+ | The virtual network name on port 6 (or port 5 if you plan to have more than six data networks) on your Azure Stack Edge Pro GPU device corresponding to the user plane interface on the data network. For 5G, this interface is the N6 interface; for 4G, it's the SGi interface. | **ASE N6 virtual subnet** (for 5G) or **ASE SGi virtual subnet** (for 4G). |

+ | The network address of the subnet from which dynamic IP addresses must be allocated to user equipment (UEs), given in CIDR notation. You won't need this address if you don't want to support dynamic IP address allocation for this site. You identified this in [Allocate user equipment (UE) IP address pools](complete-private-mobile-network-prerequisites.md?pivots=ase-pro-gpu#allocate-user-equipment-ue-ip-address-pools). The following example shows the network address format. </br></br>`192.0.2.0/24` </br></br>Note that the UE subnets aren't related to the access subnet. |**Dynamic UE IP pool prefixes**|

+ | The network address of the subnet from which static IP addresses must be allocated to user equipment (UEs), given in CIDR notation. You won't need this address if you don't want to support static IP address allocation for this site. You identified this in [Allocate user equipment (UE) IP address pools](complete-private-mobile-network-prerequisites.md?pivots=ase-pro-gpu#allocate-user-equipment-ue-ip-address-pools). The following example shows the network address format. </br></br>`203.0.113.0/24` </br></br>Note that the UE subnets aren't related to the access subnet. |**Static UE IP pool prefixes**|

+ | The Domain Name System (DNS) server addresses to be provided to the UEs connected to this data network. You identified this in [Allocate subnets and IP addresses](complete-private-mobile-network-prerequisites.md?pivots=ase-pro-gpu#allocate-subnets-and-ip-addresses). </br></br>This value may be an empty list if you don't want to configure a DNS server for the data network. In this case, UEs in this data network will be unable to resolve domain names. | **DNS Addresses** |

+ |Whether Network Address and Port Translation (NAPT) should be enabled for this data network. NAPT allows you to translate a large pool of private IP addresses for UEs to a small number of public IP addresses. The translation is performed at the point where traffic enters the data network, maximizing the utility of a limited supply of public IP addresses. </br></br>When NAPT is disabled, static routes to the UE IP pools via the appropriate user plane data IP address for the corresponding attached data network must be configured in the data network router. </br></br>If you want to use [UE-to-UE traffic](private-5g-core-overview.md#ue-to-ue-traffic) in this data network, keep NAPT disabled. |**NAPT**|

+ | The virtual network name on port 4 (or port 3 if you plan to have more than six data networks) on your Azure Stack Edge Pro 2 device corresponding to the user plane interface on the data network. For 5G, this interface is the N6 interface; for 4G, it's the SGi interface. | **ASE N6 virtual subnet** (for 5G) or **ASE SGi virtual subnet** (for 4G). |

+ | The network address of the subnet from which dynamic IP addresses must be allocated to user equipment (UEs), given in CIDR notation. You won't need this address if you don't want to support dynamic IP address allocation for this site. You identified this in [Allocate user equipment (UE) IP address pools](complete-private-mobile-network-prerequisites.md?pivots=ase-pro-2#allocate-user-equipment-ue-ip-address-pools). The following example shows the network address format. </br></br>`192.0.2.0/24` </br></br>Note that the UE subnets aren't related to the access subnet. |**Dynamic UE IP pool prefixes**|

+ | The network address of the subnet from which static IP addresses must be allocated to user equipment (UEs), given in CIDR notation. You won't need this address if you don't want to support static IP address allocation for this site. You identified this in [Allocate user equipment (UE) IP address pools](complete-private-mobile-network-prerequisites.md?pivots=ase-pro-2#allocate-user-equipment-ue-ip-address-pools). The following example shows the network address format. </br></br>`203.0.113.0/24` </br></br>Note that the UE subnets aren't related to the access subnet. |**Static UE IP pool prefixes**|

+ | The Domain Name System (DNS) server addresses to be provided to the UEs connected to this data network. You identified this in [Allocate subnets and IP addresses](complete-private-mobile-network-prerequisites.md?pivots=ase-pro-2#allocate-subnets-and-ip-addresses). </br></br>This value may be an empty list if you don't want to configure a DNS server for the data network. In this case, UEs in this data network will be unable to resolve domain names. | **DNS Addresses** |

+- [Create a site - Azure portal](create-a-site.md)

+- [Create a site - ARM template](create-site-arm-template.md)

+ - **Virtual switch**: select **vswitch-port3** for N2, N3 and up to four DNs, and select **vswitch-port4** for up to six DNs.

+ - **Name**: *N2*, *N3*, or *N6-DNX* (where *X* is the DN number 1-10).

+ - **VLAN**: 0

+ - **Subnet mask** and **Gateway**: Use the correct subnet mask and gateway for the IP address configured on the ASE port (even if the gateway is not set on the ASE port itself).

+| All IP traffic | Ports 3 and 4 (Data networks) | Data network user plane data (N6 interface for 5G, SGi for 4G). </br> Only required on port 3 if data networks are configured on that port. |

+The following tables contains the ports you need to open for Azure Private 5G Core local access. This includes local management access and control plane signaling.

+| All IP traffic | Ports 5 and 6 (Data networks) | Data network user plane data (N6 interface for 5G, SGi for 4G). </br> Only required on port 5 if data networks are configured on that port. |

+| 3. | Rack and cable your Azure Stack Edge Pro 2 device. </br></br>When carrying out this procedure, you must ensure that the device has its ports connected as follows:</br></br>- Port 2 - management</br>- Port 3 - access network (and optionally, data networks)</br>- Port 4 - data networks| [Tutorial: Install Azure Stack Edge Pro 2](/azure/databox-online/azure-stack-edge-pro-2-deploy-install?pivots=single-node.md) |

+| 3. | Rack and cable your Azure Stack Edge Pro GPU device. </br></br>When carrying out this procedure, you must ensure that the device has its ports connected as follows:</br></br>- Port 5 - access network (and optionally, data networks)</br>- Port 6 - data networks</br></br>Additionally, you must have a port connected to your management network. You can choose any port from 2 to 4. | [Tutorial: Install Azure Stack Edge Pro with GPU](/azure/databox-online/azure-stack-edge-gpu-deploy-install?pivots=single-node.md) |

+| 4. | Connect to your Azure Stack Edge Pro GPU device using the local web UI. | [Tutorial: Connect to Azure Stack Edge Pro with GPU](/azure/databox-online/azure-stack-edge-gpu-deploy-connect?pivots=single-node.md) |

+| 5. | Configure the network for your Azure Stack Edge Pro GPU device.</br> </br> **Note:** When an ASE is used in an Azure Private 5G Core service, Port 2 is used for management rather than data. The tutorial linked assumes a generic ASE that uses Port 2 for data.</br></br> In addition, you can optionally configure your Azure Stack Edge Pro GPU device to run behind a web proxy. </br></br> Verify the outbound connections from Azure Stack Edge Pro GPU device to the Azure Arc endpoints are opened. </br></br>**Do not** configure virtual switches, virtual networks or compute IPs. | [Tutorial: Configure network for Azure Stack Edge Pro with GPU](/azure/databox-online/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy?pivots=single-node.md)</br></br>[(Optionally) Configure web proxy for Azure Stack Edge Pro](/azure/databox-online/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy?pivots=single-node#configure-web-proxy)</br></br>[Azure Arc Network Requirements](/azure/azure-arc/kubernetes/quickstart-connect-cluster?tabs=azure-cli%2Cazure-cloud)</br></br>[Azure Arc Agent Network Requirements](/azure/architecture/hybrid/arc-hybrid-kubernetes)|

+> You must ensure your Azure Stack Edge Pro GPU device is compatible with the Azure Private 5G Core version you plan to install. See [Packet core and Azure Stack Edge (ASE) compatibility](./azure-stack-edge-packet-core-compatibility.md). If you need to upgrade your Azure Stack Edge Pro GPU device, see [Update your Azure Stack Edge Pro GPU](../databox-online/azure-stack-edge-gpu-install-update.md?tabs=version-2106-and-later).

+zone_pivot_groups: ase-pro-version

+7. Use the information you collected in [Collect access network values](collect-required-information-for-a-site.md#collect-access-network-values) to fill out the fields in the **Access network** section.

+ > [!NOTE]

+ > **ASE N2 virtual subnet** and **ASE N3 virtual subnet** (if this site will support 5G UEs) or **ASE S1-MME virtual subnet** and **ASE S1-U virtual subnet** (if this site will support 4G UEs) must match the corresponding virtual network names on port 5 on your Azure Stack Edge Pro GPU device.

+8. In the **Attached data networks** section, select **Attach data network**. Choose whether you want to use an existing data network or create a new one, then use the information you collected in [Collect data network values](collect-required-information-for-a-site.md?pivots=ase-pro-gpu#collect-data-network-values) to fill out the fields. Note the following:

+ - **ASE N6 virtual subnet** (if this site will support 5G UEs) or **ASE SGi virtual subnet** (if this site will support 4G UEs) must match the corresponding virtual network name on port 5 or 6 on your Azure Stack Edge Pro device.

+ - If you decided not to configure a DNS server, clear the **Specify DNS addresses for UEs?** checkbox.

+ - If you decided to keep NAPT disabled, ensure you configure your data network router with static routes to the UE IP pools via the appropriate user plane data IP address for the corresponding attached data network.

+ :::image type="content" source="media/create-a-site/create-site-attach-data-network.png" alt-text="Screenshot of the Azure portal showing the Attach data network screen.":::

+ Once you've finished filling out the fields, select **Attach**.

+7. Use the information you collected in [Collect access network values](collect-required-information-for-a-site.md#collect-access-network-values) to fill out the fields in the **Access network** section.

+ > **ASE N2 virtual subnet** and **ASE N3 virtual subnet** (if this site will support 5G UEs) or **ASE S1-MME virtual subnet** and **ASE S1-U virtual subnet** (if this site will support 4G UEs) must match the corresponding virtual network names on port 3 on your Azure Stack Edge Pro 2 device.

+8. In the **Attached data networks** section, select **Attach data network**. Choose whether you want to use an existing data network or create a new one, then use the information you collected in [Collect data network values](collect-required-information-for-a-site.md?pivots=ase-pro-2#collect-data-network-values) to fill out the fields. Note the following:

+ - **ASE N6 virtual subnet** (if this site will support 5G UEs) or **ASE SGi virtual subnet** (if this site will support 4G UEs) must match the corresponding virtual network name on port 3 or 4 on your Azure Stack Edge Pro device.

+9. Repeat the previous step for each additional data network you want to configure.

+10. If you decided you want to configure diagnostics packet collection or use a user assigned managed identity for HTTPS certificate for this site, select **Next : Identity >**.

+11. If you decided you want to provide a custom HTTPS certificate in [Collect local monitoring values](collect-required-information-for-a-site.md#collect-local-monitoring-values), select **Next : Local access >**. If you decided not to provide a custom HTTPS certificate at this stage, you can skip this step.

+12. In the **Local access** section, set the fields as follows:

+13. Select **Review + create**.

+14. Azure will now validate the configuration values you've entered. You should see a message indicating that your values have passed validation.

+15. Once your configuration has been validated, you can select **Create** to create the site. The Azure portal will display the following confirmation screen when the site has been created.

+16. Select **Go to resource group**, and confirm that it contains the following new resources:

+17. If you want to assign additional packet cores to the site, for each new packet core resource see [Create additional Packet Core instances for a site using the Azure portal](create-additional-packet-core.md).

+zone_pivot_groups: ase-pro-version

+9. Use the information you collected in [Collect access network values](collect-required-information-for-a-site.md#collect-access-network-values) for the site to fill out the fields in the **Access network** section.

+ > **ASE N2 virtual subnet** and **ASE N3 virtual subnet** (if this site supports 5G UEs) or **ASE S1-MME virtual subnet** and **ASE S1-U virtual subnet** (if this site supports 4G UEs) must match the corresponding virtual network names on port 5 on your Azure Stack Edge Pro GPU device.

+9. Use the information you collected in [Collect access network values](collect-required-information-for-a-site.md#collect-access-network-values) for the site to fill out the fields in the **Access network** section.

+ > [!NOTE]

+ > **ASE N2 virtual subnet** and **ASE N3 virtual subnet** (if this site supports 5G UEs) or **ASE S1-MME virtual subnet** and **ASE S1-U virtual subnet** (if this site supports 4G UEs) must match the corresponding virtual network names on port 3 on your Azure Stack Edge Pro 2 device.

+10. In the **Attached data networks** section, select **Attach data network**. Select the existing data network you used for the site then use the information you collected in [Collect data network values](collect-required-information-for-a-site.md#collect-data-network-values) to fill out the fields. Note the following:

+11. Repeat the previous step for each additional data network configured on the site.

+12. If you decided to configure diagnostics packet collection or use a user assigned managed identity for HTTPS certificate for this site, select **Next : Identity >**.

+13. If you decided you want to provide a custom HTTPS certificate in [Collect local monitoring values](collect-required-information-for-a-site.md#collect-local-monitoring-values), select **Next : Local access >**. If you decided not to provide a custom HTTPS certificate for monitoring this site, you can skip this step.

+14. In the **Local access** section, set the fields as follows:

+15. Select **Review + create**.

+16. Azure will now validate the configuration values you've entered. You should see a message indicating that your values have passed validation.

+17. Once your configuration has been validated, you can select **Create** to create the packet core instance. The Azure portal will display a confirmation screen when the packet core instance has been created.

+18. Return to the **Site** overview, and confirm that it contains the new packet core instance.

+zone_pivot_groups: ase-pro-version

+- Carry out the steps in [Complete the prerequisite tasks for deploying a private mobile network](complete-private-mobile-network-prerequisites.md?pivots=ase-pro-gpu) for your new site.

+- Identify the names of the interfaces corresponding to ports 3 and 4 on your Azure Stack Edge Pro device.

+- Collect all of the information in [Collect the required information for a site](collect-required-information-for-a-site.md?pivots=ase-pro-2).

+ | **Control Plane Access Interface Name** | Enter the virtual network name on port 5 on your Azure Stack Edge Pro GPU device corresponding to the control plane interface on the access network. For 5G, this interface is the N2 interface; for 4G, it's the S1-MME interface. |

+ | **User Plane Access Interface Name** | Enter the virtual network name on port 5 on your Azure Stack Edge Pro GPU device corresponding to the user plane interface on the access network. For 5G, this interface is the N3 interface; for 4G, it's the S1-U interface. |

+ | **User Plane Data Interface Name** | Enter the virtual network name on port 6 on your Azure Stack Edge Pro GPU device corresponding to the user plane interface on the data network. For 5G, this interface is the N6 interface; for 4G, it's the SGi interface. |

+2. Select or enter the following values, using the information you retrieved in [Prerequisites](#prerequisites).

