+The connection between the private endpoint and the app uses a secure [Private Link](../private-link/private-link-overview.md). Private endpoint is only used for incoming traffic to your app. Outgoing traffic doesn't use this private endpoint. You can inject outgoing traffic to your network in a different subnet through the [virtual network integration feature](./overview-vnet-integration.md).

+Each slot of an app is configured separately. You can plug up to 100 private endpoints per slot. You can't share a private endpoint between slots. The subresource name of a slot is `sites-<slot-name>`.

+- Private endpoint and public access can coexist on an app. For more information, see [overview of access restrictions](./overview-access-restrictions.md#how-it-works)

+- You can eliminate the data exfiltration risk from the virtual network by removing all Network Security Group (NSG) rules where destination is tag Internet or Azure services.

+When you use private endpoint for App Service apps, the requested URL must match the name of your app. By default `<app-name>.azurewebsites.net`. When you're using [unique default hostname](#dnl-note) your app name has the format `<app-name>-<random-hash>.<region>.azurewebsites.net`. In the examples below _mywebapp_ could also represent the full regionalized unique hostname.

+By default, without private endpoint, the public name of your web app is a canonical name to the cluster. For example, the name resolution is:

+After this DNS configuration, you can reach your app privately with the default name mywebapp.azurewebsites.net. You must use this name, because the default certificate is issued for *.azurewebsites.net.

+For the Kudu console, or Kudu REST API (deployment with Azure DevOps Services self-hosted agents for example) you must create two records pointing to the private endpoint IP in your Azure DNS private zone or your custom DNS server. The first is for your app, the second is for the SCM of your app.

+If the virtual network is in a different subscription than the app, you must ensure that the subscription with the virtual network is registered for the `Microsoft.Web` resource provider. You can explicitly register the provider [by following this documentation](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider) but you also automatically register the provider when you create the first web app in a subscription.

+* When you use Azure Function in Elastic Premium plan with private endpoint, to run or execute the function in Azure portal you must have direct network access or you receive an HTTP 403 error. In other words, your browser must be able to reach the private endpoint to execute the function from the Azure portal.

+* Apps that you configure with private endpoints can't receive public traffic coming from subnets with `Microsoft.Web` service endpoint enabled and can't use [service endpoint-based access restriction rules](./overview-access-restrictions.md#access-restriction-rules-based-on-service-endpoints).

+> [!NOTE]

+>

+> Latency might be observed in the metric data, as all metrics are aggregated at one-minute intervals. This latency may vary for different application gateway instances based on the metric start time.

+Azure Application Gateway Standard v2 SKU supports buffering Requests from clients or Responses (from the backend servers). Based on the processing capabilities of the clients that interact with your application gateway, you can use these buffers to configure the speed of packet delivery.

+Application Gateway's response buffer can collect all or parts of the response packets sent by the backend server, before delivering them to the clients. By default, the Response buffering is enabled on Application Gateway which is useful to accommodate slow clients. This setting allows you to conserve the backend TCP connections as they can be closed once Application Gateway receives complete response and work according to the client's processing speed. This way, your Application Gateway continues to deliver the response as per the clientΓÇÖs pace.

+In a similar way, Application Gateway's Request buffer can temporarily store the entire or parts of the request body, and then forward a larger upload request at once to the backend server. By default, Request buffering setting is enabled on Application Gateway and is useful to offload the processing function of reassembling the smaller packets of data on the backend server.

+>By default, both Request and Response buffers are enabled on your Application Gateway resource but you can choose to configure them separately. Further, the settings are applied at a resource level and can't be managed separately for each listener.

+You can keep either the Request or Response buffer, enabled or disabled, based on your requirements and the observed performance of the client systems that communicate with your Application Gateway.

+> We strongly recommend that you test and evaluate the performance before rolling this out on the production gateways.

+### PowerShell method

+**New application gateway**

+```PowerShell

+$AppGw02 = New-AzApplicationGateway -Name "ApplicationGateway02" -ResourceGroupName "ResourceGroup02" -Location $location -BackendAddressPools $pool -BackendHttpSettingsCollection $poolSetting01 -FrontendIpConfigurations $fipconfig -GatewayIpConfigurations $gipconfig -FrontendPorts $fp01 -HttpListeners $listener01 -RequestRoutingRules $rule01 -Sku $sku -EnableRequestBuffering:$false -EnableResponseBuffering:$false

+```

+**Update an existing application gateway**

+```PowerShell

+$appgw = Get-AzApplicationGateway -Name $appgwName -ResourceGroupName $rgname

+$appgw.EnableRequestBuffering = $false

+$appgw.EnableResponseBuffering = $false

+Set-AzApplicationGateway -ApplicationGateway $appgw

+```

+- Currently, these changes aren't supported through Portal and PowerShell.

+- Request buffering can't be disabled if you're running the WAF SKU of Application Gateway. The WAF requires the full request to buffer as part of processing, therefore, even if you disable request buffering within Application Gateway the WAF still buffers the request. Response buffering isn't impacted by the WAF.

+Objective: Accelerate Generative AI (Gen AI) adoption and optimize AI models and use cases through rapid experimentation.

+> [!NOTE]

+>

+> **Azure Maps Creator retirement**

+>

+> The Azure Maps Creator indoor map service is now deprecated and will be retired on 9/30/25. For more information, see [End of Life Announcement of Azure Maps Creator](https://aka.ms/AzureMapsCreatorDeprecation).

+> [!NOTE]

+>

+> **Azure Maps Creator retirement**

+>

+> The Azure Maps Creator indoor map service is now deprecated and will be retired on 9/30/25. For more information, see [End of Life Announcement of Azure Maps Creator](https://aka.ms/AzureMapsCreatorDeprecation).

+> [!NOTE]

+>

+> **Azure Maps Creator retirement**

+>

+> The Azure Maps Creator indoor map service is now deprecated and will be retired on 9/30/25. For more information, see [End of Life Announcement of Azure Maps Creator](https://aka.ms/AzureMapsCreatorDeprecation).

+> [!NOTE]

+>

+> **Azure Maps Creator retirement**

+>

+> The Azure Maps Creator indoor map service is now deprecated and will be retired on 9/30/25. For more information, see [End of Life Announcement of Azure Maps Creator](https://aka.ms/AzureMapsCreatorDeprecation).

+* Central India

+* Qatar Central

+* South India

+* West Europe

+You're limited to 512 variables in a Bicep file. For more information, see [Template limits](../templates/best-practices.md#template-limits).

+* 512 variables

+ <GeoCodeRegionNameMap GeoCode="fc" RegionName="France Central" />

+[Learn](../private-endpoints.md) to create and add DNS zones for Azure Backup private endpoints using geo-codes.

+ Title: Azure CDN Standard from Microsoft (classic) retirement FAQ

+description: Common questions about the retirement of Azure CDN Standard from Microsoft (classic).

+# Azure CDN Standard from Microsoft (classic) retirement FAQ

+Azure Front Door introduced two new tiers named Standard and Premium on March 29, 2022. These tiers offer improvements over the current product offerings of Azure CDN Standard from Microsoft (classic), incorporating capabilities such as Azure Private Link integration, Bot management, advanced Web Application Firewall (WAF) enhancements with DRS 2.1, anomaly scoring-based detection and bot management, out-of-the-box reports and enhanced diagnostic logs, a simplified pricing model, and much more.

+In our ongoing efforts to provide the best product experience and streamline our portfolio of products and tiers, we're announcing the retirement of the Azure CDN Standard from Microsoft (classic) tier. This retirement will affect the public cloud and the Azure Government regions of Arizona and Texas, effective September 30, 2027. We strongly recommend all users of Azure CDN Standard from Microsoft (classic) to transition to Azure Front Door Standard and Premium.

+## Frequently asked questions

+### When is the retirement for Azure CDN Standard from Microsoft (classic)?

+Azure CDN Standard from Microsoft (classic) will be retired on September 30, 2027.

+### Why is Azure CDN Standard from Microsoft (classic) being retired?

+Azure CDN Standard from Microsoft (classic) is a legacy Content Delivery Network service that provides static caching capabilities. In March 2022, we announced the general availability of Azure Front Door Standard and Premium. These new tiers serve as a modern Content Delivery Network platform that supports both dynamic and static scenarios with enhanced Web Application Firewall capabilities, Private Link integration, simplified pricing model and many more enhancements. As part of our plans to offer the best product experience and simplify our product portfolio, we're announcing the retirement of Azure CDN Standard from Microsoft (classic) tier.

+### What advantages does migrating to Azure Front Door Standard or Premium tier offer?

+Azure Front Door Standard and Premium tiers represent the enhanced versions of Azure CDN Standard from Microsoft (classic). They maintain the same Service Level Agreement (SLA) and offer more benefits, including:

+* A unified static and dynamic delivery platform, with simplified cost model.

+* Enhanced security features, such as[Private Link integration](../frontdoor/private-link.md), advanced WAF enhancements with DRS 2.1, anomaly scoring based detection and bot management, and many more to come.

+* Deep integration with Azure services to deliver secure, accelerated, and user friendly end-to-end cloud solutions. These integrations include:

+ * DNS deterministic name library integrations to prevent subdomain take over

+ * [Prevalidated domain integration with PaaS service with one-time domain validation](../frontdoor/standard-premium/how-to-add-custom-domain.md#associate-the-custom-domain-with-your-azure-front-door-endpoint).