+ | Field | Value |

+ |--|--|

+ | **Subscription** | Select the Azure subscription you used to create your private mobile network. |

+ | **Resource group** | Select the resource group containing the mobile network resource representing your private mobile network. |

+ | **Region** | Select the region in which you deployed the private mobile network. |

+ | **Location** | Enter the [code name](region-code-names.md) of the region in which you deployed the private mobile network. |

+ | **Existing Mobile Network Name** | Enter the name of the mobile network resource representing your private mobile network. |

+ | **Existing Data Network Name** | Enter the name of the data network. This value must match the name you used when creating the data network. |

+ | **Site Name** | Enter a name for your site.|

+ | **Azure Stack Edge Device** | Enter the resource ID of the Azure Stack Edge resource in the site. |

+ | **Control Plane Access Interface Name** | Enter the virtual network name on port 3 on your Azure Stack Edge Pro 2 device corresponding to the control plane interface on the access network. For 5G, this interface is the N2 interface; for 4G, it's the S1-MME interface. |

+ | **Control Plane Access Ip Address** | Enter the IP address for the control plane interface on the access network. |

+ | **User Plane Access Interface Name** | Enter the virtual network name on port 3 on your Azure Stack Edge Pro 2 device corresponding to the user plane interface on the access network. For 5G, this interface is the N3 interface; for 4G, it's the S1-U interface. |

+ | **User Plane Data Interface Name** | Enter the virtual network name on port 4 on your Azure Stack Edge Pro 2 device corresponding to the user plane interface on the data network. For 5G, this interface is the N6 interface; for 4G, it's the SGi interface. |

+ |**User Equipment Address Pool Prefix** | Enter the network address of the subnet from which dynamic IP addresses must be allocated to UEs in CIDR notation. You can omit this if you don't want to support dynamic IP address allocation. |

+ |**User Equipment Static Address Pool Prefix** | Enter the network address of the subnet from which static IP addresses must be allocated to UEs in CIDR notation. You can omit this if you don't want to support static IP address allocation. |

+ | **Core Network Technology** | Enter *5GC* for 5G, or *EPC* for 4G. |

+ | **Napt Enabled** | Set this field depending on whether Network Address and Port Translation (NAPT) should be enabled for the data network. |

+ | **Dns Addresses** | Enter the DNS server addresses. You should only omit this if you don't need the UEs to perform DNS resolution, or if all UEs in the network will use their own locally configured DNS servers. |

+ | **Custom Location** | Enter the resource ID of the custom location that targets the Azure Kubernetes Service on Azure Stack HCI (AKS-HCI) cluster on the Azure Stack Edge Pro device in the site. |

+zone_pivot_groups: ase-pro-version

+2. Select or enter the following values, using the information you retrieved in [Prerequisites](#prerequisites).

+2. Select or enter the following values, using the information you retrieved in [Prerequisites](#prerequisites).

+ |Field |Value |

+ |||

+ |**Subscription** | Select the Azure subscription you want to use to create your private mobile network. |

+ |**Resource group** | Create a new resource group. |

+ |**Region** | Select the region in which you're deploying the private mobile network. |

+ |**Location** | Leave this field unchanged. |

+ |**Mobile Network Name** | Enter a name for the private mobile network. |

+ |**Mobile Country Code** | Enter the mobile country code for the private mobile network. |

+ |**Mobile Network Code** | Enter the mobile network code for the private mobile network. |

+ |**Site Name** | Enter a name for your site. |

+ |**Service Name** | Leave this field unchanged. |

+ |**Sim Policy Name** | Leave this field unchanged. |

+ |**Slice Name** | Leave this field unchanged. |

+ |**Sim Group Name** | If you want to provision SIMs, enter the name of the SIM group to which the SIMs will be added. Otherwise, leave this field blank. |

+ |**Sim Resources** | If you want to provision SIMs, paste in the contents of the JSON file containing your SIM information. Otherwise, leave this field unchanged. |

+ | **Azure Stack Edge Device** | Enter the resource ID of the Azure Stack Edge resource in the site. |

+ |**Control Plane Access Interface Name** | Enter the virtual network name on port 3 on your Azure Stack Edge Pro device corresponding to the control plane interface on the access network. For 5G, this interface is the N2 interface; for 4G, it's the S1-MME interface. |

+ |**Control Plane Access Ip Address** | Enter the IP address for the control plane interface on the access network.</br> Note: Please ensure that the N2 IP address specified here matches the N2 address configured on the ASE Portal. |

+ |**User Plane Access Interface Name** | Enter the virtual network name on port 3 on your Azure Stack Edge Pro device corresponding to the user plane interface on the access network. For 5G, this interface is the N3 interface; for 4G, it's the S1-U interface. |

+ |**User Plane Data Interface Name** | Enter the virtual network name on port 4 on your Azure Stack Edge Pro device corresponding to the user plane interface on the data network. For 5G, this interface is the N6 interface; for 4G, it's the SGi interface. |

+ |**User Equipment Address Pool Prefix** | Enter the network address of the subnet from which dynamic IP addresses must be allocated to User Equipment (UEs) in CIDR notation. You can omit this if you don't want to support dynamic IP address allocation. |

+ |**User Equipment Static Address Pool Prefix** | Enter the network address of the subnet from which static IP addresses must be allocated to User Equipment (UEs) in CIDR notation. You can omit this if you don't want to support static IP address allocation. |

+ |**Data Network Name** | Enter the name of the data network. |

+ |**Core Network Technology** | Enter *5GC* for 5G, or *EPC* for 4G. |

+ |**Napt Enabled** | Set this field depending on whether Network Address and Port Translation (NAPT) should be enabled for the data network.|

+ | **Dns Addresses** | Enter the DNS server addresses. You should only omit this if you don't need the UEs to perform DNS resolution, or if all UEs in the network will use their own locally configured DNS servers. |

+ |**Custom Location** | Enter the resource ID of the custom location that targets the Azure Kubernetes Service on Azure Stack HCI (AKS-HCI) cluster on the Azure Stack Edge Pro device in the site.|

+3. Select **Review + create**.

+4. Azure will now validate the configuration values you've entered. You should see a message indicating that your values have passed validation.

+5. Once your configuration has been validated, you can select **Create** to deploy the resources. The Azure portal will display a confirmation screen when the deployment is complete.

+zone_pivot_groups: ase-pro-version

+When deployed on Azure Stack Edge Pro GPU (ASE), AP5GC uses physical port 5 for access signaling and data (5G N2 and N3 reference points/4G S1 and S1-U reference points) and port 6 for core data (5G N6/4G SGi reference points). If more than six data networks are configured, port 5 is also used for core data.

+When deployed on Azure Stack Edge 2 (ASE 2), AP5GC uses physical port 3 for access signaling and data (5G N2 and N3 reference points/4G S1 and S1-U reference points) and port 4 for core data (5G N6/4G SGi reference points). If more than six data networks are configured, port 3 is also used for core data.

+AP5GC supports deployments with or without layer 3 routers on ports 3 and 4. This is useful for avoiding extra hardware at smaller edge sites.

+- It is possible to connect ASE port 3 to RAN nodes directly (back-to-back) or via a layer 2 switch. When using this topology, you must configure the eNodeB/gNodeB address as the default gateway on the ASE network interface.

+- Similarly, it is possible to connect ASE port 4 to your core network via a layer 2 switch. When using this topology, you must set up an application or an arbitrary address on the subnet as gateway on the ASE side.

+- Alternatively, you can combine these approaches. For example, you could use a router on ASE port 4 with a flat layer 2 network on ASE port 3. If a layer 3 router is present in the local network, you must configure it to match the ASE's configuration.

+- Layer 3 network with 7-10 data networks

+ - No more than six data networks can be configured on the same port.

+ - For optimal performance, the data networks with the highest expected load should be configured on port 6.

+There are multiple ways to set up your network for use with AP5GC. The exact setup varies depending on your needs and hardware. This section provides some sample network topologies on ASE Pro 2 hardware.

+- Layer 3 network with N6 Network Address Translation (NAT)

+ This network topology has your ASE connected to a layer 2 device that provides connectivity to the mobile network core and access gateways (routers connecting your ASE to your data and access networks respectively). This topology supports up to six data networks. This solution is commonly used because it simplifies layer 3 routing.

+ :::image type="content" source="media/private-mobile-network-design-requirements/layer-3-network-with-n6-nat.png" alt-text="Diagram of a layer 3 network with N6 Network Address Translation (N A T)." lightbox="media/private-mobile-network-design-requirements/layer-3-network-with-n6-nat.png":::

+- Layer 3 network without Network Address Translation (NAT)

+ This network topology is a similar solution, but UE IP address ranges must be configured as static routes in the data network router with the N6 NAT IP address as the next hop address. As with the the previous solution, this topology supports up to six data networks.

+ :::image type="content" source="media/private-mobile-network-design-requirements/layer-3-network-without-n6-nat.png" alt-text="Diagram of a layer 3 network without Network Address Translation (N A T)." lightbox="media/private-mobile-network-design-requirements/layer-3-network-without-n6-nat.png":::

+- Flat layer 2 network

+ The packet core does not require layer 3 routers or any router-like functionality. An alternative topology could forgo the use of layer 3 gateway routers entirely and instead construct a layer 2 network in which the ASE is in the same subnet as the data and access networks. This network topology can be a cheaper alternative when you donΓÇÖt require layer 3 routing. This requires Network Address Port Translation (NAPT) to be enabled on the packet core.

+ :::image type="content" source="media/private-mobile-network-design-requirements/layer-2-network.png" alt-text="Diagram of a layer 2 network." lightbox="media/private-mobile-network-design-requirements/layer-2-network.png":::

+- Layer 3 network with multiple data networks

+ - AP5GC can support up to ten attached data networks, each with its own configuration for Domain Name System (DNS), UE IP address pools, N6 IP configuration, and NAT. The operator can provision UEs as subscribed in one or more data networks and apply data network-specific policy and quality of service (QoS) configuration.

+ - This topology requires that the N6 interface is split into one subnet for each data network or one subnet for all data networks. This option therefore requires careful planning and configuration to prevent overlapping data network IP ranges or UE IP ranges.

+ :::image type="content" source="media/private-mobile-network-design-requirements/layer-3-network-with-multiple-dns-azure-stack-edge-2.png" alt-text="Diagram of layer 3 network topology with multiple data networks." lightbox="media/private-mobile-network-design-requirements/layer-3-network-with-multiple-dns-azure-stack-edge-2.png":::

+- Layer 3 network with VLAN and physical access/core separation

+ - You can also separate ASE traffic into VLANs, whether or not you choose to add layer 3 gateways to your network. There are multiple benefits to segmenting traffic into separate VLANs, including more flexible network management and increased security.

+ - For example, you could configure separate VLANs for management, access and data traffic, or a separate VLAN for each attached data network.

+ - VLANs must be configured on the local layer 2 or layer 3 network equipment. Multiple VLANs will be carried on a single link from ASE port 3 (access network) and/or 4 (core network), so you must configure each of those links as a VLAN trunk.

+ :::image type="content" source="media/private-mobile-network-design-requirements/layer-3-network-with-vlans-azure-stack-edge-2.png" alt-text="Diagram of layer 3 network topology with V L A N s." lightbox="media/private-mobile-network-design-requirements/layer-3-network-with-vlans-azure-stack-edge-2.png":::

+- Layer 3 network with 7-10 data networks

+ - If you want to deploy more than six VLAN-separated data networks, the additional (up to four) data networks must be deployed on ASE port 3. This requires one shared switch or router that carries both access and core traffic. VLAN tags can be assigned as required to N2, N3 and each of the N6 data networks.

+ - No more than six data networks can be configured on the same port.

+ - For optimal performance, the data networks with the highest expected load should be configured on port 4.

+ :::image type="content" source="media/private-mobile-network-design-requirements/layer-3-network-with-additional-dns-azure-stack-edge-2.png" alt-text="Diagram of layer 3 network topology with 10 data networks." lightbox="media/private-mobile-network-design-requirements/layer-3-network-with-vlans-azure-stack-edge-2.png":::

+| AP5GC 2308 | Supported until AP5GC 2311 released |

+| AP5GC 2307 | Supported until AP5GC 2310 released |

+| AP5GC 2306 and earlier | Out of Support |

+## September 2023

+### Packet core 2308

+**Type:** New release

+**Date available:** September 21, 2023

+The 2308 release for the Azure Private 5G Core packet core is now available. For more information, see [Azure Private 5G Core 2308 release notes](azure-private-5g-core-release-notes-2308.md).

+### 10 DNs

+**Type:** New feature

+**Date available:** September 07, 2023

+In this release, the number of supported data networks (DNs) increases from three to ten, including with layer 2 traffic separation. If more than 6 DNs are required, a shared switch for access and core traffic is needed.

+### Default MTU values

+**Type:** New feature

+**Date available:** September 07, 2023

+In this release, the default MTU values are changed as follows:

+- UE MTU: 1440 (was 1300)

+- Access MTU: 1500 (was 1500)

+- Data MTU: 1440 (was 1500)

+Customers upgrading to 2308 see a change in the MTU values on their packet core.

+When the UE MTU is set to any valid value (see API Spec) then the other MTUs will be set to:

+- Access MTU: UE MTU + 60

+- Data MTU: UE MTU

+

+Rollbacks to Packet Core versions earlier than 2308 are not possible if the UE MTU field is changed following an upgrade.

+### MTU Interop setting

+**Type:** New feature

+**Date available:** September 07, 2023

+In this release, the MTU Interop setting is deprecated and cannot be set for Packet Core versions 2308 and above.

+### UE usage tracking

+**Type:** New feature

+**Date available:** July 31, 2023

+The UE usage tracking messages in Azure Event Hubs are now encoded in AVRO file container format, which enables you to consume these events via Power BI or Azure Stream Analytics (ASA). If you want to enable this feature for your deployment, contact your support representative.

+### Unknown User cause code mapping in 4G deployments

+**Type:** New feature

+**Date available:** July 31, 2023

+In this release, the 4G NAS EMM cause code for ΓÇ£unknown userΓÇ¥ (subscriber not provisioned on AP5GC) changes to ΓÇ£no-suitable-cells-in-ta-15ΓÇ¥ by default. This provides better interworking in scenarios where a single PLMN is used for multiple, independent mobile networks.

+ Title: What are Azure availability zones?

+description: Learn about availability zones and how they work to help you achieve reliability

+# What are availability zones?