+ * [One-click enablement on Static Web Apps](../static-web-apps/front-door-manual.md)

+ * Use [managed identities](../frontdoor/managed-identity.md) to access Azure Key Vault certificates

+ * Azure Advisor integration to provide best practice recommendations

+* Improved capabilities such as simplified, more flexible [rules engine](../frontdoor/front-door-rules-engine.md) with regular expressions and server variables, enhanced and richer [analytics](../frontdoor/standard-premium/how-to-reports.md) and [logging](../frontdoor/front-door-diagnostics.md) capabilities, and more.

+* The ability to update separate resources without updating the whole Azure Front Door instance through DevOps tools.

+* Access to all future features and updates on Azure Front Door Standard and Premium tier.

+For more information supported features, see [comparison between Azure Front Door and Azure CDN services](../frontdoor/front-door-cdn-comparison.md).

+### How does the performance of the Azure Front Door Standard or Premium tier compare to that of Azure CDN Standard from Microsoft (classic)?

+The Azure Front Door Standard and Premium tier have the same Service Level Agreement (SLA). Our goal is to ensure Azure Front Door Standard and Premium delivers optimal performance and reliability.

+### What will happen after September 30, 2027 when the service is retired?

+After the service is retired, you'll lose the ability to:

+* Create or manage Azure CDN Standard from Microsoft (classic) resources.

+* Access the data through the Azure portal or the APIs/SDKs/client tools.

+* Receive service updates to Azure CDN Standard from Microsoft (classic) or APIs/SDKs/Client tools.

+* Receive support for issues on Azure CDN Standard from Microsoft (classic) through phone, email, or web.

+### How can the migration be completed without causing downtime to my applications? Where can I learn more about the migration to Azure Front Door Standard or Premium?

+We offer a zero-downtime migration tool. The following resources are available to assist you in understand and perform the migration process:

+* Familiarize yourself with the [zero-downtime migration tool](tier-migration.md). It's important to pay attention to the section of **Breaking changes when migrating to Standard or Premium tier** and **resource mapping**.

+* Learn the process of migrating from Azure CDN Standard from Microsoft (classic) to Standard or Premium tier using the [Azure portal](migrate-tier.md).

+### How will migrating to Azure Front Door Standard or Premium affect the Total Cost Ownership (TCO)?

+For more information, see the [pricing comparison](../frontdoor/compare-cdn-front-door-price.md) between Azure Front Door tier.

+### Which clouds does Azure CDN Standard from Microsoft (classic) retirement apply to?

+Currently, Azure CDN Standard from Microsoft (classic) retirement affects the public cloud and Azure Government in the regions of Arizona and Texas.

+### Can I make updates to Azure CDN Standard from Microsoft (classic) resources?

+You can still update your existing Azure CDN Standard from Microsoft (classic) resources using the Azure portal, Terraform, and all command line tools until September 30, 2027. However, you won't be able to create new Azure CDN Standard from Microsoft (classic) resources starting October 1, 2025. We strongly recommend you migrate to Azure Front Door Standard or Premium tier as soon as possible.

+### Can I roll back to Azure CDN Standard from Microsoft (classic) after migration?

+No, once migration is completed successfully, it can't be rolled back to classic. If you encounter any issues, you can raise a support ticket for assistance.

+### How will the Azure CDN Standard from Microsoft (classic) resources be handled after migration?

+We recommend you delete the Azure CDN Standard from Microsoft (classic) resource once migration successfully completes. Azure Front Door sends notification through Azure Advisor to remind users to delete the migrated classic resources.

+### What are the available resources for support and feedback?

+If you have a support plan and you need technical assistance, you can create a [support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest) with the following information:

+* *Issue type*, select **Technical**.

+* *Subscription*, select the subscription you need assistance with.

+* *Service*, select **My services**, then select **Azure CDN**.

+* *Resource*, select the **Azure CDN resource**.

+* *Summary*, describe the problem youΓÇÖre experiencing with the migration.

+* *Problem type*, select **Migrating Microsoft CDN to Front Door Standard or Premium**

+## Next steps

+- Migrate from Azure CDN Standard from Microsoft (classic) to Standard or Premium tier using the [Azure portal](migrate-tier.md)

+ :::image type="content" source="./media/migrate-tier/validate-cdn-profile.png" alt-text="Screenshot of the validated compatibility section of the migration page.":::

+ :::image type="content" source="./media/migrate-tier/prepare-for-migration.png" alt-text="Screenshot of the selected tier for the new Front Door profile.":::

+ :::image type="content" source="./media/migrate-tier/preparation-success.png" alt-text="Screenshot of the link to view the new read-only Front Door profile.":::

+You can use the Azure Communication Services Calling SDK to add Enhanced Emergency dialing and Public Safety Answering Point (PSAP) callback support to your applications in the United States (US), Puerto Rico (PR), the United Kingdom (GB), Canada (CA), Denmark (DK) and Australiua (AU). The capability to dial 911 (in US, PR, and CA), to dial 112 (in DK), to dial 000 (in AU) and to dial 999 or 112 (in GB) and receive a callback might be a requirement for your application. Verify the emergency calling requirements with your legal counsel.

+Calls to an emergency number are routed over the Microsoft network. Microsoft assigns a temporary phone number as the Call Line Identity (CLI) when a user places an emergency call from US, PR, GB, CA, DK or AU. Microsoft temporarily maintains a mapping of the phone number to the caller's identity.

+1. An Azure Communication Services user identity dials an emergency number by using the Calling SDK.

+ - Microsoft supports US, PR, GB, CA, DK or AU country/region codes for emergency number dialing.

+- [Add emergency calling to your app](../../quickstarts/telephony/emergency-calling.md)

+[azure-functions-doc]: ../logic-apps/call-azure-functions-from-workflows.md "Integrate logic app workflows with Azure Functions"

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+[file-system-doc]: file-system.md "Connect to an on-premises file system"

+PUT https://management.azure.com/providers/Microsoft.Subscription/aliases/sampleAlias?api-version=2021-10-01

+>Currently, the system-assigned managed identity authentication is supported in data flows through the use of advanced properties in JSON format.

+| subscriptionId | Specify the subscription id for the Azure Cosmos DB instance | No for Copy Activity, Yes for Mapping Data Flow |

+| tenantId | Specify the tenant id for the Azure Cosmos DB instance | No for Copy Activity, Yes for Mapping Data Flow |

+| resourceGroup | Specify the resource group name for the Azure Cosmos DB instance | No for Copy Activity, Yes for Mapping Data Flow |

+ "database": "<database name>",

+ "subscriptionId": "<subscription id>",

+ "tenantId": "<tenant id>",

+ "resourceGroup": "<resource group>"

+|[Mapping data flow](concepts-data-flow-overview.md) (source/sink)|&#9312; |Γ£ô |

+## Mapping data flow properties

+When transforming data in mapping data flow, you can read and write to tables from Microsoft Fabric Warehouse.

+For more information, see the [source transformation](data-flow-source.md) and [sink transformation](data-flow-sink.md) in mapping data flows.

+### Microsoft Fabric Warehouse as the source

+Settings specific to Microsoft Fabric Warehouse are available in the Source Options tab of the source transformation.

+| Name | Description | Required | Allowed Values | Data flow script property |

+| : | :-- | :- |:-- |:- |

+| Input | Select whether you point your source at a table (equivalent of Select * from tablename) or enter a custom SQL query or retrieve data from a Stored Procedure. Query: If you select Query in the input field, enter a SQL query for your source. This setting overrides any table that you've chosen in the dataset. **Order By** clauses aren't supported here, but you can set a full SELECT FROM statement. You can also use user-defined table functions. **select * from udfGetData()** is a UDF in SQL that returns a table. This query will produce a source table that you can use in your data flow. Using queries is also a great way to reduce rows for testing or for lookups.SQL Example: ```Select * from MyTable where customerId > 1000 and customerId < 2000``` | Yes | Table or Query or Stored Procedure | format: 'table' |

+| Batch size | Enter a batch size to chunk large data into reads. In data flows, this setting will be used to set Spark columnar caching. This is an option field, which will use Spark defaults if it is left blank. | No | Numeral values | batchSize: 1234|

+| Isolation Level | The default for SQL sources in mapping data flow is read uncommitted. You can change the isolation level here to one of these values:ΓÇó Read Committed ΓÇó Read Uncommitted ΓÇó Repeatable Read ΓÇó Serializable ΓÇó None (ignore isolation level) | Yes | ΓÇó Read Committed ΓÇó Read Uncommitted ΓÇó Repeatable Read ΓÇó Serializable ΓÇó None (ignore isolation level) | isolationLevel|

+>[!NOTE]

+>Read via staging is not supported. CDC support for Microsoft Fabric Warehouse source is currently not available.

+### Microsoft Fabric Warehouse as the sink

+Settings specific to Microsoft Fabric Warehouse are available in the Settings tab of the sink transformation.