+Many Azure regions provide *availability zones*, which are separated groups of datacenters within a region. Availability zones are close enough to have low-latency connections to other availability zones. They're connected by a high-performance network with a round-trip latency of less than 2ms. However, availability zones are far enough apart to reduce the likelihood that more than one will be affected by local outages or weather. Availability zones have independent power, cooling, and networking infrastructure. They're designed so that if one zone experiences an outage, then regional services, capacity, and high availability are supported by the remaining zones. They help your data stay synchronized and accessible when things go wrong.

+Datacenter locations are selected by using rigorous vulnerability risk assessment criteria. This process identifies all significant datacenter-specific risks and considers shared risks between availability zones.

+The following diagram shows several example Azure regions. Regions 1 and 2 support availability zones.

+## Zonal and zone-redundant services

+When you deploy into an Azure region that contains availability zones, you can use multiple availability zones together. By using multiple availability zones, you can keep separate copies of your application and data within separate physical datacenters in a large metropolitan area.

+There are two ways that Azure services use availability zones:

+- **Zonal** resources are pinned to a specific availability zone. You can combine multiple zonal deployments across different zones to meet high reliability requirements. You're responsible for managing data replication and distributing requests across zones. If an outage occurs in a single availability zone, you're responsible for failover to another availability zone.

+- **Zone-redundant** resources are spread across multiple availability zones. Microsoft manages spreading requests across zones and the replication of data across zones. If an outage occurs in a single availability zone, Microsoft manages failover automatically.

+Azure services support one or both of these approaches. Platform as a service (PaaS) services typically support zone-redundant deployments. Infrastructure as a service (IaaS) services typically support zonal deployments. For more information about how Azure services work with availability zones, see [Azure regions with availability zone support](availability-zones-service-support.md#azure-regions-with-availability-zone-support).

+For information on service-specific reliability support using availability zones as well as recommended disaster recovery guidance see [Reliability guidance overview](./reliability-guidance-overview.md).

+## Physical and logical availability zones

+Each datacenter is assigned to a physical zone. Physical zones are mapped to logical zones in your Azure subscription, and different subscriptions might have a different mapping order. Azure subscriptions are automatically assigned their mapping at the time the subscription is created.

+To understand the mapping between logical and physical zones for your subscription, use the [List Locations Azure Resource Manager API](/rest/api/resources/subscriptions/list-locations). You can use the [Azure CLI](/cli/azure/install-azure-cli) or [Azure PowerShell](/powershell/azure/what-is-azure-powershell) to retrieve the information from the API.

+# [CLI](#tab/azure-cli)

+```azurecli

+az rest --method get --uri '/subscriptions/{subscriptionId}/locations?api-version=2022-12-01' --query 'value'

+```

+# [PowerShell](#tab/azure-powershell)

+```azurepowershell

+$subscriptionId = (Get-AzContext).Subscription.ID

+$response = Invoke-AzRestMethod -Method GET -Path "/subscriptions/$subscriptionId/locations?api-version=2022-12-01"

+$locations = ($response.Content | ConvertFrom-Json).value

+```

+## Availability zones and Azure updates

+Microsoft aims to deploy updates to Azure services to a single availability zone at a time. This approach reduces the impact that updates might have on an active workload, because the workload can continue to run in other zones while the update is in process. You need to run your workload across multiple zones to take advantage of this benefit. For more information about how Azure deploys updates, see [Advancing safe deployment practices](https://azure.microsoft.com/blog/advancing-safe-deployment-practices/).

+## Paired and unpaired regions

+Many regions also have a [*paired region*](./cross-region-replication-azure.md#azure-cross-region-replication-pairings-for-all-geographies). Paired regions support certain types of multi-region deployment approaches. Some newer regions have [multiple availability zones and don't have a paired region](./cross-region-replication-azure.md#regions-with-availability-zones-and-no-region-pair). You can still deploy multi-region solutions into these regions, but the approaches you use might be different.

+## Shared responsibility model

+The [shared responsibility model](./overview.md#shared-responsibility) describes how responsibilities are divided between the cloud provider (Microsoft) and you. Depending on the type of services you use, you might take on more or less responsibility for operating the service.

+Microsoft provides availability zones and regions to give you flexibility in how you design your solution to meet your requirements. When you use managed services, Microsoft takes on more of the management responsibilities for your resources, which might even include data replication, failover, failback, and other tasks related to operating a distributed system.

+## Availability zone architectural guidance

+To achieve more reliable workloads:

+- Production workloads should be configured to use availability zones if the region they are in supports availability zones.

+- For mission-critical workloads, you should consider a solution that is *both* multi-region and multi-zone.

+For more detailed information on how to use regions and availability zones in a solution architecture, see [Recommendations for using availability zones and regions](/azure/well-architected/resiliency/regions-availability-zones).

+- [Azure services and regions with availability zones](availability-zones-service-support.md)

+- [Availability zone migration guidance](availability-zones-migration-overview.md)

+- [Availability of service by category](availability-service-by-category.md)

+- [Microsoft commitment to expand Azure availability zones to more regions](https://azure.microsoft.com/blog/our-commitment-to-expand-azure-availability-zones-to-more-regions/)

+- [Build solutions for high availability using availability zones](/azure/architecture/high-availability/building-solutions-for-high-availability)

+| Term | Definition |

+|-|-|

+| Region | A geographic perimeter that contains a set of datacenters. |

+| Datacenter | A facility that contains servers, networking equipment, and other hardware to support Azure resources and workloads. |

+| Availability zone | [A separated group of datacenters within a region.][availability-zones-overview] Each availability zone is independent of the others, with its own power, cooling, and networking infrastructure. [Many regions support availability zones.][azure-regions-with-availability-zone-support] |

+| Paired regions |A relationship between two Azure regions. [Some Azure regions][azure-region-pairs] are connected to another defined region to enable specific types of multi-region solutions. [Newer Azure regions aren't paired.][regions-with-availability-zones-and-no-region-pair] |

+| Region architecture | The specific configuration of the Azure region, including the number of availability zones and whether the region is paired with another region. |

+| Locally redundant deployment | A deployment model in which a resource is deployed into a single region without reference to an availability zone. In a region that supports availability zones, the resource might be deployed in any of the region's availability zones. |

+| Zonal (pinned) deployment | A deployment model in which a resource is deployed into a specific availability zone. |

+| Zone-redundant deployment | A deployment model in which a resource is deployed across multiple availability zones. Microsoft manages data synchronization, traffic distribution, and failover if a zone experiences an outage. |

+| Multi-region deployment| A deployment model in which resources are deployed into multiple Azure regions. |

+| Asynchronous replication | A data replication approach in which data is written and committed to one location. At a later time, the changes are replicated to another location. |

+| Synchronous replication | A data replication approach in which data is written and committed to multiple locations. Each location must acknowledge completion of the write operation before the overall write operation is considered complete. |

+| Active-active | An architecture in which multiple instances of a solution actively process requests at the same time. |

+| Active-passive | An architecture in which one instance of a solution is designated as the *primary* and processes traffic, and one or more *secondary* instances are deployed to serve traffic if the primary is unavailable. |

+SQL Managed Instance offers a zone redundant configuration that uses [Azure availability zones](availability-zones-overview.md#zonal-and-zone-redundant-services) to replicate your instances across multiple physical locations within an Azure region. With zone redundancy enabled, your Business Critical managed instances become resilient to a larger set of failures, such as catastrophic datacenter outages, without any changes to application logic. For more information on the availability model for SQL Database, see [Business Critical service tier zone redundant availability section in the Azure SQL documentation](/azure/azure-sql/database/high-availability-sla?view=azuresql&tabs=azure-powershell&preserve-view=true#premium-and-business-critical-service-tier-zone-redundant-availability).

+Azure Container Apps uses [availability zones](availability-zones-overview.md#zonal-and-zone-redundant-services) in regions where they're available to provide high-availability protection for your applications and data from data center failures.

+Azure Container Apps uses [availability zones](availability-zones-overview.md#zonal-and-zone-redundant-services) in regions where they're available. For a list of regions that support availability zones, see [Availability zone service and regional support](availability-zones-service-support.md).

+>Virtual Machine Scale Sets can only be deployed into one region. If you want to deploy VMs across multiple regions, see [Virtual Machines-Disaster recovery: cross-region failover](./reliability-virtual-machines.md#cross-region-disaster-recovery-and-business-continuity).

+This article contains [specific reliability recommendations for Virtual Machines](#reliability-recommendations), as well as detailed information on VM regional resiliency with [availability zones](#availability-zone-support) and [cross-region disaster recovery and business continuity](#cross-region-disaster-recovery-and-business-continuity).

+## Cross-region disaster recovery and business continuity

+> [Reliability in Azure](/azure/reliability/availability-zones-overview)

+| [Semantic ranking for retail](https://brave-meadow-0f59c9b1e.1.azurestaticapps.net/) | Web app for a fictitious online retailer, "Terra" | Not available |

+There's no query type in Cognitive Search - not even semantic or vector search - that composes new answers. Only the LLM provides generative AI. Here are the capabilities in Cognitive Search that are used to formulate queries:

+| [Semantic ranking](semantic-how-to-query-request.md) | Re-ranks a BM25 result set using semantic models. Produces short-form captions and answers that are useful as LLM inputs. | Easier than scoring profiles, and depending on your content, a more reliable technique for relevance tuning. |

+# Alternatively simply use search_client.search(q, top=3) if not using semantic ranking

+| [**Semantic search**](semantic-search-overview.md) | Relevance (scoring) | Semantic ranking of results, captions, and answers. | Configure semantic ranking using [Search Documents](/rest/api/searchservice/preview-api/search-documents), API versions 2021-04-30-Preview or 2020-06-30-Preview, and Search Explorer (portal). |

+> * [(preview) Disable semantic ranking](#disable-semantic-search)

+## (preview) Disable semantic ranking

+By default, the search engine returns up to the first 50 matches. The top 50 are determined by search score, assuming the query is full text search or semantic. Otherwise, the top 50 are an arbitrary order for exact match queries (where uniform "@searchScore=1.0" indicates arbitrary ranking).

+Billing is based on capacity (SUs) and the costs of running premium features, such as [AI enrichment](cognitive-search-concept-intro.md), [Semantic ranking](semantic-search-overview.md), and [Private endpoints](service-create-private-endpoint.md). Meters associated with premium features are listed in the following table.

+| [Semantic ranking](semantic-search-overview.md) ¹ | Number of queries of "queryType=semantic", billed at a progressive rate. See the [pricing page](https://azure.microsoft.com/pricing/details/search/#pricing). |

+| [Semantic ranking (preview)](semantic-search-overview.md) | Not available on the Free tier. |

+ Title: Configure semantic ranking

+description: Set a semantic query type to attach the deep learning models of semantic ranking.

+Speller was released in tandem with the [semantic ranking](semantic-search-overview.md) and shares the "queryLanguage" parameter, but is otherwise an independent feature with its own prerequisites. There's no sign-up or extra charges for using this feature.

+## Spell correction with semantic ranking

+Source code for this tutorial is in the [optimize-data-indexing/v11](https://github.com/Azure-Samples/azure-search-dotnet-scale/tree/main/optimize-data-indexing/v11) folder in the [Azure-Samples/azure-search-dotnet-samples](https://github.com/Azure-Samples/azure-search-dotnet-samples) GitHub repository.

+> + [Filter and query vector fields](#filter-and-vector-queries)

+POST https://{{search-service-name}}.search.windows.net/indexes/{{index-name}}/docs/search?api-version=2023-07-01-Preview

+## Filter and vector queries

+A query request can include a vector query and a [filter expression](search-filters.md). Filters apply to text and numeric fields, and are useful for including or excluding search documents based on filter criteria. Although a vector field isn't filterable itself, you can attribute a text or numeric field in the same index as "filterable".

+In contrast with full text search, a filter in a pure vector query is effectively processed as a post-query operation. The set of `"k"` nearest neighbors is retrieved, and then combined with the set of filtered results. As such, the value of `"k"` predetermines the surface over which the filter is applied. For `"k": 10`, the filter is applied to 10 most similar documents. For `"k": 100`, the filter iterates over 100 documents (assuming the index contains 100 documents that are sufficiently similar to the query).

+Here's an example of filter expressions combined with a vector query:

+```http

+POST https://{{search-service-name}}.search.windows.net/indexes/{{index-name}}/docs/search?api-version=2023-07-01-Preview

+Content-Type: application/json

+api-key: {{admin-api-key}}

+{

+ "vectors": [

+ {

+ "value": [

+ -0.009154141,

+ 0.018708462,

+ . . .

+ -0.02178128,

+ -0.00086512347

+ ],

+ "fields": "contentVector",

+ "k": 10

+ },

+ ],

+ "select": "title, content, category",

+ "filter": "category eq 'Databases'"

+}

+```

+> [!TIP]

+> If you don't have source fields with text or numeric values, check for document metadata, such as LastModified or CreatedBy properties, that might be useful in a filter.

+Hybrid queries are useful because they add support for filters, orderby, and [semantic search](semantic-how-to-query-request.md) For example, in addition to the vector query, you could search over people or product names or titles, scenarios for which similarity search isn't a good fit.

+POST https://{{search-service-name}}.search.windows.net/indexes/{{index-name}}/docs/search?api-version=2023-07-01-Preview

+POST https://{{search-service-name}}.search.windows.net/indexes/{{index-name}}/docs/search?api-version=2023-07-01-Preview

+You can index vector data as fields in documents alongside alphanumeric content. Vector queries can be issued singly or in combination with filters and other query types, including term queries (hybrid search) and semantic ranking in the same search request.

+## Service Fabric 10.0

+We're excited to announce that the 10.0 release of the Service Fabric runtime has started rolling out to the various Azure regions along with tooling and SDK updates. The updates for .NET SDK, Java SDK, and Service Fabric runtimes can be downloaded from the links provided in Release Notes. The SDK, NuGet packages, and Maven repositories are available in all regions within 7-10 days.

+### Key announcements

+- Enhance Container image pruning.

+- Balancing of a cluster per node type.

+- Expose health check phase and timer for application and cluster upgrade.

+- Support ESE.dll version compatibility in the replica building process.

+- Enable Lease probes.

+- Extend the FabricClient constructor to include "SecurityCredentials" without "HostEndpoints".

+- Security audit of cluster management endpoint settings.

+### Service Fabric 10.0 releases

+| September 09, 2023 | Azure Service Fabric 10.0 Release | [Release notes](https://github.com/microsoft/service-fabric/blob/master/release_notes/Service_Fabric_ReleaseNotes_10.md) |

+- **Inventory file:** An inventory run for a rule generates a CSV or Apache Parquet formatted file. Each such file contains matched objects and their metadata.

+ > Starting in October 2023, inventory runs will produce multiple files if the object count is large. To learn more, see [Multiple inventory file output FAQ](storage-blob-faq.yml#multiple-inventory-file-output).

+All redundancy configurations support immutable storage. For more information about redundancy configurations, see [Azure Storage redundancy](../common/storage-redundancy.md).

+Windows client for NFS is not yet supported.

+- Performing a customer-managed failover on a storage account resets the earliest possible restore point for the storage account. For more details, see [Point-in-time restore](../common/storage-disaster-recovery-guidance.md#point-in-time-restore-inconsistencies).

+Add the following `import` directive to your file to use `ParallelTransferOptions` for a download:

+To learn more about tuning data transfer options, see [Performance tuning for uploads and downloads with Java](storage-blobs-tune-upload-download-java.md).

+You can configure values in [ParallelTransferOptions](/java/api/com.azure.storage.blob.models.paralleltransferoptions) to improve performance for data transfer operations. The following values can be tuned for uploads based on the needs of your app:

+- `blockSize`: The maximum block size to transfer for each request. You can set this value by using the [setBlockSizeLong](/java/api/com.azure.storage.blob.models.paralleltransferoptions#com-azure-storage-blob-models-paralleltransferoptions-setblocksizelong(java-lang-long)) method.

+- `maxSingleUploadSize`: If the size of the data is less than or equal to this value, it's uploaded in a single put rather than broken up into chunks. If the data is uploaded in a single shot, the block size is ignored. You can set this value by using the [setMaxSingleUploadSizeLong](/java/api/com.azure.storage.blob.models.paralleltransferoptions#com-azure-storage-blob-models-paralleltransferoptions-setmaxsingleuploadsizelong(java-lang-long)) method.

+- `maxConcurrency`: The maximum number of parallel requests issued at any given time as a part of a single parallel transfer. You can set this value by using the [setMaxConcurrency](/java/api/com.azure.storage.blob.models.paralleltransferoptions#com-azure-storage-blob-models-paralleltransferoptions-setmaxconcurrency(java-lang-integer)) method.

+Make sure you have the following `import` directive to use `ParallelTransferOptions` for an upload:

+```java

+import com.azure.storage.blob.models.*;

+```

+To learn more about tuning data transfer options, see [Performance tuning for uploads and downloads with Java](storage-blobs-tune-upload-download-java.md).

+ Title: Performance tuning for uploads and downloads with Azure Storage client library for Java

+description: Learn how to tune your uploads and downloads for better performance with Azure Storage client library for Java.

+ms.devlang: java

+# Performance tuning for uploads and downloads with Java

+When an application transfers data using the Azure Storage client library for Java, there are several factors that can affect speed, memory usage, and even the success or failure of the request. To maximize performance and reliability for data transfers, it's important to be proactive in configuring client library transfer options based on the environment your app runs in.

+This article walks through several considerations for tuning data transfer options. When properly tuned, the client library can efficiently distribute data across multiple requests, which can result in improved operation speed, memory usage, and network stability.

+## Performance tuning for uploads

+Properly tuning data transfer options is key to reliable performance for uploads. Storage transfers are partitioned into several subtransfers based on the values of these arguments. The maximum supported transfer size varies by operation and service version, so be sure to check the documentation to determine the limits. For more information on transfer size limits for Blob storage, see [Scale targets for Blob storage](scalability-targets.md#scale-targets-for-blob-storage).

+### Set transfer options for uploads

+You can configure the values in [ParallelTransferOptions](/java/api/com.azure.storage.blob.models.paralleltransferoptions) to improve performance for data transfer operations. The following values can be tuned for uploads based on the needs of your app:

+- [maxSingleUploadSize](#maxsingleuploadsize): The maximum blob size in bytes for a single request upload.

+- [blockSize](#blocksize): The maximum block size to transfer for each request.

+- [maxConcurrency](#maxconcurrency): The maximum number of parallel requests issued at any given time as a part of a single parallel transfer.

+> [!NOTE]

+> The client libraries will use defaults for each data transfer option, if not provided. These defaults are typically performant in a data center environment, but not likely to be suitable for home consumer environments. Poorly tuned data transfer options can result in excessively long operations and even request timeouts. It's best to be proactive in testing these values, and tuning them based on the needs of your application and environment.

+#### maxSingleUploadSize

+The `maxSingleUploadSize` value is the maximum blob size in bytes for a single request upload. This value can be set using the following method:

+- [`setMaxSingleUploadSizeLong(Long maxSingleUploadSize)`](/java/api/com.azure.storage.blob.models.paralleltransferoptions#com-azure-storage-blob-models-paralleltransferoptions-setmaxsingleuploadsizelong(java-lang-long))

+If the size of the data is less than or equal to `maxSingleUploadSize`, the blob is uploaded with a single [Put Blob](/rest/api/storageservices/put-blob) request. If the blob size is greater than `maxSingleUploadSize`, or if the blob size is unknown, the blob is uploaded in chunks using a series of [Put Block](/rest/api/storageservices/put-block) calls followed by [Put Block List](/rest/api/storageservices/put-block-list).

+It's important to note that the value you specify for `blockSize` *does not* limit the value that you define for `maxSingleUploadSize`. The `maxSingleUploadSize` argument defines a separate size limitation for a request to perform the entire operation at once, with no subtransfers. It's often the case that you want `maxSingleUploadSize` to be *at least* as large as the value you define for `blockSize`, if not larger. Depending on the size of the data transfer, this approach can be more performant, as the transfer is completed with a single request and avoids the overhead of multiple requests.

+If you're unsure of what value is best for your situation, a safe option is to set `maxSingleUploadSize` to the same value used for `blockSize`.

+#### blockSize

+The `blockSize` value is the maximum length of a transfer in bytes when uploading a block blob in chunks. This value can be set using the following method:

+- [`setBlockSizeLong(Long blockSize)`](/java/api/com.azure.storage.blob.models.paralleltransferoptions#com-azure-storage-blob-models-paralleltransferoptions-setblocksizelong(java-lang-long))

+The `blockSize` value is the maximum length of a transfer in bytes when uploading a block blob in chunks. As mentioned earlier, this value *does not* limit `maxSingleUploadSize`, which can be larger than `blockSize`.

+To keep data moving efficiently, the client libraries may not always reach the `blockSize` value for every transfer. Depending on the operation, the maximum supported value for transfer size can vary. For more information on transfer size limits for Blob storage, see the chart in [Scale targets for Blob storage](scalability-targets.md#scale-targets-for-blob-storage).

+#### maxConcurrency

+The `maxConcurrency` value is the maximum number of parallel requests issued at any given time as a part of a single parallel transfer. This value can be set using the following method:

+- [`setMaxConcurrency(Integer maxConcurrency)`](/java/api/com.azure.storage.blob.models.paralleltransferoptions#com-azure-storage-blob-models-paralleltransferoptions-setmaxconcurrency(java-lang-integer))

+#### Code example

+Make sure you have the following `import` directive to use `ParallelTransferOptions` for an upload:

+```java

+import com.azure.storage.blob.models.*;

+```

+The following code example shows how to set values for [ParallelTransferOptions](/java/api/com.azure.storage.blob.models.paralleltransferoptions) and include the options as part of a [BlobUploadFromFileOptions](/java/api/com.azure.storage.blob.options.blobuploadfromfileoptions) instance. If you're not uploading from a file, you can set similar options using [BlobParallelUploadOptions](/java/api/com.azure.storage.blob.options.blobparalleluploadoptions). The values provided in this sample aren't intended to be a recommendation. To properly tune these values, you need to consider the specific needs of your app.

+```java

+ParallelTransferOptions parallelTransferOptions = new ParallelTransferOptions()

+ .setBlockSizeLong((long) (4 * 1024 * 1024)) // 4 MiB block size

+ .setMaxConcurrency(2)

+ .setMaxSingleUploadSizeLong((long) 8 * 1024 * 1024); // 8 MiB max size for single request upload

+BlobUploadFromFileOptions options = new BlobUploadFromFileOptions("<localFilePath>");

+options.setParallelTransferOptions(parallelTransferOptions);

+Response<BlockBlobItem> blockBlob = blobClient.uploadFromFileWithResponse(options, null, null);

+```

+In this example, we set the maximum number of parallel transfer workers to 2 using the `setMaxConcurrency` method. We also set `maxSingleUploadSize` to 8 MiB using the `setMaxSingleUploadSizeLong` method. If the blob size is smaller than 8 MiB, only a single request is necessary to complete the upload operation. If the blob size is larger than 8 MiB, the blob is uploaded in chunks with a maximum chunk size of 4 MiB, which we set using the `setBlockSizeLong` method.

+### Performance considerations for uploads

+During an upload, the Storage client libraries split a given upload stream into multiple subuploads based on the configuration options defined by `ParallelTransferOptions`. Each subupload has its own dedicated call to the REST operation. For a `BlobClient` object, this operation is [Put Block](/rest/api/storageservices/put-block). The Storage client library manages these REST operations in parallel (depending on transfer options) to complete the full upload.

+> [!NOTE]

+> Block blobs have a maximum block count of 50,000 blocks. The maximum size of your block blob, then, is 50,000 times `block_size`.

+#### Buffering during uploads

+The Storage REST layer doesnΓÇÖt support picking up a REST upload operation where you left off; individual transfers are either completed or lost. To ensure resiliency for stream uploads, the Storage client libraries buffer data for each individual REST call before starting the upload. In addition to network speed limitations, this buffering behavior is a reason to consider a smaller value for `blockSize`, even when uploading in sequence. Decreasing the value of `blockSize` decreases the maximum amount of data that is buffered on each request and each retry of a failed request. If you're experiencing frequent timeouts during data transfers of a certain size, reducing the value of `blockSize` reduces the buffering time, and may result in better performance.

+## Performance tuning for downloads

+Properly tuning data transfer options is key to reliable performance for downloads. Storage transfers are partitioned into several subtransfers based on the values defined in `ParallelTransferOptions`.

+### Set transfer options for downloads

+The following values can be tuned for downloads based on the needs of your app:

+- `blockSize`: The maximum block size to transfer for each request. You can set this value by using the [setBlockSizeLong](/java/api/com.azure.storage.common.paralleltransferoptions#com-azure-storage-common-paralleltransferoptions-setblocksizelong(java-lang-long)) method.

+- `maxConcurrency`: The maximum number of parallel requests issued at any given time as a part of a single parallel transfer. You can set this value by using the [setMaxConcurrency](/java/api/com.azure.storage.common.paralleltransferoptions#com-azure-storage-common-paralleltransferoptions-setmaxconcurrency(java-lang-integer)) method.

+#### Code example

+Make sure you have the following `import` directive to use `ParallelTransferOptions` for a download:

+```java

+import com.azure.storage.common.*;

+```

+The following code example shows how to set values for [ParallelTransferOptions](/java/api/com.azure.storage.common.paralleltransferoptions) and include the options as part of a [BlobDownloadToFileOptions](/java/api/com.azure.storage.blob.options.blobdownloadtofileoptions) instance.

+```java

+ParallelTransferOptions parallelTransferOptions = new ParallelTransferOptions()

+ .setBlockSizeLong((long) (4 * 1024 * 1024)) // 4 MiB block size

+ .setMaxConcurrency(2);

+BlobDownloadToFileOptions options = new BlobDownloadToFileOptions("<localFilePath>");

+options.setParallelTransferOptions(parallelTransferOptions);

+blobClient.downloadToFileWithResponse(options, null, null);

+```

+### Performance considerations for downloads

+During a download, the Storage client libraries split a given download request into multiple subdownloads based on the configuration options defined by `ParallelTransferOptions`. Each subdownload has its own dedicated call to the REST operation. Depending on transfer options, the client libraries manage these REST operations in parallel to complete the full download.

+## Next steps

+- To understand more about factors that can influence performance for Azure Storage operations, see [Latency in Blob storage](storage-blobs-latency.md).

+- To see a list of design considerations to optimize performance for apps using Blob storage, see [Performance and scalability checklist for Blob storage](storage-performance-checklist.md).

+ Title: Performance tuning for uploads and downloads with Azure Storage client library for Python

+# Performance tuning for uploads and downloads with Python

+ Title: Performance tuning for uploads and downloads with Azure Storage client library for .NET

+# Performance tuning for uploads and downloads with .NET

+| [Logging in Azure Monitor](./monitor-blob-storage.md) | &#x2705; | &#x2705; | &#x2705; | &#x2705; |

+| [Logging in Azure Monitor](./monitor-blob-storage.md) | &#x2705; | &#x2705; | &#x2705; | &#x2705; |

+After an account failover to the secondary region, it's possible to initiate a failback from the new primary back to the new secondary with PowerShell or Azure CLI (version 2.30.0 or later). For more information, see [How customer-managed storage account failover works](storage-failover-customer-managed-unplanned.md).

+If you performed an account failover for your GRS or RA-GRS account, the account is locally redundant (LRS) in the new primary region after the failover. Conversion to ZRS or GZRS for an LRS account resulting from a failover is not supported. This is true even in the case of so-called failback operations. For example, if you perform an account failover from RA-GRS to LRS in the secondary region, and then configure it again as RA-GRS, it will be LRS in the new secondary region (the original primary). If you then perform another account failover to failback to the original primary region, it will be LRS again in the original primary. In this case, you can't perform a conversion to ZRS, GZRS or RA-GZRS in the primary region. Instead, you'll need to perform a manual migration to add zone-redundancy.

+ Title: Azure storage disaster recovery planning and failover

+description: Azure Storage supports account failover for geo-redundant storage accounts. Create a disaster recovery plan for your storage accounts if the endpoints in the primary region become unavailable.

+# Azure storage disaster recovery planning and failover

+Microsoft strives to ensure that Azure services are always available. However, unplanned service outages may occur. Key components of a good disaster recovery plan include strategies for:

+- [Data protection](../blobs/data-protection-overview.md)

+- [Backup and restore](../../backup/index.yml)

+- [Data redundancy](storage-redundancy.md)

+- [Failover](#plan-for-storage-account-failover)

+- [Designing applications for high availability](#design-for-high-availability)

+This article focuses on failover for globally redundant storage accounts (GRS, GZRS, and RA-GZRS), and how to design your applications to be highly available if there's an outage and subsequent failover.

+Azure Storage maintains multiple copies of your storage account to ensure durability and high availability. Which redundancy option you choose for your account depends on the degree of resiliency you need for your applications.

+With locally redundant storage (LRS), three copies of your storage account are automatically stored and replicated within a single datacenter. With zone-redundant storage (ZRS), a copy is stored and replicated in each of three separate availability zones within the same region. For more information about availability zones, see [Azure availability zones](../../availability-zones/az-overview.md).

+Recovery of a single copy of a storage account occurs automatically with LRS and ZRS.