+| Name | Description | Required | Allowed Values | Data flow script property |

+| : | :-- | :- |:-- |:- |

+| Update method | Determines what operations are allowed on your database destination. The default is to only allow inserts. To update, upsert, or delete rows, an alter-row transformation is required to tag rows for those actions. For updates, upserts and deletes, a key column or columns must be set to determine which row to alter. | Yes | true or false | insertable deletable upsertable updateable |

+| Table action | Determines whether to recreate or remove all rows from the destination table prior to writing.ΓÇó None: No action will be done to the table. ΓÇó Recreate: The table will get dropped and recreated. Required if creating a new table dynamically.ΓÇó Truncate: All rows from the target table will get removed. | No | None or recreate or truncate | recreate: true truncate: true |

+| Enable staging | The staging storage is configured in [Execute Data Flow activity](control-flow-execute-data-flow-activity.md). When you use managed identity authentication for your storage linked service, learn the needed configurations for [Azure Blob](connector-azure-blob-storage.md#managed-identity) and [Azure Data Lake Storage Gen2](connector-azure-data-lake-storage.md#managed-identity) respectively.If your Azure Storage is configured with VNet service endpoint, you must use managed identity authentication with "allow trusted Microsoft service" enabled on storage account, refer to [Impact of using VNet Service Endpoints with Azure storage](/azure/azure-sql/database/vnet-service-endpoint-rule-overview#impact-of-using-virtual-network-service-endpoints-with-azure-storage).| No | true or false |staged: true |

+| Batch size | Controls how many rows are being written in each bucket. Larger batch sizes improve compression and memory optimization, but risk out of memory exceptions when caching data. | No | Numeral values | batchSize: 1234|

+| Use sink schema | By default, a temporary table will be created under the sink schema as staging. You can alternatively uncheck the **Use sink schema** option and instead, in **Select user DB schema**, specify a schema name under which Data Factory will create a staging table to load upstream data and automatically clean them up upon completion. Make sure you have create table permission in the database and alter permission on the schema. | No | true or false | stagingSchemaName|

+| Pre and Post SQL scripts | Enter multi-line SQL scripts that will execute before (pre-processing) and after (post-processing) data is written to your Sink database| No | SQL scripts | preSQLs:['set IDENTITY_INSERT mytable ON'] postSQLs:['set IDENTITY_INSERT mytable OFF'],|

+### Error row handling

+By default, a data flow run will fail on the first error it gets. You can choose to Continue on error that allows your data flow to complete even if individual rows have errors. The service provides different options for you to handle these error rows.

+

+Transaction Commit: Choose whether your data gets written in a single transaction or in batches. Single transaction will provide better performance and no data written will be visible to others until the transaction completes. Batch transactions have worse performance but can work for large datasets.

+

+Output rejected data: If enabled, you can output the error rows into a csv file in Azure Blob Storage or an Azure Data Lake Storage Gen2 account of your choosing. This will write the error rows with three additional columns: the SQL operation like INSERT or UPDATE, the data flow error code, and the error message on the row.

+

+Report success on error: If enabled, the data flow will be marked as a success even if error rows are found.

+>[!NOTE]

+>For Microsoft Fabric Warehouse Linked Service, the supported authentication type for Service Principal is 'Key'; 'Certificate' authentication is not supported.

+For a list of data stores supported as sources and sinks by the copy activity, see [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats).

+ai-usage: ai-assisted

+In this tutorial, you create a data factory by using the Azure Data Factory user interface (UI). *The pipeline in this data factory copies data securely from Azure Blob storage to an Azure SQL database (both allowing access to only selected networks) by using private endpoints in [Azure Data Factory Managed Virtual Network](managed-virtual-network-private-endpoint.md).* The configuration pattern in this tutorial applies to copying from a file-based data store to a relational data store. For a list of data stores supported as sources and sinks, see the [Supported data stores and formats](./copy-activity-overview.md) table. The private endpoints feature is available across all tiers of Azure Data Factory, so no specific tier is required to utilize them. For more details on pricing and tiers, please refer to the [Azure Data Factory pricing page](https://azure.microsoft.com/pricing/details/data-factory/data-pipeline/).

+- Learn how to [Troubleshoot Data Box and Data Box Heavy issues](data-box-troubleshoot.md).

+Alternatively, you can fork the repo [Leveraging ADE's Extensibility Model With Terraform](https://github.com/Azure/ade-extensibility-model-terraform) to build and push the Terraform image to a provided ACR.

+This quickstart shows you how to create an ExpressRoute circuit in three different resiliency types: **Maximum Resiliency**, **High Resiliency**, and **Standard Resiliency** using Azure PowerShell. You'll learn how to check the status, update, delete, or deprovision a circuit using PowerShell cmdlets.

+### Get the list of resilient locations

+If you're creating an ExpressRoute circuit with a resiliency type of **Maximum Resiliency**, you need to know the list of resilient locations. Here are the steps to retrieve this information:

+#### Clone the script

+```azurepowershell-interactive

+# Clone the setup script from GitHub.

+git clone https://github.com/Azure-Samples/azure-docs-powershell-samples/

+# Change to the directory where the script is located.

+CD azure-docs-powershell-samples/expressroute/

+```

+#### Run resilient locations script

+Run the **Get-AzExpressRouteResilientLocations.ps1** script to get the list of resilient locations. The following example shows how to get the resilient locations for a specific subscription sorted by distance from Silicon Valley:

+```azurepowershell-interactive

+$SubscriptionId = Get-AzureSubscription -SubscriptionName "<SubscriptionName>"

+highAvailabilitySetup/Get-AzExpressRouteResilientLocations.ps1 -SubscriptionId $SubscriptionId -RelativeLocation "silicon valley"

+```

+If you don't specify the location, you get a list of all resilient locations.

+If you don't already have a resource group, you must create one before you create your ExpressRoute circuit. You can do so by running the **New-AzResourceGroup** cmdlet:

+$resourceGroupName = (New-AzResourceGroup -Name "ExpressRouteResourceGroup" -Location "West US").ResourceGroupName

+If you already have a resource group, you can use **Get-AzResourceGroup** to get the resource group name into a variable:

+```azurepowershell-interactive

+$resourceGroupName = (Get-AzResourceGroup -Name "<ResourceGroupName>").ResourceGroupName

+```

+# [**Maximum Resiliency**](#tab/maximum)

+**Maximum Resiliency** (Recommended) provides the highest level of resiliency for your ExpressRoute connection. It provides two ExpressRoute circuits with local redundancy in two different ExpressRoute edge locations.

+The following example shows how to create two ExpressRoute circuits through Equinix with local redundancy in Silicon Valley and Washington DC. If you're using a different provider and different settings, replace that information when you make your request.

+> [!NOTE]

+> This example uses the **New-AzHighAvailabilityExpressRouteCircuits.ps1** script. You must clone the script from GitHub to create the circuits. For more information, see [Clone the script](#clone-the-script).

+```azurepowershell-interactive

+$SubscriptionId = Get-AzureSubscription -SubscriptionName "<SubscriptionName>"

+highAvailabilitySetup/New-AzHighAvailabilityExpressRouteCircuits.ps1 -SubscriptionId $SubscriptionId -ResourceGroupName $resourceGroupName -Location "westus" -Name1 $circuit1Name -Name2 $circuit2Name -SkuFamily1 "MeteredData" -SkuFamily2 "MeteredData" -SkuTier1 "Standard" -SkuTier2 "Standard" -ServiceProviderName1 "Equinix" -ServiceProviderName2 "Equinix" -PeeringLocation1 "Silicon Valley" -PeeringLocation2 "Washington DC" -BandwidthInMbps 1000

+```

+> [!NOTE]

+> Maximum Resiliency provides maximum protection against location wide outages and connectivity failures in an ExpressRoute location. This option is strongly recommended for all critical and production workloads.

+# [**High Resiliency**](#tab/high)

+**High Resiliency** provides resiliency against location wide outages through a single ExpressRoute circuit across two locations in a metropolitan area.

+The following example shows how to create an ExpressRoute circuit through Equinix in Amsterdam Metro. If you're using a different provider and different settings, replace that information when you make your request. Use the following example to request a new service key.

+```azurepowershell-interactive

+New-AzExpressRouteCircuit -Name "ExpressRouteARMCircuit" -ResourceGroupName "ExpressRouteResourceGroup" -Location "West EU" -SkuTier Standard -SkuFamily MeteredData -ServiceProviderName "Equinix" -PeeringLocation "Amsterdam Metro" -BandwidthInMbps 200

+```

+# [**Standard Resiliency**](#tab/standard)

+**Standard Resiliency** provides a single ExpressRoute circuit with local redundancy at a single ExpressRoute location.

+The following example shows how to create an ExpressRoute circuit through Equinix in Silicon Valley. If you're using a different provider and different settings, replace that information when you make your request. Use the following example to request a new service key.

+2. Run [Approve-AzPrivateEndpointConnection](/powershell/module/az.network/approve-azprivateendpointconnection) to approve the private endpoint connection details. Use the *Name* value from the output in the previous step for approving the connection.

+Learn about [Private Link service with storage account](../storage/common/storage-private-endpoints.md).

+description: This article provides process and technical guidance for customers interested in moving from Azure Automanage Best Practices to Azure Policy.

+# Automanage Best Practices to Azure Policy migration planning

+> On September 30, 2027, the Azure Automanage Best Practices service will be retired. Migrate to Azure Policy before that date. For more information on migration, see the [Azure portal](https://ms.portal.azure.com/).

+Azure Policy is a more robust cloud resource governance, enforcement, and compliance offering with full parity with the Azure Automanage Best Practices service. When possible, you should plan to move your content and machines to the new service. This article provides guidance on developing a migration strategy from Azure Automation to machine

+configuration. Azure Policy implements a robust array of features, including:

+- **Granular control and flexibility:** Azure Policy allows for highly granular control over resources. You can create custom policies tailored to your specific regulatory and organizational compliance needs to ensure that every aspect of your infrastructure meets the required standards. This level of customization might not be as easy to achieve with the predefined configurations in Automanage.

+- **Comprehensive compliance management:** Azure Policy offers comprehensive compliance management by continuously assessing and auditing your resources. Detailed reports and dashboards help you to track compliance status. These features help you to quickly detect and rectify noncompliance issues across your environment.

+- **Scalability:** Azure Policy is built to manage large-scale environments efficiently. You can apply policies at different scopes, such as management group, subscription, and resource group levels. This capability helps you to enforce compliance across multiple resources and regions systematically.

+- **Integration with Azure Security Center:** Azure Policy integrates seamlessly with Azure Security Center. You have the ability to manage security policies and ensure that your servers adhere to best practices. This integration provides more insights and recommendations, which further strengthen your security posture.

+Before you begin, read the conceptual overview information on the [Azure Policy][01] webpage.

+## Understand migration

+The best approach to migration is to identify how to map services in an Automanage configuration profile to the respective Azure Policy content first. Then offboard your subscriptions from Automanage. This section outlines the expected steps for migration.

+Automanage designers created an experience for Azure customers to onboard new and existing virtual machines (VMs) to a recommended set of Azure services to ensure compliance with Azure best practices. The capabilities include a configuration profile, a reusable template of management, monitoring, security, and resiliency services that customers can opt into. The profile is assigned to a set of VMs that are onboarded to those services, and customers then receive reports on the state of their machines.

+This functionality is available in Azure Policy as an initiative with various configurable parameters, Azure services, regional availability, compliance states, and remediation actions. Configuration profiles are the main onboarding vehicle for Automanage customers. Just like Azure Policy initiatives, Automanage configuration profiles apply to VMs at the subscription and resource group level. They enable further specification of the zone of

+applicability. The following Automanage feature parities are available in Azure Policy.

+### Azure Monitor agent

+The Azure Monitor agent collects monitoring data from the guest operating system of Azure and hybrid VMs. The agent delivers the data to Azure Monitor for use by features, insights, and other services, such as Microsoft Sentinel and Microsoft Defender for Cloud. The Azure Monitor agent replaces all of the Azure Monitor legacy monitoring agents.

+Deploy this extension by using the following policies:

+- Configure Linux VMs to run the Azure Monitor agent with user-assigned managed-identity-based authentication.

+- Configure Windows machines to associate with a data collection rule or a data collection endpoint.

+- Configure Windows VMs to run the Azure Monitor agent with user-assigned managed-identity-based authentication.

+- Configure Linux machines to associate with a data collection rule or a data collection endpoint.

+- Deploy a dependency agent for Linux VMs with Azure Monitor agent settings.

+- Deploy a dependency agent that you can enable on Windows VMs with Azure Monitor agent settings.

+### Azure Backup

+Azure Backup provides independent and isolated backups to guard against unintended destruction of the data on your VMs. Backups are stored in a Recovery Services vault with built-in management of recovery points. To back up Azure VMs, Backup installs an extension on the VM agent running on the machine.

+Configure Backup by using the following policies:

+- Configure backup on VMs with a specific tag to an existing Recovery Services vault in the same location.

+- Enable Backup for VMs.

+To configure Backup time and duration, create a custom Azure policy based on the properties of the Backup policy resource or by a REST API call. For more information, see [Create Recovery Services backup policies by using the REST API][02].

+### Microsoft Antimalware for Azure

+Microsoft Antimalware for Azure Cloud Services and Virtual Machines offers free real-time protection that helps identify and remove viruses, spyware, and other malicious software. It generates alerts when known malicious or unwanted software tries to install itself or run on your Azure systems. The Azure Guest agent (or the Microsoft Fabric agent) opens the Microsoft Antimalware for Azure extension and applies the antimalware configuration settings that were supplied as input. This step enables the antimalware service with either default or custom configuration settings.

+Deploy the following Microsoft Antimalware for Azure policies in Azure Policy:

+- Configure Microsoft Antimalware for Azure to automatically update protection signatures.

+- Deploy the Microsoft `IaaSAntimalware` extension on Windows servers.

+- Deploy the default Microsoft `IaaSAntimalware` extension for Windows Server.

+You can create a custom Azure policy based on the properties of the Azure `IaaSAntimalware` policy resource or by using an Azure Resource Manager template (ARM template). You can use the custom policy to:

+- Configure excluded files, locations, file extensions, and processes.

+- Enable real-time protection.

+- Schedule a scan, and scan type, day, and time.

+For more information, see [this webpage][03].

+### Azure Monitor Insights and analytics

+Azure Monitor Insights is a suite of tools within Azure Monitor designed to enhance the performance, reliability, and quality of your applications. It offers features like application performance management, monitoring alerts, metrics analysis, diagnostic settings, and logs. With Azure Monitor Insights, you can gain valuable insights into your application's behavior, troubleshoot issues, and optimize performance.

+The following policies provide the same capabilities as Automanage:

+- Assign a built-in user-assigned managed identity to VMs.

+- Configure Linux VMs to run the Azure Monitor agent with user-assigned authentication based on managed identity.

+- Configure Windows VMs to run the Azure Monitor agent with user-assigned authentication based on managed identity.

+- Deploy a dependency agent that you can enable on Windows VMs with Azure Monitor agent settings.

+- Deploy a dependency agent for Linux VMs with Azure Monitor agent settings.

+- Configure Linux machines to associate with a data collection rule or a data collection endpoint.

+- Configure Windows machines to associate with a data collection rule or a data collection endpoint.

+To configure all the previous options, deploy the **Enable Azure Monitor for VMs with Azure

+Monitoring Agent (AMA)** policy initiative.

+Change Tracking and Inventory is a feature within Automation that monitors changes in VMs across Azure, on-premises, and in other cloud environments. It tracks modifications to installed software, files, registry keys, and services on both Windows and Linux systems. Change Tracking and Inventory uses the Log Analytics agent to collect data and then forwards it to Azure Monitor Logs for analysis. It also integrates with Microsoft Defender for Cloud File Integrity Monitoring to enhance security and operational insights.

+Enable change tracking on VMs by using the following policies:

+- Assign built-in user-assigned managed identity to VMs.

+- Configure Windows VMs to install the Azure Monitor agent for Change Tracking and Inventory with user-assigned managed identity.

+- Configure Linux VMs to install the Azure Monitor agent for Change Tracking and Inventory with a user-assigned managed identity.

+- Configure the Change Tracking and Inventory extension for Windows VMs.

+- Configure the Change Tracking and Inventory extension for Linux VMs.

+- Configure Windows VMs to associate with a data collection rule for Change Tracking and Inventory.

+Configure the preceding Azure policies in bulk by using the following Azure Policy initiatives:

+- [Preview]: Enable Change Tracking and Inventory for virtual machine scale sets.

+- [Preview]: Enable Change Tracking and Inventory for VMs.

+- [Preview]: Enable Change Tracking and Inventory for Azure Arc-enabled VMs.

+Microsoft Defender for Cloud provides unified security management and advanced threat protection across hybrid cloud workloads.

+Configure Defender for Cloud in Azure Policy through the following policy initiatives:

+- Configure multiple Microsoft Defender for Endpoint integration settings with Defender for Cloud.

+- Download the Microsoft cloud security benchmark.

+- Configure Defender for Cloud plans.

+### Azure Update Manager

+Azure Update Manager is a service included as part of your Azure subscription. Use it to assess your update status across your environment and manage your Windows and Linux server patching from a single pane of glass, both for on-premises and Azure. It provides a unified solution to help you keep your systems up to date. Update Manager oversees update compliance, deploys critical updates, and offers flexible patching options.

+Configure Update Manager in Azure Policy through the following policies:

+- Configure periodic checking for missing system updates on servers enabled by Azure Arc.

+- Configure machines periodically to check for missing system updates.

+- Schedule recurring updates by using Update Manager.

+- [Preview]: Set prerequisites for scheduling recurring updates on Azure VMs.

+- Configure periodic checking for missing system updates on Azure VMs.

+### Azure Automation account

+Automation is a cloud-based service that provides consistent management across your Azure and non-Azure environments. Use it to automate repetitive tasks, enforce configuration consistency, and manage updates for VMs. By using runbooks and shared assets, you can streamline operations and reduce operational costs.

+Configure Automation in Azure Policy through the following policies:

+- Use managed identity for Automation accounts.

+- Configure private endpoint connections on Automation accounts.

+- Disable public network access for Automation accounts.

+- Configure Automation accounts with private DNS zones.

+- Use customer-managed keys to encrypt data at rest for Automation accounts.

+- Disable the local authentication method for the Automation account.

+- Encrypt Automation account variables.

+- Configure Automation accounts to disable local authentication.

+- Configure Automation accounts to disable public network access.

+- Enable private endpoint connections on Automation accounts.