+### Globally redundant storage and failover

+With globally redundant storage (GRS, GZRS, and RA-GZRS), Azure copies your data asynchronously to a secondary geographic region at least hundreds of miles away. This allows you to recover your data if there's an outage in the primary region. A feature that distinguishes globally redundant storage from LRS and ZRS is the ability to fail over to the secondary region if there's an outage in the primary region. The process of failing over updates the DNS entries for your storage account service endpoints such that the endpoints for the secondary region become the new primary endpoints for your storage account. Once the failover is complete, clients can begin writing to the new primary endpoints.

+RA-GRS and RA-GZRS redundancy configurations provide geo-redundant storage with the added benefit of read access to the secondary endpoint if there is an outage in the primary region. If an outage occurs in the primary endpoint, applications configured for read access to the secondary region and designed for high availability can continue to read from the secondary endpoint. Microsoft recommends RA-GZRS for maximum availability and durability of your storage accounts.

+For more information about redundancy in Azure Storage, see [Azure Storage redundancy](storage-redundancy.md).

+## Plan for storage account failover

+Azure Storage accounts support two types of failover:

+- [**Customer-managed failover**](#customer-managed-failover) - Customers can manage storage account failover if there's an unexpected service outage.

+- [**Microsoft-managed failover**](#microsoft-managed-failover) - Potentially initiated by Microsoft only in the case of a severe disaster in the primary region. ^1,2

+¹Microsoft-managed failover can't be initiated for individual storage accounts, subscriptions, or tenants. For more details see [Microsoft-managed failover](#microsoft-managed-failover). <br/>

+² Your disaster recovery plan should be based on customer-managed failover. **Do not** rely on Microsoft-managed failover, which would only be used in extreme circumstances. <br/>

+Each type of failover has a unique set of use cases, corresponding expectations for data loss, and support for accounts with a hierarchical namespace enabled (Azure Data Lake Storage Gen2). This table summarizes those aspects of each type of failover :

+| Type | Failover Scope | Use case | Expected data loss | HNS supported |

+||--|-|||

+| Customer-managed | Storage account | The storage service endpoints for the primary region become unavailable, but the secondary region is available. <br></br> You received an Azure Advisory in which Microsoft advises you to perform a failover operation of storage accounts potentially affected by an outage. | [Yes](#anticipate-data-loss-and-inconsistencies) | [Yes *(In preview)*](#azure-data-lake-storage-gen2) |

+| Microsoft-managed | Entire region, datacenter or scale unit | The primary region becomes completely unavailable due to a significant disaster, but the secondary region is available. | [Yes](#anticipate-data-loss-and-inconsistencies) | [Yes](#azure-data-lake-storage-gen2) |

+### Customer-managed failover

+If the data endpoints for the storage services in your storage account become unavailable in the primary region, you can fail over to the secondary region. After the failover is complete, the secondary region becomes the new primary and users can proceed to access data in the new primary region.

+To fully understand the impact that customer-managed account failover would have on your users and applications, it is helpful to know what happens during every step of the failover and failback process. For details about how the process works, see [How customer-managed storage account failover works](storage-failover-customer-managed-unplanned.md).

+### Microsoft-managed failover

+In extreme circumstances where the original primary region is deemed unrecoverable within a reasonable amount of time due to a major disaster, Microsoft **may** initiate a regional failover. In this case, no action on your part is required. Until the Microsoft-managed failover has completed, you won't have write access to your storage account. Your applications can read from the secondary region if your storage account is configured for RA-GRS or RA-GZRS.

+> Your disaster recovery plan should be based on customer-managed failover. **Do not** rely on Microsoft-managed failover, which might only be used in extreme circumstances.

+> A Microsoft-managed failover would be initiated for an entire physical unit, such as a region, datacenter or scale unit. It can't be initiated for individual storage accounts, subscriptions, or tenants. For the ability to selectively failover your individual storage accounts, use [customer-managed account failover](#customer-managed-failover).

+### Anticipate data loss and inconsistencies

+> Storage account failover usually involves some data loss, and potentially file and data inconsistencies. In your disaster recovery plan, it's important to consider the impact that an account failover would have on your data before initiating one.

+Because data is written asynchronously from the primary region to the secondary region, there's always a delay before a write to the primary region is copied to the secondary. If the primary region becomes unavailable, the most recent writes may not yet have been copied to the secondary.

+When a failover occurs, all data in the primary region is lost as the secondary region becomes the new primary. All data already copied to the secondary is maintained when the failover happens. However, any data written to the primary that hasn't also been copied to the secondary region is lost permanently.

+The new primary region is configured to be locally redundant (LRS) after the failover.

+You also might experience file or data inconsistencies if your storage accounts have one or more of the following enabled:

+- [Hierarchical namespace (Azure Data Lake Storage Gen2)](#file-consistency-for-azure-data-lake-storage-gen2)

+- [Change feed](#change-feed-and-blob-data-inconsistencies)

+- [Point-in-time restore for block blobs](#point-in-time-restore-inconsistencies)

+The **Last Sync Time** property indicates the most recent time that data from the primary region is guaranteed to have been written to the secondary region. For accounts that have a hierarchical namespace, the same **Last Sync Time** property also applies to the metadata managed by the hierarchical namespace, including ACLs. All data and metadata written prior to the last sync time is available on the secondary, while data and metadata written after the last sync time may not have been written to the secondary, and may be lost. Use this property if there's an outage to estimate the amount of data loss you may incur by initiating an account failover.

+As a best practice, design your application so that you can use the last sync time to evaluate expected data loss. For example, if you're logging all write operations, then you can compare the time of your last write operations to the last sync time to determine which writes haven't been synced to the secondary.

+Replication for storage accounts with a [hierarchical namespace enabled (Azure Data Lake Storage Gen2)](../blobs/data-lake-storage-introduction.md) occurs at the file level. This means if an outage in the primary region occurs, it is possible that only some of the files in a container or directory might have successfully replicated to the secondary region. Consistency for all files in a container or directory after a storage account failover is not guaranteed.

+#### Change feed and blob data inconsistencies

+Storage account failover of geo-redundant storage accounts with [change feed](../blobs/storage-blob-change-feed.md) enabled may result in inconsistencies between the change feed logs and the blob data and/or metadata. Such inconsistencies can result from the asynchronous nature of both updates to the change logs and the replication of blob data from the primary to the secondary region. The only situation in which inconsistencies would not be expected is when all of the current log records have been successfully flushed to the log files, and all of the storage data has been successfully replicated from the primary to the secondary region.

+For information about how change feed works see [How the change feed works](../blobs/storage-blob-change-feed.md#how-the-change-feed-works).

+Keep in mind that other storage account features require the change feed to be enabled such as [operational backup of Azure Blob Storage](../../backup/blob-backup-support-matrix.md#limitations), [Object replication](../blobs/object-replication-overview.md) and [Point-in-time restore for block blobs](../blobs/point-in-time-restore-overview.md).

+#### Point-in-time restore inconsistencies

+Customer-managed failover is supported for general-purpose v2 standard tier storage accounts that include block blobs. However, performing a customer-managed failover on a storage account resets the earliest possible restore point for the account. Data for [Point-in-time restore for block blobs](../blobs/point-in-time-restore-overview.md) is only consistent up to the failover completion time. As a result, you can only restore block blobs to a point in time no earlier than the failover completion time. You can check the failover completion time in the redundancy tab of your storage account in the Azure Portal.

+For example, suppose you have set the retention period to 30 days. If more than 30 days have elapsed since the failover, then you can restore to any point within that 30 days. However, if fewer than 30 days have elapsed since the failover, then you can't restore to a point prior to the failover, regardless of the retention period. For example, if it's been 10 days since the failover, then the earliest possible restore point is 10 days in the past, not 30 days in the past.

+### The time and cost of failing over

+The time it takes for failover to complete after being initiated can vary, although it typically takes less than one hour.

+A customer-managed failover loses its geo-redundancy after a failover (and failback). Your storage account is automatically converted to locally redundant storage (LRS) in the new primary region during a failover, and the storage account in the original primary region is deleted.

+You can re-enable geo-redundant storage (GRS) or read-access geo-redundant storage (RA-GRS) for the account, but note that converting from LRS to GRS or RA-GRS incurs an additional cost. The cost is due to the network egress charges to re-replicate the data to the new secondary region. Also, all archived blobs need to be rehydrated to an online tier before the account can be configured for geo-redundancy, which will incur a cost. For more information about pricing, see:

+- [Bandwidth Pricing Details](https://azure.microsoft.com/pricing/details/bandwidth/)

+- [Azure Storage pricing](https://azure.microsoft.com/pricing/details/storage/blobs/)

+After you re-enable GRS for your storage account, Microsoft begins replicating the data in your account to the new secondary region. Replication time depends on many factors, which include:

+- The number and size of the objects in the storage account. Replicating many small objects can take longer than replicating fewer and larger objects.

+- The available resources for background replication, such as CPU, memory, disk, and WAN capacity. Live traffic takes priority over geo replication.

+- If your storage account contains blobs, the number of snapshots per blob.

+- If your storage account contains tables, the [data partitioning strategy](/rest/api/storageservices/designing-a-scalable-partitioning-strategy-for-azure-table-storage). The replication process can't scale beyond the number of partition keys that you use.

+### Supported storage account types

+All geo-redundant offerings support Microsoft-managed failover. In addition, some account types support customer-managed account failover, as shown in the following table:

+#### Classic storage accounts

+> Customer-managed account failover is only supported for storage accounts deployed using the Azure Resource Manager (ARM) deployment model. The Azure Service Manager (ASM) deployment model, also known as *classic*, isn't supported. To make classic storage accounts eligible for customer-managed account failover, they must first be [migrated to the ARM model](classic-account-migration-overview.md). Your storage account must be accessible to perform the upgrade, so the primary region can't currently be in a failed state.

+> if there's a disaster that affects the primary region, Microsoft will manage the failover for classic storage accounts. For more information, see [Microsoft-managed failover](#microsoft-managed-failover).

+#### Azure Data Lake Storage Gen2

+> [!IMPORTANT]

+>

+> if there's a significant disaster that affects the primary region, Microsoft will manage the failover for accounts with a hierarchical namespace. For more information, see [Microsoft-managed failover](#microsoft-managed-failover).

+### Unsupported features and services

+The following features and services aren't supported for account failover:

+- Azure File Sync doesn't support storage account failover. Storage accounts containing Azure file shares being used as cloud endpoints in Azure File Sync shouldn't be failed over. Doing so will cause sync to stop working and may also cause unexpected data loss in the case of newly tiered files.

+- A storage account containing premium block blobs can't be failed over. Storage accounts that support premium block blobs don't currently support geo-redundancy.

+- Customer-managed failover isn't supported for either the source or the destination account in an [object replication policy](../blobs/object-replication-overview.md).

+- To failover an account with SSH File Transfer Protocol (SFTP) enabled, you must first [disable SFTP for the account](../blobs/secure-file-transfer-protocol-support-how-to.md#disable-sftp-support). If you want to resume using SFTP after the failover is complete, simply [re-enable it](../blobs/secure-file-transfer-protocol-support-how-to.md#enable-sftp-support).

+- Network File System (NFS) 3.0 (NFSv3) isn't supported for storage account failover. You can't create a storage account configured for global-redundancy with NFSv3 enabled.

+### Failover is not for account migration

+Storage account failover shouldn't be used as part of your data migration strategy. Failover is a temporary solution to a service outage. For information about how to migrate your storage accounts, see [Azure Storage migration overview](storage-migration-overview.md).

+### Storage accounts containing archived blobs

+Storage accounts containing archived blobs support account failover. However, after a [customer-managed failover](#customer-managed-failover) is complete, all archived blobs need to be rehydrated to an online tier before the account can be configured for geo-redundancy.

+Azure virtual machines (VMs) don't fail over as part of an account failover. If the primary region becomes unavailable, and you fail over to the secondary region, then you will need to recreate any VMs after the failover. Also, there's a potential data loss associated with the account failover. Microsoft recommends following the [high availability](../../virtual-machines/availability.md) and [disaster recovery](../../virtual-machines/backup-recovery.md) guidance specific to virtual machines in Azure.

+Keep in mind that any data stored in a temporary disk is lost when the VM is shut down.

+Unmanaged disks are stored as page blobs in Azure Storage. When a VM is running in Azure, any unmanaged disks attached to the VM are leased. An account failover can't proceed when there's a lease on a blob. To perform the failover, follow these steps:

+4. Wait until the **Last Sync Time** has updated, and is later than the time at which you deleted the VM. This step is important, because if the secondary endpoint hasn't been fully updated with the VHD files when the failover occurs, then the VM may not function properly in the new primary region.

+### Copying data as an alternative to failover

+If your storage account is configured for read access to the secondary region, then you can design your application to read from the secondary endpoint. If you prefer not to fail over if there's an outage in the primary region, you can use tools such as [AzCopy](./storage-use-azcopy-v10.md) or [Azure PowerShell](/powershell/module/az.storage/) to copy data from your storage account in the secondary region to another storage account in an unaffected region. You can then point your applications to that storage account for both read and write availability.

+## Design for high availability

+It's important to design your application for high availability from the start. Refer to these Azure resources for guidance in designing your application and planning for disaster recovery:

+- [Designing resilient applications for Azure](/azure/architecture/framework/resiliency/app-design): An overview of the key concepts for architecting highly available applications in Azure.

+- [Resiliency checklist](/azure/architecture/checklist/resiliency-per-service): A checklist for verifying that your application implements the best design practices for high availability.

+- [Use geo-redundancy to design highly available applications](geo-redundant-design.md): Design guidance for building applications to take advantage of geo-redundant storage.

+- [Tutorial: Build a highly available application with Blob storage](../blobs/storage-create-geo-redundant-storage.md): A tutorial that shows how to build a highly available application that automatically switches between endpoints as failures and recoveries are simulated.

+Keep in mind these best practices for maintaining high availability for your Azure Storage data:

+- **Disks:** Use [Azure Backup](https://azure.microsoft.com/services/backup/) to back up the VM disks used by your Azure virtual machines. Also consider using [Azure Site Recovery](https://azure.microsoft.com/services/site-recovery/) to protect your VMs if there's a regional disaster.

+- **Block blobs:** Turn on [soft delete](../blobs/soft-delete-blob-overview.md) to protect against object-level deletions and overwrites, or copy block blobs to another storage account in a different region using [AzCopy](./storage-use-azcopy-v10.md), [Azure PowerShell](/powershell/module/az.storage/), or the [Azure Data Movement library](storage-use-data-movement-library.md).

+- **Files:** Use [Azure Backup](../../backup/azure-file-share-backup-overview.md) to back up your file shares. Also enable [soft delete](../files/storage-files-prevent-file-share-deletion.md) to protect against accidental file share deletions. For geo-redundancy when GRS isn't available, use [AzCopy](./storage-use-azcopy-v10.md) or [Azure PowerShell](/powershell/module/az.storage/) to copy your files to another storage account in a different region.

+- **Tables:** use [AzCopy](./storage-use-azcopy-v10.md) to export table data to another storage account in a different region.

+## Track outages

+Customers may subscribe to the [Azure Service Health Dashboard](https://azure.microsoft.com/status/) to track the health and status of Azure Storage and other Azure services.

+Microsoft also recommends that you design your application to prepare for the possibility of write failures. Your application should expose write failures in a way that alerts you to the possibility of an outage in the primary region.

+- [Azure Storage redundancy](storage-redundancy.md)

+- [How customer-managed storage account failover works](storage-failover-customer-managed-unplanned.md)

+ Title: How Azure Storage account customer-managed failover works

+description: Azure Storage supports account failover for geo-redundant storage accounts to recover from a service endpoint outage. Learn what happens to your storage account and storage services during a customer-managed failover to the secondary region if the primary endpoint becomes unavailable.

+# How customer-managed storage account failover works

+Customer-managed failover of Azure Storage accounts enables you to fail over your entire geo-redundant storage account to the secondary region if the storage service endpoints for the primary region become unavailable. During failover, the original secondary region becomes the new primary and all storage service endpoints for blobs, tables, queues and files are redirected to the new primary region. After the storage service endpoint outage has been resolved, you can perform another failover operation to *fail back* to the original primary region.

+This article describes what happens during a customer-managed storage account failover and failback at every stage of the process.

+## Redundancy management during failover and failback

+> [!TIP]

+> To understand the various redundancy states during the storage account failover and failback process in detail, see [Azure Storage redundancy](storage-redundancy.md) for definitions of each.

+When a storage account is configured for GRS or RA-GRS redundancy, data is replicated three times locally within both the primary and secondary regions (LRS). When a storage account is configured for GZRS or RA-GZRS replication, data is zone-redundant within the primary region (ZRS) and replicated three times locally within the secondary region (LRS). If the account is configured for read access (RA), you will be able to read data from the secondary region as long as the storage service endpoints to that region are available.

+During the customer-managed failover process, the DNS entries for the storage service endpoints are changed such that those for the secondary region become the new primary endpoints for your storage account. After failover, the copy of your storage account in the original primary region is deleted and your storage account continues to be replicated three times locally within the original secondary region (the new primary). At that point, your storage account becomes locally redundant (LRS).

+The original and current redundancy configurations are stored in the properties of the storage account to allow you eventually return to your original configuration when you fail back.

+To regain geo-redundancy after a failover, you will need to reconfigure your account as GRS. (GZRS is not an option post-failover since the new primary will be LRS after the failover). After the account is reconfigured for geo-redundancy, Azure immediately begins copying data from the new primary region to the new secondary. If you configure your storage account for read access (RA) to the secondary region, that access will be available but it may take some time for replication from the primary to make the secondary current.

+> [!WARNING]

+> After your account is reconfigured for geo-redundancy, it may take a significant amount of time before existing data in the new primary region is fully copied to the new secondary.

+>

+> **To avoid a major data loss**, check the value of the [**Last Sync Time**](last-sync-time-get.md) property before failing back. Compare the last sync time to the last times that data was written to the new primary to evaluate potential data loss.

+The failback process is essentially the same as the failover process except Azure restores the replication configuration to its original state before it was failed over (the replication configuration, not the data). So, if your storage account was originally configured as GZRS, the primary region after faillback becomes ZRS.

+After failback, you can configure your storage account to be geo-redundant again. If the original primary region was configured for LRS, you can configure it to be GRS or RA-GRS. If the original primary was configured as ZRS, you can configure it to be GZRS or RA-GZRS. For additional options, see [Change how a storage account is replicated](redundancy-migration.md).

+## How to initiate a failover

+To learn how to initiate a failover, see [Initiate a storage account failover](storage-initiate-account-failover.md).

+> [!CAUTION]

+> Storage account failover usually involves some data loss, and potentially file and data inconsistencies. It's important to understand the impact that an account failover would have on your data before initiating one.

+>

+> For details about potential data loss and inconsistencies, see [Anticipate data loss and inconsistencies](storage-disaster-recovery-guidance.md#anticipate-data-loss-and-inconsistencies).

+## The failover and failback process

+This section summarizes the failover process for a customer-managed failover.

+### Failover transition summary

+After a customer-managed failover:

+- The secondary region becomes the new primary

+- The copy of the data in the original primary region is deleted

+- The storage account is converted to LRS

+- Geo-redundancy is lost

+This table summarizes the resulting redundancy configuration at every stage of a customer-managed failover and failback:

+| Original <br> configuration | After <br> failover | After re-enabling <br> geo redundancy | After <br> failback | After re-enabling <br> geo redundancy |

+||--||||

+| GRS | LRS | GRS ¹ | LRS |GRS ¹ |

+| GZRS | LRS | GRS ¹ | ZRS |GZRS ¹ |

+¹ Geo-redundancy is lost during a customer-managed failover and must be manually reconfigured.<br>

+### Failover transition details

+The following diagrams show what happens during customer-managed failover and failback of a storage account that is configured for geo-redundancy. The transition details for GZRS and RA-GZRS are slightly different from GRS and RA-GRS.

+## [GRS/RA-GRS](#tab/grs-ra-grs)

+### Normal operation (GRS/RA-GRS)

+Under normal circumstances, a client writes data to a storage account in the primary region via storage service endpoints (1). The data is then copied asynchronously from the primary region to the secondary region (2). The following image shows the normal state of a storage account configured as GRS when the primary endpoints are available:

+### The storage service endpoints become unavailable in the primary region (GRS/RA-GRS)

+If the primary storage service endpoints become unavailable for any reason (1), the client is no longer able to write to the storage account. Depending on the underlying cause of the outage, replication to the secondary region may no longer be functioning (2), so [some data loss should be expected](storage-disaster-recovery-guidance.md#anticipate-data-loss-and-inconsistencies). The following image shows the scenario where the primary endpoints have become unavailable, but no recovery has occurred yet:

+### The failover process (GRS/RA-GRS)

+To restore write access to your data, you can [initiate a failover](storage-initiate-account-failover.md). The storage service endpoint URIs for blobs, tables, queues, and files remain the same but their DNS entries are changed to point to the secondary region (1) as show in this image:

+Customer-managed failover typically takes about an hour.

+After the failover is complete, the original secondary becomes the new primary (1) and the copy of the storage account in the original primary is deleted (2). The storage account is configured as LRS in the new primary region and is no longer geo-redundant. Users can resume writing data to the storage account (3) as shown in this image:

+To resume replication to a new secondary region, reconfigure the account for geo-redundancy.

+> [!IMPORTANT]

+> Keep in mind that converting a locally redundant storage account to use geo-redundancy incurs both cost and time. For more information, see [The time and cost of failing over](storage-disaster-recovery-guidance.md#the-time-and-cost-of-failing-over).

+After re-configuring the account as GRS, Azure begins copying your data asynchronously to the new secondary region (1) as shown in this image:

+Read access to the new secondary region will not become available again until the issue causing the original outage has been resolved.

+### The failback process (GRS/RA-GRS)

+> [!WARNING]

+> After your account is reconfigured for geo-redundancy, it may take a significant amount of time before the data in the new primary region is fully copied to the new secondary.

+>

+> **To avoid a major data loss**, check the value of the [**Last Sync Time**](last-sync-time-get.md) property before failing back. Compare the last sync time to the last times that data was written to the new primary to evaluate potential data loss.

+Once the issue causing the original outage has been resolved, you can initiate another failover to fail back to the original primary region, resulting in the following:

+1. The current primary region becomes read only.

+1. With customer-initiated failover and failback, your data is not allowed to finish replicating to the secondary region during the failback process. Therefore, it is important to check the value of the [**Last Sync Time**](last-sync-time-get.md) property before failing back.

+1. The DNS entries for the storage service endpoints are changed such that those for the secondary region become the new primary endpoints for your storage account.

+After the failback is complete, the original primary region becomes the current one again (1) and the copy of the storage account in the original secondary is deleted (2). The storage account is configured as locally redundant in the primary region and is no longer geo-redundant. Users can resume writing data to the storage account (3) as shown in this image:

+To resume replication to the original secondary region, configure the account for geo-redundancy again.

+> [!IMPORTANT]

+> Keep in mind that converting a locally redundant storage account to use geo-redundancy incurs both cost and time. For more information, see [The time and cost of failing over](storage-disaster-recovery-guidance.md#the-time-and-cost-of-failing-over).

+After re-configuring the account as GRS, replication to the original secondary region resumes as shown in this image:

+## [GZRS/RA-GZRS](#tab/gzrs-ra-gzrs)

+### Normal operation (GZRS/RA-GZRS)

+Under normal circumstances, a client writes data to a storage account in the primary region via storage service endpoints (1). The data is then copied asynchronously from the primary region to the secondary region (2). The following image shows the normal state of a storage account configured as GZRS when the primary endpoints are available:

+### The storage service endpoints become unavailable in the primary region (GZRS/RA-GZRS)

+If the primary storage service endpoints become unavailable for any reason (1), the client is no longer able to write to the storage account. Depending on the underlying cause of the outage, replication to the secondary region may no longer be functioning (2), [so some data loss should be expected](storage-disaster-recovery-guidance.md#anticipate-data-loss-and-inconsistencies). The following image shows the scenario where the primary endpoints have become unavailable, but no recovery has occurred yet:

+### The failover process (GZRS/RA-GZRS)

+To restore write access to your data, you can [initiate a failover](storage-initiate-account-failover.md). The storage service endpoint URIs for blobs, tables, queues, and files remain the same but their DNS entries are changed to point to the secondary region (1) as show in this image:

+The failover typically takes about an hour.

+After the failover is complete, the original secondary becomes the new primary (1) and the copy of the storage account in the original primary is deleted (2). The storage account is configured as LRS in the new primary region and is no longer geo-redundant. Users can resume writing data to the storage account (3) as shown in this image:

+To resume replication to a new secondary region, reconfigure the account for geo-redundancy.

+Since the account was originally configured as GZRS, reconfiguring geo-redundancy after failover causes the original ZRS redundancy within the new secondary region (the original primary) to be retained. However, the redundancy configuration within the current primary always determines the effective geo-redundancy of a storage account. Since the current primary in this case is LRS, the effective geo-redundancy at this point is GRS, not GZRS.

+> [!IMPORTANT]

+> Keep in mind that converting a locally redundant storage account to use geo-redundancy incurs both cost and time. For more information, see [The time and cost of failing over](storage-disaster-recovery-guidance.md#the-time-and-cost-of-failing-over).

+After re-configuring the account as GRS, Azure begins copying your data asynchronously to the new secondary region (1) as shown in this image:

+Read access to the new secondary region will not become available again until the issue causing the original outage has been resolved.

+### The failback process (GZRS/RA-GZRS)

+> [!WARNING]

+> After your account is reconfigured for geo-redundancy, it may take a significant amount of time before the data in the new primary region is fully copied to the new secondary.

+>

+> **To avoid a major data loss**, check the value of the [**Last Sync Time**](last-sync-time-get.md) property before failing back. Compare the last sync time to the last times that data was written to the new primary to evaluate potential data loss.

+Once the issue causing the original outage has been resolved, you can initiate another failover to fail back to the original primary region, resulting in the following:

+1. The current primary region becomes read only.

+1. With customer-initiated failover and failback, your data is not allowed to finish replicating to the secondary region during the failback process. Therefore, it is important to check the value of the [**Last Sync Time**](last-sync-time-get.md) property before failing back.

+1. The DNS entries for the storage service endpoints are changed such that those for the secondary region become the new primary endpoints for your storage account.

+After the failback is complete, the original primary region becomes the current one again (1) and the copy of the storage account in the original secondary is deleted (2). The storage account is configured as ZRS in the primary region and is no longer geo-redundant. Users can resume writing data to the storage account (3) as shown in this image:

+To resume replication to the original secondary region, configure the account for geo-redundancy again.

+> [!IMPORTANT]

+> Keep in mind that converting a ZRS storage account to use geo-redundancy incurs both cost and time. For more information, see [The time and cost of failing over](storage-disaster-recovery-guidance.md#the-time-and-cost-of-failing-over).

+After re-configuring the account as GZRS, replication to the original secondary region resumes as shown in this image:

+## See also

+- [Disaster recovery planning and failover](storage-disaster-recovery-guidance.md)

+- [Azure Storage redundancy](storage-redundancy.md)

+- [Initiate an account failover](storage-initiate-account-failover.md)

+> An account failover typically results in some data loss. To understand the implications of an account failover and to prepare for data loss, review [Data loss and inconsistencies](storage-disaster-recovery-guidance.md#anticipate-data-loss-and-inconsistencies).

+You can initiate an account failover from the Azure portal, PowerShell, or the Azure CLI.

+- How your data is replicated within the primary region.

+Geo-redundant storage (with GRS or GZRS) replicates your data to another physical location in the secondary region to protect against regional outages. With an account configured for GRS or GZRS, data in the secondary region is not directly accessible to users or applications, unless a failover occurs. The failover process updates the DNS entry provided by Azure Storage so that the secondary endpoint becomes the new primary endpoint for your storage account. During the failover process, your data is inaccessible. After the failover is complete, you can read and write data to the new primary region. For more information, see [How customer-managed storage account failover works](storage-failover-customer-managed-unplanned.md).

+Because data is replicated asynchronously from the primary to the secondary region, the secondary region is typically behind the primary region in terms of write operations. If a disaster were to strike the primary region, it's likely that some data would be lost and that files within a directory or container would not be consistent. For more information about how to plan for potential data loss, see [Data loss and inconsistencies](storage-disaster-recovery-guidance.md#anticipate-data-loss-and-inconsistencies).

+## Optimize for large numbers of files

+Throughput can decrease when transferring large numbers of files. Each copy operation translates to one or more transactions that must be executed in the storage service. When you are transferring a large number of files, consider the number of transactions that need to be executed and any potential impact those transactions can have if other activities are occurring in the storage account at the same time.

+To maximize performance, you can reduce the size of each job by limiting the number of files that are copied in a single job. For download and upload operations, increase concurrency as needed, decrease log activity, and turn off features that incur high performance costs.

+| **Linux** | `export AWS_ACCESS_KEY_ID=<access-key>`<br>`export AWS_SECRET_ACCESS_KEY=<secret-access-key>`|

+These credentials are used to generate pre-signed URLs that are used to copy objects.