+### Boot diagnostics

+Boot diagnostics is a debugging feature for Azure VMs that you can use to diagnose VM boot failures. The feature collects serial log information and screenshots so that you can observe the state of your VM as it boots up. After you enable the boot diagnostics feature, the Azure cloud platform can inspect the VM operating system for provisioning errors. The feature helps to provide deeper information on the root causes of startup failures. Boot diagnostics is enabled by default when you create a VM and is enforced by the **Boot Diagnostics should be enabled on virtual machines** policy.

+You can now use Windows Admin Center in the Azure portal to manage the Windows operating system inside an Azure VM. You can also manage operating system functions from the Azure portal and work with files in the VM without using Remote Desktop or PowerShell. You can use an ARM template or a custom Azure Policy for configuration. For more information, see [Manage a Windows VM by using Windows Admin Center in Azure][04].

+### Log Analytics workspace

+Log Analytics is an Azure Monitor feature that monitors your cloud and on-premises resources and applications. Use it to collect and analyze data generated by resources in your cloud and on-premises environments. With Log Analytics, you can search, analyze, and visualize data to identify trends, troubleshoot issues, and monitor your systems.

+On August 31, 2024, both Automation Update Management and the Log Analytics agent that it used were retired. You should have migrated to Azure Update Manager before that date. For guidance on how to migrate to Azure Update Manager, see [Overview of migration from Automation Update Management to Azure Update Manager][05]. We advise you to migrate [now][06] because this feature is no longer supported in Automanage.

+Automanage Best Practices is a free service, so you don't receive a bill from Automanage. If you used Automanage to enable paid services like Azure Monitor Insights, you might incur usage charges. Those services bill you directly.

+Read more about Automanage and pricing on the [Azure Automanage pricing webpage][09].

+Now that you have an overview of Azure Policy and some of the key concepts, here are the suggested next steps:

+- [Review the policy definition structure][07]

+- [Assign a policy definition by using the portal][08]

+In this article, you learn how to use [Azure role-based access control (Azure RBAC)](../../role-based-access-control/index.yml) to assign access to the Azure API for FHIR&reg; data plane. Azure RBAC is the preferred methods for assigning data plane access when data plane users are managed in the Microsoft Entra tenant associated with your Azure subscription. If you're using an external Microsoft Entra tenant, refer to the [local RBAC assignment reference](configure-local-rbac.md).

+To use Azure RBAC, your Azure API for FHIR must be configured to use your Azure subscription tenant for data plane, and there should be no assigned identity object IDs. You can verify your settings by inspecting the **Authentication** of your Azure API for FHIR:

+The **Authority** should be set to the Microsoft Entra tenant associated with your subscription and there should be no GUIDs in the box labeled **Allowed object IDs**. Notice the box is disabled and a label indicates that Azure RBAC should be used to assign data plane roles.

+To grant users, service principals, or groups access to the FHIR data plane, select **Access control (IAM)**, then select **Role assignments** and select **+ Add**.

+In the **Role** selection, search for one of the built-in roles for the FHIR data plane.

+You can choose from among the following.

+* FHIR Data Reader: Can read (and search) FHIR data

+* FHIR Data Writer: Can read, write, and soft delete FHIR data

+* FHIR Data Exporter: Can read and export (`$export` operator) data

+* FHIR Data Contributor: Can perform all data plane operations

+The Azure API for FHIR caches decisions for up to 5 minutes. If you grant a user access to the FHIR server by adding them to the list of allowed object IDs, or you remove them from the list, you should expect it to take up to five minutes for changes in permissions to propagate.

+Azure API for FHIR&reg; supports [cross-origin resource sharing (CORS)](https://wikipedia.org/wiki/Cross-Origin_Resource_Sharing). CORS allows you to configure settings so that applications from one domain (origin) can access resources from a different domain, known as a cross-domain request.

+To configure a CORS setting in the Azure API for FHIR, specify the following settings.

+# Configure database settings

+Azure API for FHIR&reg; uses a database to store its data. Performance of the underlying database depends on the number of Request Units (RU) selected during service provisioning or in database settings after the service has been provisioned.

+Azure API for FHIR borrows the concept of [Request Units (RUs) in Azure Cosmos DB](/azure/cosmos-db/request-units) when setting the performance of underlying database.

+Throughput must be provisioned to ensure that sufficient system resources are always available for your database. How many RUs you need for your application depends on operations you perform. Operations can range from simple read and writes to more complex queries.

+> As different operations consume a different number of RUs, we return the actual number of RUs consumed in every API call in the response header. This way you can profile the number of RUs consumed by your application.

+> A higher RU value means higher Azure API for FHIR throughput and higher cost of the service.

+Azure API for FHIR&reg; supports the `$export` command, which allows you to export the data out of an Azure API for FHIR instance to a storage account.

+Next, select the storage account in Azure API for FHIR as a default storage account for `$export`.

+After you complete this final step, youΓÇÖre ready to export the data by using the `$export` command.

+> Only storage accounts in the same subscription as Azure API for FHIR can be registered as the destination for `$export` operations.

+This article explains how to configure the Azure API for FHIR&reg; to use a secondary Microsoft Entra tenant for data access. Use this mode only if it isn't possible for you to use the Microsoft Entra tenant associated with your subscription.

+Local role-based access control (RBAC) allows you to use a service principal in the secondary Microsoft Entra tenant with your FHIR server. You can create a new service principal through the Azure portal, PowerShell or CLI commands, or use an existing service principal. The process is also known as [application registration](../register-application.md). You can review and modify the service principals through Microsoft Entra ID from the portal or using scripts.

+The following PowerShell and CLI scripts, which are tested and validated in Visual Studio Code, create a new service principal (or client application), and add a client secret. The service principal ID is used for local RBAC and the application ID and client secret is used to access the FHIR service later.

+You can configure the Azure API for FHIR to use a secondary Microsoft Entra tenant in the **Authentication** blade.

+In the authority box, enter a valid secondary Microsoft Entra tenant. Once the tenant is validated, the **Allowed object IDs** box should be activated and you can enter one or a list of Microsoft Entra service principal object IDs. These IDs can be the identity object IDs of:

+The Azure API for FHIR caches decisions for up to 5 minutes. If you grant a user access to the FHIR server by adding them to the list of allowed object IDs, or you remove them from the list, you should expect it to take up to five minutes for changes in permissions to propagate.

+In this article, you learned how to assign FHIR data plane access using an external (secondary) Microsoft Entra tenant. Next learn about additional settings for the Azure API for FHIR.

+Private link enables you to access Azure API for FHIR&reg; over a private endpoint, which is a network interface that connects you privately and securely using a private IP address from your virtual network. With private link, you can access our services securely from your virtual network as a first party service without having to go through a public Domain Name System (DNS). This article describes how to create, test, and manage your private endpoint for Azure API for FHIR.

+Before creating a private endpoint, you need to create Azure resources that first.

+- Resource Group ΓÇô The Azure resource group that contains the virtual network and private endpoint.

+- Virtual Network (VNet) ΓÇô The VNet to which your client services and Private Endpoint will be connected.

+To create a private endpoint, a developer with role-based access control (RBAC) permissions on the FHIR resource can use the Azure portal, [Azure PowerShell](../../private-link/create-private-endpoint-powershell.md), or [Azure CLI](../../private-link/create-private-endpoint-cli.md). This article guides you through the steps on using Azure portal. Azure portal is recommended as it automates the creation and configuration of the Private DNS Zone. For more information, see [Private Link Quick Start Guides](../../private-link/create-private-endpoint-portal.md).

+With Private Link configured, you can access the FHIR server in the same VNet or a different VNet that is peered to the VNet for the FHIR server. Use the following steps to configure VNet peering and Private Link DNS zone configuration.

+You can configure VNet peering from the portal or using PowerShell, CLI scripts, and an Azure Resource Manager (ARM) template. The second VNet can be in the same or different subscriptions, and in the same or different regions. Make sure that you grant the **Network contributor** role. For more information on VNet Peering, see [Create a virtual network peering](../../virtual-network/create-peering-different-subscriptions.md).

+For more information on how a private link DNS zone resolves the private endpoint IP address to the fully qualified domain name (FQDN) of the resource, such as the FHIR server, see [Azure Private Endpoint DNS configuration](../../private-link/private-endpoint-dns.md).

+You can add more VNet links if needed, and view all VNet links you added from the portal.

+Private endpoints can only be deleted from the Azure portal from the **Overview** blade or by selecting the **Remove** option under the **Networking Private endpoint connections** tab. Selecting **Remove** deletes the private endpoint and the associated NIC. If you delete all private endpoints to the FHIR resource and the public network, access is disabled and no request will make it to your FHIR server.

+You can use the **nslookup** tool to verify connectivity. If the private link is configured properly, you should see the FHIR server URL resolves to the valid private IP address, as follows. Note that the IP address **168.63.129.16** is a virtual public IP address used in Azure. For more information, see [What is IP address 168.63.129.16](../../virtual-network/what-is-ip-address-168-63-129-16.md).

+If the private link isn't configured properly, you may instead see the public IP address and a few aliases including the Traffic Manager endpoint. This indicates that the private link DNS zone canΓÇÖt resolve to the valid private IP address of the FHIR server. When VNet peering is configured, one possible reason is that the second peered VNet hasn't been added to the private link DNS zone. As a result, you see the HTTP error 403, "Access to xxx was denied", when trying to access the /metadata endpoint of the FHIR server.

+In this article, you learned how to configure the private link and VNet peering. You also learned how to troubleshoot the private link and VNet configurations.

+Based on your private link setup, and for more information about registering your applications, refer to the following.

+|For FHIR instances created after August 15,2024, diagnostic logs aren't available in log analytics workspace. |September 19,2024 9:00 am PST| -- | -- |

+|For FHIR instances created after August 15,2024, changes in private link configuration at the workspace level causes FHIR service to be stuck in 'Updating' state. |September 24,2024 9:00 am PST| To fix this issue create support ticket with FHIR service team| -- |

+|Changes in private link configuration at the workspace level don't propagate to the child services.|September 4,2024 9:00 am PST| To fix this issue a service reprovisioning is required. To reprovision the service, reach out to FHIR service team| September 17,2024 9:00am PST|

+|Customers accessing the FHIR Service via a private endpoint are experiencing difficulties, specifically receiving a 403 error when making API calls from within the vNet. This problem affects FHIR instances provisioned after August 19th that utilize private link.|August 22,2024 11:00 am PST|-- | September 3,2024 9:00 am PST|

+|FHIR Applications were down in EUS2 region|January 8, 2024 2 pm PST|--|January 8,2024 4:15 pm PST|

+|API queries to FHIR service returned Internal Server error in UK south region |August 10,2023 9:53 am PST|--|August 10,2023 10:43 am PST|

+ Title: "End-to-end high-performance computing (HPC) lift and shift architecture overview"

+description: Learn about how to conduct a lift and shift migration of HPC infrastructure and workloads from an on-premises environment to the cloud.

+# End-to-end HPC lift and shift architecture overview

+"Lift and shift" in the context of High-Performance Computing (HPC) mostly refers to the process of migrating an on-premises environment and workload to the cloud. Ideally, modifications are kept to a minimum (for example, applications, job schedulers, and their configurations should remain mostly the same). Adjustments on storage and hardware are natural to happen because resources are different from on-premises to cloud platforms. With the lift and shift approach, organizations can start benefiting from the cloud more quickly.

+The following figure represents a typical on-premises HPC cluster in a production environment, which the hardware manufacturer often delivers. Such on-premises environment comprises a set of compute nodes, which may or may not work with virtual machine images and containers. Such nodes execute workloads managed by a job scheduler, which can be Slurm, PBS, or LSF typically. The workloads come from multiple users that have identity management associated with them. Usually there are home directories, scratch disks, and long term storage. Some form of monitoring to check the performance of jobs and health of compute nodes are also available. Users can access the environment via command line, browsers, or some kind of remote visualization technology. The entire environment is hosted in a private network, so users have some mechanism to access the computing facility, either via VPN or via portal.

+As we see throughout this document, the environment in the cloud following the Infrastructure-as-a-Service model, conceptually speaking, isn't so different. Some technologies need some updates and some steps during the migration from on-premises to the cloud are necessary.

+This document therefore:

+- Goes through the options for the migration process;

+- Provides pointers to products and best practices for each component;

+- And provides recommendations to avoid pitfalls in the process.

+Before jumping into the architecture description, it's relevant to understand

+the different personas in this context, their needs, and expectations.

+## Personas and user experience

+There are different people who need to access the HPC environment. Their activities and how they interact with the environment vary quite a bit.

+### End-user (engineer / scientist / researcher)

+This persona represents the subject matter expert (for example, biologist, physicist, engineer, etc.) who wants to run experiments (that is, submit jobs) and analyze results. End-users interact with system administrators to fine-tune the computing environment whenever needed. They may have some experience using CLI-based tools, but some of them may rely only on web portals or graphical user interfaces via VDI to submit their jobs and interact with the generated results.

+**New responsibilities in cloud HPC environment:**

+- End-user shouldn't have any new responsibilities based on the work from both the HPC Administrator and Cloud Administrator. Depending on the on-premises environment, end-users have access to a larger capacity and variety of computing resources to become more productive.

+### HPC administrator

+This persona represents the one who has HPC expertise and is responsible for deploying the initial computing infrastructure and adapting it according to business and end-user needs. This persona is also responsible for verifying the health of the system and performing troubleshooting. HPC administrators are comfortable accessing the architecture and its components via CLI, SDKs, and web portals. They're also the first point of contact when end-users face any challenge with the computing environment.

+**New responsibilities in cloud HPC environment:**

+- Managing cloud resources and services (for example, virtual machines, storage, networking) via cloud management platforms.

+- Implementing and managing clusters and resources via new resource orchestration tools (for example, CycleCloud).

+- Optimizing application deployment by understanding infrastructure details (that is, VM types, storage, and network options).

+- Optimizing resource utilization and costs by using cloud-specific features such as autoscaling and spot instances.

+### Cloud administrator

+This persona works with the HPC administrator to help deploy and maintain the computing infrastructure. This persona isn't (necessarily) an HPC expert, but a Cloud expert with deep knowledge of the overall company IT infrastructure, including network configurations/policies, user access rights, and user devices. Depending on the case, the HPC administrator and Cloud administrator may be the same person.

+**New responsibilities in cloud HPC environment:**

+- Collaborating with HPC administrators to ensure seamless integration of HPC workloads with cloud infrastructure.

+- Monitoring and managing cloud infrastructure performance, security, and compliance.

+- Helping with the configuration of cloud-based networking and storage solutions to support HPC workloads.

+### Business manager / owner

+This persona represents the one who is responsible for the business, which includes taking care of budget and projects to meet organizational goals. For this persona, the accounting component of the architecture is relevant to understand costs for each project. This persona works with HPC admins and end-users to understand platform needs, including storage, network, computing resources. They also plan for future workloads.

+**New responsibilities in cloud HPC environment:**

+- Analyzing detailed cost reports and usage metrics provided by cloud service providers to manage budgets and forecast expenses.

+- Making strategic decisions based on cloud resource usage and cost optimization opportunities.

+- Planning and approving cloud infrastructure investments to support future HPC workloads and business objectives.

+## Lift and shift architecture overview

+A production HPC environment in the cloud comprises several components. There are some core components to stand up an environment, such as a job scheduler, a resource provider, an entry pointer for the user to access the environment, compute and storage devices, among others. As the environment gets into production, monitoring, observability, health checks, security, identity management, accountability, different storage options, among other components, start to play a critical role.

+There are also extensions that could be in place, such as sign-in nodes, data movers, use of containers, license managers, among others that are dependent on the installation.

+This production-level environment may have various components to be set up. Therefore, environment deployers and managers become key to automate its initial deployment and upgrade it along the way, respectively. More advanced installations can also have environment templates (or specifications) with software versions and configurations that are more optimal and tested properly. Once the environment is in production with all the required components in place, over time, adjustments may be required to meet user demands, including changes in VM types or storage options/capabilities.

+## Instantiating the lift and shift HPC cloud architecture

+Here we provide more details for each architecture component, including pointers to official Azure products, tech blogs with some best practices, git repositories, and links to non-product solutions.

+**Quick start.** For a quick start solution to create an HPC environment in the cloud with basic building blocks, we recommend using [Azure CycleCloud Slurm workspace](https://techcommunity.microsoft.com/t5/azure-high-performance-computing/introducing-azure-cyclecloud-slurm-workspace-preview/ba-p/4158433).

+ Title: "Production-level environment migration guide overview"

+description: Learn about what a production-level environment migration entails.

+# Production-level environment migration guide overview

+When you move an HPC infrastructure from the on-premises environment to the cloud, there are various aspects to be taken into account. This document provides guidance on how to create such HPC environment in the cloud. We recommend

+a two-phase approach. First, a proof-of-concept, and then a production-level environment. Once the production environment is up and running, only certain components should be modified over time, including changes on VM types and storage capabilities to best meet the varying requirements of users, projects, and business.

+In this article and the following articles, we guide you through a product-level environment migration.

+## Prerequisites

+You need an Azure subscription to provision cloud resources.

+## Migrating from on-premises to the cloud: production level

+After the proof-of-concept phase, planning is required to get ready for creating a production-level HPC environment. This new environment can represent part of the on-premises infrastructure (for example, an HPC cluster from a group of clusters or queue/partition from an existing cluster), or the entire computing capability.

+Due to component dependencies, the deployment of this HPC cloud environment is based on a sequence of deployments, which consists of:

+1. Basic infrastructure, which includes creation of a resource group, network access and

+ network security rules;

+1. Base services, which include identity management, job scheduler and resource;

+ provisioner, along with their respective configurations;

+1. Storage;

+1. Compute nodes' specifications;

+1. End user entry point.

+In the following articles, we cover each deployment step and the components involved. In the descriptions of the components, we highlight their relevant dependencies in more detail. It's also worth noting that the component deployment steps can be executed in several ways. We provide a few tips to help get started with the deployment components via the Azure portal. But at a production level, we recommend the creation of an environment deployer that leverages infrastructure-as-code (for example, via bicep, Terraform, or Azure CLI). By doing so, one can create an environment in an automated and replicable fashion.

+For each step, certain topics need to be assessed before starting the migration process.

+ Title: "Proof-of-concept migration overview"

+description: Learn about what a proof-of-concept migration entails and follow the guide through one.