+ The Azure File Sync service principal must exist in your Azure AD tenant before you can authorize sync access to a storage account. </br></br> When you create a new Azure subscription today, the Azure File Sync resource provider *Microsoft.StorageSync* is automatically registered with your subscription. Resource provider registration will make a *service principal* for sync available in the Azure Active Directory tenant that governs the subscription. A service principal is similar to a user account in your Azure AD. You can use the Azure File Sync service principal to authorize access to resources via role-based access control (RBAC). The only resources sync needs access to are your storage accounts containing the file shares that are supposed to sync. *Microsoft.StorageSync* must be assigned to the built-in role **Reader and Data access** on the storage account. </br></br> This assignment is done automatically through the user context of the logged on user when you add a file share to a sync group, or in other words, you create a cloud endpoint. When a storage account moves to a new subscription or Azure AD tenant, this role assignment is lost and [must be manually reestablished](#establish-sync-access-to-a-storage-account).

+[Azure Files offers geo-redundancy options](../files/files-redundancy.md#geo-redundant-storage) for storage accounts. These redundancy options can pose problems for storage accounts used with Azure File Sync. The main reason is that replication between geographically distant regions isn't performed by Azure File Sync, but by a storage replication technology built-in to the storage subsystem in Azure. It can't have an understanding of application state and Azure File Sync is an application with files syncing to and from Azure file shares at any given moment. If you opt for any of these geographically disbursed storage redundancy options, you won't lose all of your data in a large-scale disaster. However, you need to account for potential [Data loss and inconsistencies](../common/storage-disaster-recovery-guidance.md#anticipate-data-loss-and-inconsistencies).

+| | | |

+| :::image type="content" source="./media/system-integration/accenture-logo.png" alt-text="The logo of Accenture."::: | **Accenture**<br />Bringing together 45,000+ dedicated professionals, the Accenture Microsoft Business GroupΓÇöpowered by AvanadeΓÇöhelps enterprises to thrive in the era of digital disruption. | [Accenture](https://www.accenture.com/us-en/services/microsoft-index)<br />|

+| :::image type="content" source="./media/system-integration/adatis-logo.png" alt-text="The logo of Adatis."::: | **Adatis**<br />Adatis offers services that specialize in advanced data analytics, from data strategy and consultancy, to world class delivery and managed services. | [Adatis](https://adatis.co.uk/)<br />|

+| :::image type="content" source="./media/system-integration/blue-granite-logo.png" alt-text="The logo of Blue Granite."::: | **Blue Granite**<br />The BlueGranite Catalyst for Analytics is an engagement approach that features their "think big, but start small" philosophy. Starting with collaborative envisioning and strategy sessions, Blue Granite work with clients to discover, create, and realize the value of new modern data and analytics solutions, using the latest technologies on the Microsoft platform. | [Blue Granite](https://powerbi.microsoft.com/en-us/partners/bluegranite/)<br />|

+| :::image type="content" source="./media/system-integration/capax-global-logo.png" alt-text="The logo of Capax Global."::: | **Capax Global**<br />We improve your business by making better use of information you already have. Building custom solutions that align to your business goals, and setting you up for long-term success. We combine well-established patterns and practices with technology while using our team's wide range of industry and commercial software development experience. We share a passion for technology, innovation, and client satisfaction. Our pride for what we do drives the success of our projects and is fundamental to why people partner with us. | [Capax Global](https://www.capaxglobal.com/)<br />|

+| :::image type="content" source="./media/system-integration/coeo-logo.png" alt-text="The logo of Coeo."::: | **Coeo**<br />Coeo's team includes cloud consultants with deep expertise in Azure databases, and BI consultants dedicated to providing flexible and scalable analytic solutions. Coeo can help you move to a hybrid or full Azure solution. | [Coeo](https://www.coeo.com/analytics/)<br />|

+| :::image type="content" source="./media/system-integration/cognizant-logo.png" alt-text="The logo of Cognizant."::: | **Cognizant**<br />As a Microsoft strategic partner, Cognizant has the consulting skills and experience to help customers make the journey to the cloud. For each client project, Cognizant uses its strong partnership with Microsoft to maximize customer benefits from the Azure architecture. | [Cognizant](https://www.cognizant.com/about-cognizant/partners/microsoft)<br />|

+| :::image type="content" source="./media/system-integration/neal-analytics-logo.png" alt-text="The logo of Neal Analytics."::: | **Neal Analytics**<br />Neal Analytics helps companies navigate their digital transformation journey in converting data into valuable assets and a competitive advantage. With our machine learning and data engineering expertise, we use data to drive margin increases and profitable analytics projects. Comprised of consultants specializing in Data Science, Business Intelligence, Azure AI services, practical AI, Data Management, and IoT, Neal Analytics is trusted to solve unique business problems and optimize operations across industries. | [Neal Analytics](https://fractal.ai/)<br />|

+| :::image type="content" source="./media/system-integration/pragmatic-works-logo.png" alt-text="The logo of Pragmatic Works."::: | **Pragmatic Works**<br />Pragmatic Works can help you capitalize on the value of your data by empowering more users and applications on the same dataset. We kickstart, accelerate, and maintain your cloud environment with a range of solutions that fit your business needs. | [Pragmatic Works](https://www.pragmaticworks.com/)<br />|

+> - If you are using Automation Update Management, we recommend that you continue to use the Log Analytics agent and *not* migrate to the Azure Monitor agent until machines and schedules are migrated to Azure Update Manager.

+When creating a new VM for your golden image, make sure to choose an OS that's in the list of [supported virtual machine OS images](prerequisites.md#operating-systems-and-licenses). We recommend using a Windows 10 or 11 multi-session (with or without Microsoft 365) or Windows Server image for pooled host pools. We recommend using Windows 10 or 11 Enterprise images for personal host pools. You can use either Generation 1 or Generation 2 VMs; Gen 2 VMs support features that aren't supported for Gen 1 machines. Learn more about Generation 1 and Generation 2 VMs at [Support for generation 2 VMs on Azure](../virtual-machines/generation-2.md).

+- Don't create a new base VM from an existing custom image. It is better to start with a brand-new source VM.

+| M416ms_v2, M416s_8_v2, M416s_v2| 16 | 20000 |

+ - Tools include [Ansible](#ansible), [Chef](#chef), [Puppet](#puppet), [Bicep](#bicep), and [Azure Resource Manager template](#azure-resource-manager-template).

+## Terraform

+[Terraform](https://www.terraform.io) is an automation tool that allows you to define and create an entire Azure infrastructure with a single template format language - the HashiCorp Configuration Language (HCL). With Terraform, you define templates that automate the process to create network, storage, and VM resources for a given application solution. You can use your existing Terraform templates for other platforms with Azure to ensure consistency and simplify the infrastructure deployment without needing to convert to an Azure Resource Manager template.

+- [Install and configure Terraform with Azure](/azure/developer/terraform/getting-started-cloud-shell).

+- [Create an Azure infrastructure with Terraform](/azure/developer/terraform/create-linux-virtual-machine-with-infrastructure).

+## Azure Automation

+[Azure Automation](https://azure.microsoft.com/services/automation/) uses runbooks to process a set of tasks on the VMs you target. Azure Automation is used to manage existing VMs rather than to create an infrastructure. Azure Automation can run across both Linux and Windows VMs, and on-premises virtual or physical machines with a hybrid runbook worker. Runbooks can be stored in a source control repository, such as GitHub. These runbooks can then run manually or on a defined schedule.

+Azure Automation also provides a Desired State Configuration (DSC) service that allows you to create definitions for how a given set of VMs should be configured. DSC then ensures that the required configuration is applied and the VM stays consistent. Azure Automation DSC runs on both Windows and Linux machines.

+- [Create a PowerShell runbook](../automation/learn/powershell-runbook-managed-identity.md).

+- [Use Hybrid Runbook Worker to manage on-premises resources](../automation/automation-hybrid-runbook-worker.md).

+- [Use Azure Automation DSC](../automation/automation-dsc-getting-started.md).

+## Azure DevOps Services

+[Azure DevOps Services](https://www.visualstudio.com/team-services/) is a suite of tools that help you share and track code, use automated builds, and create a complete continuous integration and development (CI/CD) pipeline. Azure DevOps Services integrates with Visual Studio and other editors to simplify usage. Azure DevOps Services can also create and configure Azure VMs and then deploy code to them.

+Learn more about:

+- [Azure DevOps Services](/azure/devops/user-guide/index).

+## Azure Resource Manager template

+[Azure Resource Manager](../azure-resource-manager/templates/overview.md) is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure subscription. You use management features, like access control, locks, and tags, to secure and organize your resources after deployment.

+- [Deploy Spot VMs using a Resource Manager template](./linux/spot-template.md).

+- [Create a Windows virtual machine from a Resource Manager template](./windows/ps-template.md).

+- [Download the template for a VM](/previous-versions/azure/virtual-machines/windows/download-template).

+- [Create an Azure Image Builder template](./linux/image-builder-json.md).

+## Bicep

+[Bicep](/azure/azure-resource-manager/bicep/) is a domain-specific language (DSL) that uses declarative syntax to deploy Azure resources. In a Bicep file, you define the infrastructure you want to deploy to Azure, and then use that file throughout the development lifecycle to repeatedly deploy your infrastructure. Your resources are deployed in a consistent manner.

+Get started with the [Quickstart](../azure-resource-manager/bicep/quickstart-create-bicep-use-visual-studio-code.md).

+## Ansible

+[Ansible](https://www.ansible.com/) is an automation engine for configuration management, VM creation, or application deployment. Ansible uses an agent-less model, typically with SSH keys, to authenticate and manage target machines. Configuration tasks are defined in playbooks, with several Ansible modules available to carry out specific tasks. For more information, see [How Ansible works](https://www.ansible.com/how-ansible-works).

+- [Install and configure Ansible on Linux for use with Azure](/azure/developer/ansible/install-on-linux-vm).

+- [Create a Linux virtual machine](/azure/developer/ansible/vm-configure).

+- [Manage a Linux virtual machine](/azure/developer/ansible/vm-manage).

+## Chef

+[Chef](https://www.chef.io/) is an automation platform that helps define how your infrastructure is configured, deployed, and managed. Some components include Chef Habitat for application lifecycle automation rather than the infrastructure, and Chef InSpec that helps automate compliance with security and policy requirements. Chef Clients are installed on target machines, with one or more central Chef Servers that store and manage the configurations. For more information, see [An Overview of Chef](https://docs.chef.io/chef_overview.html).

+- [Deploy Chef Automate from the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/chef-software.chef-automate?tab=Overview).

+- [Install Chef on Windows and create Azure VMs](/azure/developer/chef/windows-vm-configure).

+## Puppet

+[Puppet](https://www.puppet.com) is an enterprise-ready automation platform that handles the application delivery and deployment process. Agents are installed on target machines to allow Puppet Master to run manifests that define the desired configuration of the Azure infrastructure and VMs. Puppet can integrate with other solutions such as Jenkins and GitHub for an improved devops workflow. For more information, see [How Puppet works](https://puppet.com/products/how-puppet-works).

+- [Deploy Puppet](https://puppet.com/docs/puppet/5.5/install_windows.html).

+## Packer

+[Packer](https://www.packer.io) automates the build process when you create a custom VM image in Azure. You use Packer to define the OS and run post-configuration scripts that customize the VM for your specific needs. Once configured, the VM is then captured as a Managed Disk image. Packer automates the process to create the source VM, network and storage resources, run configuration scripts, and then create the VM image.

+Learn how to:

+- [Use Packer to create a Linux VM image in Azure](./linux/build-image-with-packer.md).

+- [Use Packer to create a Windows VM image in Azure](./windows/build-image-with-packer.md).

+* When installing the Linux system, we **recommend** that you use standard partitions rather than LVM (often the default for many installations). This avoids LVM name conflicts with cloned VMs, particularly if an OS disk ever needs to be attached to another identical VM for troubleshooting. [LVM](/previous-versions/azure/virtual-machines/linux/configure-lvm) or [RAID](/previous-versions/azure/virtual-machines/linux/configure-raid) may be used on data disks.

+* Linux kernel versions below 2.6.37 don't support NUMA on Hyper-V with larger VM sizes. This issue primarily impacts older distributions using the upstream Centos 2.6.32 kernel and was fixed in Centos 6.6 (kernel-2.6.32-504). Systems running custom kernels older than 2.6.37 or RHEL-based kernels older than 2.6.32-504 must set the boot parameter `numa=off` on the kernel command-line in grub.conf. For more information, see Red Hat [KB 436883](https://access.redhat.com/solutions/436883).

+> **_Cloud-init >= 21.2 removes the udf requirement_**. However, without the udf module enabled, the cdrom won't mount during provisioning, preventing custom data from being applied. A workaround for this is to apply custom data using user data. However, unlike custom data, user data isn't encrypted. https://cloudinit.readthedocs.io/en/latest/topics/format.html

+ Unless you're creating an image for an older version of CentOS, we recommend to update all the packages to the latest:

+ In addition to the above, we recommend to *remove* the following parameters:

+ The Azure Linux Agent can automatically configure swap space using the local resource disk that is attached to the VM after provisioning on Azure. The local resource disk is a *temporary* disk and might be emptied when the VM is deprovisioned. After installing the Azure Linux Agent (see previous step), modify the following parameters in `/etc/waagent.conf` appropriately:

+Preparing a CentOS 7 virtual machine for Azure is similar to CentOS 6, however there are several significant differences worth noting:

+* The NetworkManager package no longer conflicts with the Azure Linux agent. This package is installed by default, and we recommend that it's not removed.

+ Unless you're creating an image for an older version of CentOS, we recommend to update all the packages to the latest:

+ A reboot may be required after running this command.

+ This will also ensure all console messages are sent to the first serial port, which can assist Azure support with debugging issues. It also turns off the new CentOS 7 naming conventions for NICs. In addition to the above, we recommend to *remove* the following parameters:

+> Make sure the **'udf'** module is enabled. Removing/disabling them will cause a provisioning/boot failure. **(_Cloud-init >= 21.2 removes the udf requirement. Read top of document for more detail.)**

+ if [[ -f /mnt/swapfile ]]; then

+ swapoff /mnt/swapfile

+ rm /mnt/swapfile -f

+ If you want mount, format, and create swap, you can either:

+ - ["ephemeral0.1", "/mnt"]

+7. Linux kernel versions earlier than 2.6.37 don't support NUMA on Hyper-V with larger VM sizes. This issue primarily impacts older distributions using the upstream Red Hat 2.6.32 kernel and was fixed in Red Hat Enterprise Linux (RHEL) 6.6 (kernel-2.6.32-504). Systems running custom kernels older than 2.6.37, or RHEL-based kernels older than 2.6.32-504 must set the boot parameter `numa=off` on the kernel command line in grub.conf. For more information, see [Red Hat KB 436883](https://access.redhat.com/solutions/436883).