+# Proof-of-concept migration overview

+When you move an HPC infrastructure from the on-premises environment to the cloud, there are various aspects to be taken into account. This document provides guidance on how to create such HPC environment in the cloud. We recommend

+a two-phase approach. First, a proof-of-concept, and then a production-level environment. Once the production environment is up and running, only certain components should be modified over time, including changes on VM types and storage capabilities to best meet the varying requirements of users, projects, and business.

+In this article, we guide you through a proof-of-concept migration.

+## Prerequisites

+You need an Azure subscription to provision cloud resources.

+## Migrating from on-premises to the cloud: proof-of-concept (PoC)

+We recommend starting with a proof-of-concept (PoC) by provisioning a simple cluster in Azure, using Azure CycleCloud as a resource orchestrator, with one well-known scheduler, such as Slurm, PBS, or LSF. This approach allows one to start understanding Azure technology, assess the functionality of user applications, and investigate performance/costs trade-offs in comparison to the on-premises environment.

+If one is flexible with the job scheduler, or already uses Slurm scheduler, we recommend using Azure CycleCloud Slurm workspace, which is an offering that helps create a CycleCloud based cluster, with Slurm scheduler, and the basic setup for networking and storage options available. Some details on this process are available in the Resource Orchestrator section from this document.

+ Title: "Deployment step 1: basic infrastructure - network access component"

+description: Learn about the configuration of network access during migration deployment step one.

+# Deployment step 1: basic infrastructure - network access component

+Mechanism to allow users access cloud environment in a secure way. It's a common practice in production environments to have resources with private IP addresses, and with rules to define how resources should be accessed.

+This component should:

+- Allow users to access private network hosting the high performance computing (HPC) environment;

+- Refine network security rules such as source and target ports and IP addresses that can access resources.

+## Define network needs

+* **Estimate cluster size for proper network setup:**

+ - Different subnets have different ranges of IP addresses.

+* **Security rules:**

+ - Understand how users access the HPC environment and security rules to be in places (for example, ports and IPs open/closed).

+## Tools and Services

+* **Private network access:**

+ - In Azure, the two major components to help access private network are Azure Bastion and Azure VPN Gateway.

+* **Network rules:**

+ - Another key component for network setup is Azure Network security groups, which is used to filter network traffic between Azure resources in an Azure virtual network.

+* **DNS:**

+ - Azure DNS Private Resolver allows query Azure DNS private zones from an on-premises environment and vice versa without deploying VM based DNS servers.

+## Best practices for network in HPC lift and shift architecture

+* **Have good understanding on cluster sizes and services to be used:**

+ - Different cluster sizes require different IP ranges, and proper planning helps avoid major changes in parts of the infrastructure. Also, some services may need exclusive subnets, and having clarity on those subnets is essential.

+## Example steps for setup and deployment

+Networking is a vast topic itself. In a production level environment, it's good practice to not use public IP addresses. So one could start by testing such functionality by provisioning a VM and using Bastion.

+For instance

+1. **Provision a VM via portal with no public IP address:**

+ - Follow the standard steps to provision a VM (that is, setup resource group, network, VM image, disk, etc.)

+ - During the VM create, a Virtual Network needs to be created if it's not already available

+ - Make sure the VM doesn't have a public IP address

+2. **Use bastion:**

+ - Once the VM is provisioned, go to the VM via Azure portal

+ - Select the option "Bastion" from "Connect" section.

+ - Select option "Deploy Bastion"

+ - Once the bastion is provisioned, the VM can be access through it.

+## Resources

+- VPN Gateway documentation: [product website](/azure/vpn-gateway/)

+- Azure Bastion documentation: [product website](/azure/bastion/)

+- Network Security groups: [product website](/azure/virtual-network/network-security-groups-overview)

+- Azure DNS Private Resolver: [product website](/azure/dns/dns-private-resolver-overview)

+ Title: "Deployment step 1: basic infrastructure - overview"

+description: Learn about production-level environment migration deployment step one.

+# Deployment step 1: basic infrastructure - overview

+The critical foundational components required to establish a landing zone in the cloud for an HPC environment are outlined here. The focus is on setting up resource groups, networking, and basic storage, which serve as the backbone of a successful HPC lift-and-shift deployment.

+This section provides a clear understanding of the purpose and requirements of these components, along with available tools and best practices tailored to HPC workloads. A quick start guide is also included to help users efficiently deploy and manage these core components, with the expectation that more advanced automation will be implemented as the HPC environment evolves.

+## Resource group

+Resource groups in Azure serve as containers that hold related resources for an Azure solution. In an HPC environment, organizing resources into appropriate resource groups is essential for effective management, access control, and cost tracking.

+## Networking

+When provisioning resources in the cloud, it's important to have an understanding on the virtual networks, subnets, security roles, among other networking-related configurations (for example, DNS). It's important to make sure public IP addresses are avoided, and that technologies such as Azure Bastion and VPNs are used.

+## Storage

+In any Azure subscription, setting up basic storage is essential for managing data, applications, and resources effectively. While more advanced and HPC-specific storage configurations are addressed separately, a solid foundation of basic storage is crucial for general resource management and initial deployment needs.

+For details check the description of the following component:

+- [Resource group](lift-and-shift-step-1-resource-group.md)

+- [Network access](lift-and-shift-step-1-networking.md)

+- [Basic Storage](lift-and-shift-step-1-storage.md)

+Here we describe each component. Each section includes:

+- An overview description of what the component is

+- What the requirements for the component are (that is, what do we need from the component)

+- Tools and services available

+- Best practices for the component in the context of HPC lift & shift

+- An example of a quick start setup

+The goal of the quick start is to have a sense on how to start using the component. As the HPC cloud deployment matures, one is expected to automate the usage of the component, by using, for instance, Infrastructure as Software tools such as Terraform or Bicep.

+ Title: "Deployment step 1: basic infrastructure - resource group component"

+description: Learn about the configuration of resource groups during migration deployment step one.

+# Deployment step 1: basic infrastructure - resource group component

+Resource groups in Azure serve as containers that hold related resources for an Azure solution. In an HPC environment, organizing resources into appropriate resource groups is essential for effective management, access control, and cost tracking.

+## Define resource group needs

+* **Project-based grouping:**

+ - Organize resources by project or workload to simplify management and cost tracking.

+* **Environment-based grouping:**

+ - Separate resources into different groups based on environments (for example, development, testing, production) to apply different policies and controls.

+### This component should

+* **Organize resources:**

+ - Group related HPC resources (for example, VMs, storage accounts, and network components) into resource groups based on project, department, or environment (for example, development, testing, production).

+* **Simplify management:**

+ - Use resource groups to apply access controls, manage resource lifecycles, and monitor costs efficiently.

+## Best practices for resource groups in HPC lift and shift architecture

+* **Consistency in naming conventions:**

+ - Establish and follow consistent naming conventions for resource groups to facilitate easy identification and management.

+* **Resource group policies:**

+ - Apply Azure Policy to resource groups to enforce organizational standards and compliance requirements.

+## Example steps for resource group setup

+1. **Create a resource group:**

+ - Navigate to the Azure portal.

+ - Select "Resource groups" and select "Create."

+ - Provide a name for the resource group and select a subscription and region.

+ - Select "Review + create" and then "Create."

+2. **Add resources to the resource group:**

+ - When creating resources (for example, VMs, storage accounts), assign them to the appropriate resource group.

+ - Use tags to further organize resources within the group for better cost management and reporting.

+## Resources

+- Resource Groups Documentation: [product website](/azure/azure-resource-manager/management/manage-resource-groups-portal)

+- Azure Policy Documentation: [product website](/azure/governance/policy/overview)

+- Azure Tags Documentation: [product website](/azure/azure-resource-manager/management/tag-resources)

+ Title: "Deployment step 1: basic infrastructure - storage component"

+description: Learn about the configuration of basic storage during migration deployment step one.

+# Deployment step 1: basic infrastructure - storage component

+In any Azure subscription, setting up basic storage is essential for managing data, applications, and resources effectively. While more advanced and HPC-specific storage configurations are addressed separately, a solid foundation of basic storage is crucial for general resource management and initial deployment needs.

+## Define basic storage needs

+* **General-purpose storage:**

+ - Create storage accounts to handle non-HPC-specific data such as logs, diagnostic data, and backups.

+* **Security and access control:**

+ - Implement access controls using Azure Active Directory (AD) and role-based access control (RBAC) to manage permissions for different users and services.

+ - Enable encryption for data at rest to ensure compliance with organizational security policies.

+> [!NOTE]

+> For information about HPC specific storage needs, visit the [Storage Overview](lift-and-shift-step-3-overview.md) page.

+### This component should

+* **Establish foundational storage resources:**

+ - Set up basic storage accounts that can be used for general-purpose data storage, such as logs, backups, and configuration files.

+* **Ensure accessibility and security:**

+ - Configure access policies and encryption to ensure that the storage resources are secure and accessible to authorized users and services only.

+## Tools and services

+* **Azure storage accounts:**

+ - Use Azure Storage Accounts to create scalable, secure, and durable storage for general-purpose data.

+ - Configure storage account types based on the type of data being stored (for example, Standard, Premium, Blob, File).

+* **Access control and security:**

+ - Implement RBAC to manage who has access to storage accounts and what they can do with the data.

+ - Enable Azure Storage encryption by default to protect data at rest.

+## Best practices for basic storage in Azure Landing Zone

+* **Consistency in naming conventions:**

+ - Establish and adhere to consistent naming conventions for storage accounts to simplify management and ensure clarity.