+12. Remove users and system accounts, public keys, sensitive data, unnecessary software, and application.

+The Linux Integration Services (LIS) drivers for Hyper-V and Azure are contributed directly to the upstream Linux kernel. Many distributions that include a recent Linux kernel version (such as 3.x) have these drivers available already, or otherwise provide backported versions of these drivers with their kernels. These drivers are constantly being updated in the upstream kernel with new fixes and features, so when possible, we recommend running an [endorsed distribution](endorsed-distros.md) that includes these fixes and updates.

+If you're running a variant of Red Hat Enterprise Linux versions 6.0 to 6.3, then you'll need to install the [latest LIS drivers for Hyper-V](https://go.microsoft.com/fwlink/p/?LinkID=254263&clcid=0x409). Beginning with RHEL 6.4+ (and derivatives), the LIS drivers are already included with the kernel so no additional installation packages are needed.

+If a custom kernel is required, we recommend a recent kernel version (such as 3.8+). For distributions or vendors who maintain their own kernel, you'll need to regularly backport the LIS drivers from the upstream kernel to your custom kernel. Even if you're already running a relatively recent kernel version, we highly recommend keeping track of any upstream fixes in the LIS drivers and backporting them as needed. The locations of the LIS driver source files are specified in the [MAINTAINERS](https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/MAINTAINERS) file in the Linux kernel source tree:

+ Graphical and quiet boot isn't useful in a cloud environment, where we want all logs sent to the serial port. The `crashkernel` option may be left configured if needed but note that this parameter reduces the amount of available memory in the VM by at least 128 MB, which may be problematic for smaller VM sizes.

+4. Ensure that the SSH server is installed and configured to start at boot time. This configuration is usually the default.

+ > Make sure 'udf' and 'vfat' modules are enabled. Removing/disabling them will cause a provisioning/boot failure. **(_Cloud-init >= 21.2 removes the udf requirement. Please read top of document for more detail)**

+ The Azure Linux Agent or Cloud-init can be used to configure swap space using the local resource disk. This resource disk is attached to the VM after provisioning on Azure. The local resource disk is a temporary disk and might be emptied when the VM is deprovisioned. The following blocks show how to configure this swap.

+ > If you are migrating a specific virtual machine and do not wish to create a generalized image, skip the deprovision step. Running the command waagent -force -deprovision+user will render the source machine unusable. This step is intended only to create a generalized image.

+* When installing the Linux system, it's recommended that you use standard partitions rather than LVM (often the default for many installations). This will avoid LVM name conflicts with cloned VMs, particularly if an OS disk ever needs to be attached to another VM for troubleshooting. [LVM](/previous-versions/azure/virtual-machines/linux/configure-lvm) or [RAID](/previous-versions/azure/virtual-machines/linux/configure-raid) may be used on data disks if preferred.

+ > The `walinuxagent` package may remove the `NetworkManager` and `NetworkManager-gnome` packages, if they are installed.

+ > Deprovisioning using the command above doesn't guarantee the image is cleared of all sensitive information and is suitable for redistribution.

+* When installing the Linux system, we recommend that you use standard partitions rather than LVM (often the default for many installations). These standard partitions avoid LVM name conflicts with cloned VMs, particularly if an OS disk ever needs to be attached to another VM for troubleshooting. [LVM](/previous-versions/azure/virtual-machines/linux/configure-lvm) or [RAID](/previous-versions/azure/virtual-machines/linux/configure-raid) may be used on data disks if preferred.

+* Linux kernel versions earlier than 2.6.37 don't support NUMA on Hyper-V with larger VM sizes. This issue primarily impacts older distributions using the upstream Red Hat 2.6.32 kernel and was fixed in Oracle Linux 6.6 and later.

+ In addition to the above, we recommend to *remove* the following parameters:

+ Graphical and quiet boot aren't useful in a cloud environment where we want all the logs to be sent to the serial port.

+ The Azure Linux Agent can automatically configure swap space using the local resource disk that is attached to the VM after provisioning on Azure. The local resource disk is a *temporary* disk and might be emptied when the VM is deprovisioned. After installing the Azure Linux Agent (see previous step), modify the following parameters in /etc/waagent.conf appropriately:

+ ResourceDisk.MountPoint=/mnt

+Preparing an Oracle Linux 7 virtual machine for Azure is similar to Oracle Linux 6, however there are several significant differences worth noting:

+* The NetworkManager package no longer conflicts with the Azure Linux agent. This package is installed by default, and we recommend that it's not removed.

+ Graphical and quiet boot aren't useful in a cloud environment where we want all the logs to be sent to the serial port.

+ swapoff /mnt/swapfile

+ rm /mnt/swapfile -f

+ Previously, the Azure Linux Agent was used automatically to configure swap space by using the local resource disk that is attached to the virtual machine after the virtual machine is provisioned on Azure. However, this is now handled by cloud-init, you **must not** use the Linux Agent to format the resource disk create the swap file, modify the following parameters in `/etc/waagent.conf` appropriately:

+ If you want mount, format, and create swap you can either:

+In this article, you'll learn how to prepare a Red Hat Enterprise Linux (RHEL) virtual machine for use in Azure. The versions of RHEL that are covered in this article are 6.X, 7.X, and 8.X. The hypervisors for preparation that are covered in this article are Hyper-V, kernel-based virtual machine (KVM), and VMware. For more information about eligibility requirements for participating in Red Hat's Cloud Access program, see [Red Hat's Cloud Access website](https://www.redhat.com/en/technologies/cloud-computing/cloud-access) and [Running RHEL on Azure](https://access.redhat.com/ecosystem/ccsp/microsoft-azure). For ways to automate building RHEL images, see [Azure Image Builder](../image-builder-overview.md).

+> Be aware of versions that are End Of Life (EOL) and no longer supported by Redhat. Uploaded images that are at or beyond EOL will be supported on a reasonable business effort basis. Link to Redhat's [Product Lifecycle](https://access.redhat.com/product-life-cycles/?product=Red%20Hat%20Enterprise%20Linux,OpenShift%20Container%20Platform%204)

+* Logical Volume Manager (LVM) is supported and may be used on the OS disk or data disks in Azure virtual machines. However, in general, we recommend using standard partitions on the OS disk rather than LVM. This practice will avoid LVM name conflicts with cloned virtual machines, particularly if you ever need to attach an operating system disk to another identical virtual machine for troubleshooting. See the [LVM](/previous-versions/azure/virtual-machines/linux/configure-lvm) and [RAID](/previous-versions/azure/virtual-machines/linux/configure-raid) documentation.

+> **_Cloud-init >= 21.2 removes the udf requirement_**. However, without the udf module enabled, the cdrom won't mount during provisioning, preventing custom data from being applied. A workaround for this is to apply custom data using user data. However, unlike custom data, user data isn't encrypted. https://cloudinit.readthedocs.io/en/latest/topics/format.html

+> Starting on 30 November 2020, Red Hat Enterprise Linux 6 will reach end of maintenance phase. The maintenance phase is followed by the Extended Life Phase. As Red Hat Enterprise Linux 6 transitions out of the Full/Maintenance Phases, we strongly recommend upgrading to Red Hat Enterprise Linux 7, 8, or 9. If customers must stay on Red Hat Enterprise Linux 6, we recommend adding the Red Hat Enterprise Linux Extended Life Cycle Support (ELS) Add-On.

+ To apply it:<br>

+ Graphical and quiet boots aren't useful in a cloud environment where we want all the logs to be sent to the serial port. You can leave the `crashkernel` option configured if desired. Note that this parameter reduces the amount of available memory in the virtual machine by 128 MB or more. This configuration might be problematic on smaller virtual machine sizes.

+ > If you're migrating a specific virtual machine and don't wish to create a generalized image, skip the deprovision step.

+7. Modify the kernel boot line in your grub configuration to include additional kernel parameters for Azure. To do this modification, open `/etc/default/grub` in a text editor and edit the `GRUB_CMDLINE_LINUX` parameter. For example:

+ Graphical and quiet boots aren't useful in a cloud environment where we want all the logs to be sent to the serial port. You can leave the `crashkernel` option configured if desired. Note that this parameter reduces the amount of available memory in the virtual machine by 128 MB or more, which might be problematic on smaller virtual machine sizes.

+ Previously, the Azure Linux Agent was used to automatically configure swap space by using the local resource disk that is attached to the virtual machine after the virtual machine is provisioned on Azure. However, this is now handled by cloud-init, you **must not** use the Linux Agent to format the resource disk create the swap file, modify the following parameters in `/etc/waagent.conf` appropriately:

+ If you want mount, format, and create swap you can either:

+ Graphical and quiet boots aren't useful in a cloud environment where we want all the logs to be sent to the serial port. You can leave the `crashkernel` option configured if desired. Note that this parameter reduces the amount of available memory in the virtual machine by 128 MB or more, which might be problematic on smaller virtual machine sizes.

+ > If you're migrating a specific virtual machine and don't wish to create a generalized image, set `Provisioning.Agent=disabled` on the `/etc/waagent.conf` config.

+ Previously, the Azure Linux Agent was used to automatically configure swap space by using the local resource disk that is attached to the virtual machine after the virtual machine is provisioned on Azure. However, this is now handled by cloud-init, you **must not** use the Linux Agent to format the resource disk create the swap file, modify the following parameters in `/etc/waagent.conf` appropriately:

+ > If you're migrating a specific virtual machine and don't wish to create a generalized image, skip the deprovision step. Running the command `waagent -force -deprovision+user` will render the source machine unusable, this step is intended only to create a generalized image.

+> Starting on 30 November 2020, Red Hat Enterprise Linux 6 will reach end of maintenance phase. The maintenance phase is followed by the Extended Life Phase. As Red Hat Enterprise Linux 6 transitions out of the Full/Maintenance Phases, we strongly recommend upgrading to Red Hat Enterprise Linux 7, 8, or 9. If customers must stay on Red Hat Enterprise Linux 6, we recommend adding the Red Hat Enterprise Linux Extended Life Cycle Support (ELS) Add-On.

+ To apply it:<br>

+ Graphical and quiet boots aren't useful in a cloud environment where we want all the logs to be sent to the serial port. You can leave the `crashkernel` option configured if desired. Note that this parameter reduces the amount of available memory in the virtual machine by 128 MB or more, which might be problematic on smaller virtual machine sizes.

+1. Download the KVM image of RHEL 7 from the Red Hat website. This procedure uses RHEL 7 as an example.

+8. Modify the kernel boot line in your grub configuration to include additional kernel parameters for Azure. To do this configuration, open `/etc/default/grub` in a text editor and edit the `GRUB_CMDLINE_LINUX` parameter. For example:

+ Graphical and quiet boots aren't useful in a cloud environment where we want all the logs to be sent to the serial port. You can leave the `crashkernel` option configured if desired. Note that this parameter reduces the amount of available memory in the virtual machine by 128 MB or more, which might be problematic on smaller virtual machine sizes.

+To apply it:<br>

+8. Modify the kernel boot line in your grub configuration to include additional kernel parameters for Azure. To do this, open `/etc/default/grub` in a text editor and edit the `GRUB_CMDLINE_LINUX` parameter. For example:

+ Graphical and quiet boots aren't useful in a cloud environment where we want all the logs to be sent to the serial port. You can leave the `crashkernel` option configured if desired. Note that this parameter reduces the amount of available memory in the virtual machine by 128 MB or more, which might be problematic on smaller virtual machine sizes.

+ > If you're migrating a specific virtual machine and don't wish to create a generalized image, skip the deprovision step.

+5. Modify the kernel boot line in your grub configuration to include additional kernel parameters for Azure. To do this modification, open `/etc/default/grub` in a text editor and edit the `GRUB_CMDLINE_LINUX` parameter. For example:

+ Graphical and quiet boots aren't useful in a cloud environment where we want all the logs to be sent to the serial port. You can leave the `crashkernel` option configured if desired. Note that this parameter reduces the amount of available memory in the virtual machine by 128 MB or more, which might be problematic on smaller virtual machine sizes.

+15. Shut down the virtual machine and convert the VMDK file to the VHD format.

+1. Create a kickstart file that includes the following content and save the file. For details about kickstart installation, see the [Kickstart Installation Guide](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/chap-kickstart-installations).

+ - ["ephemeral0.1", "/mnt"]

+> **_Cloud-init >= 21.2 removes the udf requirement_**. However, without the udf module enabled, the cdrom won't mount during provisioning, preventing custom data from being applied. A workaround for this is to apply custom data using user data. However, unlike custom data, user data isn't encrypted. https://cloudinit.readthedocs.io/en/latest/topics/format.html

+ Previously, the Azure Linux Agent was used to automatically configure swap space by using the local resource disk that is attached to the virtual machine after the virtual machine is provisioned on Azure. However, this step is now handled by cloud-init, you **must not** use the Linux Agent to format the resource disk or create the swap file. Use these commands to modify `/etc/waagent.conf` appropriately:

+ If you want to mount, format, and create a swap partition you can either:

+ - ["ephemeral0.1", "/mnt"]

+> Make sure the **'udf'** module is enabled. Removing/disabling them will cause a provisioning/boot failure. **(_Cloud-init >= 21.2 removes the udf requirement. Please read top of document for more detail)**

+> If you're migrating a specific virtual machine and don't wish to create a generalized image, skip the deprovision step.

+ You can then verify the repositories have been added by running the command '`zypper lr`' again. If one of the relevant update repositories isn't enabled, enable it with the following command:

+ The Azure Linux Agent can automatically configure swap space using the local resource disk that is attached to the VM after provisioning on Azure. Note that the local resource disk is a *temporary* disk and might be emptied when the VM is deprovisioned. After installing the Azure Linux Agent (see previous step), modify the following parameters in the "/etc/waagent.conf" as follows:

+> If you're migrating a specific virtual machine and don't wish to create a generalized image, skip the deprovision step.

+It isn't uncommon to see Azure Front Door deployed in front of Application Gateway. In order to make sure the traffic received by Application Gateway comes from the Front Door deployment, the best practice is to check if the `X-Azure-FDID` header contains the expected unique value. For more information on securing access to your application using Azure Front Door, see [How to lock down the access to my backend to only Azure Front Door](../../frontdoor/front-door-faq.yml#what-are-the-steps-to-restrict-the-access-to-my-backend-to-only-azure-front-door-)

+* Lock down access to public IPs on origin and restrict inbound traffic to only allow traffic from Azure Front Door or Application Gateway to origin. Refer to the [guidance on Azure Front Door](../../frontdoor/front-door-faq.yml#what-are-the-steps-to-restrict-the-access-to-my-backend-to-only-azure-front-door-). Application Gateways are deployed in a virtual network, ensure there isn't any publicly exposed IPs.