+* **Resource tagging:**

+ - Use tags to organize storage accounts by department, project, or purpose to aid in cost management and reporting.

+* **Data redundancy and availability:**

+ - Choose the appropriate redundancy option (for example, LRS, GRS) based on the criticality of the data to ensure high availability and durability.

+* **Cost management:**

+ - Monitor and analyze storage costs regularly using Microsoft Cost Management tools to optimize and control expenses.

+## Example steps for basic storage setup

+1. **Create a storage account:**

+ - Navigate to the Azure portal.

+ - Select "Storage accounts" and select "Create."

+ - Provide a name for the storage account, select a subscription, resource group, and region.

+ - Choose the performance tier (Standard or Premium) and redundancy option (LRS, GRS, etc.).

+ - Select "Review + create" and then "Create."

+2. **Configure access control:**

+ - Once the storage account is created, navigate to the "Access control (IAM)" section.

+ - Assign roles to users or groups to manage permissions (for example, Storage Blob Data Contributor, Storage Account Contributor).

+3. **Enable data encryption:**

+ - By default, Azure Storage accounts have encryption enabled. Verify this setting under "Settings" -> "Encryption" to ensure that data at rest is encrypted.

+## Resources

+- Azure Storage Accounts Documentation: [product website](/azure/storage/common/storage-account-overview)

+- Azure Storage Security Guide: [product website](/azure/storage/common/storage-security-guide)

+- Microsoft Cost Management: [product website](/azure/cost-management-billing/costs/)

+ Title: "Deployment step 2: base services - accounting component"

+description: Learn about the configuration of accounting during migration deployment step two.

+# Deployment step 2: base services - accounting component

+Accounting in HPC environments involves tracking and managing resource usage to ensure efficient utilization, cost management, and compliance. Slurm Accounting is a powerful tool that helps administrators monitor and report on job and resource usage, providing insights into workload performance and user activity.

+## Define accounting needs

+* **Resource usage tracking:**

+ - To ensure efficient utilization, monitor compute node usage, job execution times, and resource allocation.

+ - Track user and group activities to understand workload patterns and resource demands.

+* **Cost management:**

+ - Implement policies to manage and optimize costs by tracking resource consumption.

+ - Use accounting data to allocate costs to different departments, projects, or users based on resource usage.

+* **Compliance and reporting:**

+ - Generate detailed reports on resource usage for compliance with organizational policies and external regulations.

+ - Maintain historical records of job execution and resource consumption for auditing and analysis.

+## Tools and services

+**Slurm accounting:**

+ - Use Slurm Accounting to track and manage job and resource usage in HPC environments.

+ - To collect and store accounting data, configure Slurm Accounting with the necessary settings.

+ - Generate reports and analyze accounting data to optimize resource utilization and cost management.

+## Best practices

+* **Accurate data collection:**

+ - Ensure that Slurm Accounting is properly configured to collect comprehensive data on job and resource usage.

+ - To maintain reliable records, regularly verify the accuracy and completeness of the accounting data.

+* **Effective cost management:**

+ - Use accounting data to identify cost-saving opportunities, such as optimizing job scheduling and resource allocation.

+ - Implement chargeback policies to allocate costs to departments or projects based on actual resource usage.

+* **Compliance and auditing:**

+ - Generate regular reports to comply with organizational policies and external regulations.

+ - To ensure accountability and transparency, maintain historical records and perform periodic audits.

+* **Data analysis and reporting:**

+ - Use accounting data to analyze workload performance and identify trends in resource usage.

+ - Generate custom reports to provide insights to stakeholders and support decision-making.

+## Example Slurm accounting commands

+**Query job accounting data:**

+```bash

+#!/bin/bash

+# Query job accounting data for a specific user and time period

+sacct -S 2023-01-01 -E 2023-01-31 -u john_doe -o JobID,JobName,Account,User,State,Elapsed,TotalCPU

+```

+## Resources

+- Setting up Slurm Job Accounting with Azure CycleCloud and Azure Database for MySQL Flexible Server: [blog post](https://techcommunity.microsoft.com/t5/azure-high-performance-computing/setting-up-slurm-job-accounting-with-azure-cyclecloud-and-azure/ba-p/4083685)

+- Slurm accounting: [external](https://slurm.schedmd.com/accounting.html)

+ Title: "Deployment step 2: base services - identity management component"

+description: Learn about the configuration of identity management during migration deployment step two.

+# Deployment step 2: base services - identity management component

+Component to handle user identity and access levels. Identity management system should:

+- Allow creation/deletion of users and groups;

+- Allow update/reset of password;

+- Support single sign-on.

+## Define identity management needs

+**User IDs, passwords, home directories:**

+ - Users require IDs, passwords, location of their home directories for the all resources they need to access.

+ - Understand where just definitions should be located, which can be on-premises, in the cloud, or a combination of those options

+## Tools and services

+* **Active Directory domain

+ - Some enterprises already use Windows-based Active Directory Domain Services, which could be applied in the new HPC cloud environment.

+* **Microsoft Entra ID**:

+ - Some services can also make use of Microsoft Entra ID, a cloud-based identity and access management service, especially when single sign-on is required.

+## Best practices

+* **Resources to be accessed:**

+ - Have clarity on all resources users need to have access to, including cluster nodes and storage devices.

+* **Performance:**

+ - One can start addressing performance by using the on-premises identity and access service. It's important to verify the performance of such solutions and trade-offs of speed to authenticate and complexity of the service.

+## Example identity management setup

+The following Azure HPC blog post describes in details the steps to authenticate users in an Azure CycleCloud HPC cluster via Active Directory:

+Authenticating Active Directory users to an Azure CycleCloud HPC cluster: [blog post](https://techcommunity.microsoft.com/t5/azure-high-performance-computing/authenticating-active-directory-users-to-an-azure-cyclecloud-hpc/ba-p/3757085)

+## Resources

+- Active Directory Domain

+- Microsoft Entra ID: [product website](/entra/identity/)

+- Authenticating Active Directory users to an Azure CycleCloud HPC cluster: [blog post](https://techcommunity.microsoft.com/t5/azure-high-performance-computing/authenticating-active-directory-users-to-an-azure-cyclecloud-hpc/ba-p/3757085)

+ Title: "Deployment step 2: base services - job scheduler component"

+description: Learn about the configuration of the job scheduler during migration deployment step two.

+# Deployment step 2: base services - job scheduler component

+Job schedulers are responsible for scheduling user jobs, that is, determining where and when jobs should be executed. In the context of the cloud, job schedulers interact with resource orchestrators to acquire/release resources on-demand, which is different from an on-premises environment where resources are fixed and fully available all the time. The most common HPC job schedulers are Slurm, OpenPBS, PBSPro, and LSF.

+## Define job scheduler needs

+* **Scheduler deployment:**

+ - Migrate existing job scheduler configurations to the cloud environment.

+ - Utilize the same scheduler available within CycleCloud or migrate to a different scheduler if necessary.

+* **Configuration management:**

+ - Configure job schedulers to define partitions/queues, Azure SKUs, compute node hostnames, and other parameters.

+ - Automatically update scheduler configurations on-the-fly based on changes in resource availability and job requirements.

+* **Job submission and management:**

+ - Allow end-users to submit jobs for execution according to scheduling and resource access policy rules.

+ - Monitor and manage job queues, resource utilization, and job statuses.

+## Tools and services

+**Job scheduler via CycleCloud:**

+ - Use CycleCloud to deploy and manage HPC job schedulers in the cloud.

+ - Configure job schedulers like Slurm, OpenPBS, PBSPro, and LSF within the CycleCloud environment.

+ - Manage job submissions, queues, and resource allocations through the CycleCloud portal or CLI.

+## Best practices for job schedulers in HPC lift and shift architecture

+* **Efficient scheduler deployment:**

+ - Plan and test the migration of existing job scheduler configurations to the cloud environment to ensure compatibility, performance, and user experience.

+ - Use CycleCloud's built-in support for schedulers like Slurm, OpenPBS, PBSPro, and LSF for a smoother deployment process.

+* **Optimized configuration management:**

+ - To align with changing resource availability and job requirements, regularly update scheduler configurations (for example, scheduler queues/partitions).

+ - Automate configuration changes using scripts and tools to minimize manual intervention and reduce the risk of errors.

+* **Robust job submission and management:**

+ - Implement a user-friendly interface for job submission and management to facilitate end-user interaction with the scheduler.

+ - To identify and address potential issues promptly, continuously monitor job queues, resource utilization, and job statuses.

+* **Scalability and performance:**

+ - Configure dynamic scaling policies to automatically adjust the number of compute nodes based on job demand, optimizing resource utilization and cost.

+ - Use performance metrics and monitoring tools to continuously assess and improve the performance of the job scheduler and the overall HPC environment.

+These best practices help ensure a smooth transition to cloud-based job scheduling, maintaining efficiency, scalability, and performance for HPC workloads.

+## Example steps for setup and deployment

+This section provides an overview on deploying and configuring a job scheduler using Azure CycleCloud. It includes steps for selecting and deploying the scheduler, configuring its settings, and migrating an existing on-premises scheduler to the cloud environment.

+1. **Using CycleCloud to deploy a job scheduler:**

+ - **Deploy job scheduler:**

+ - Navigate to the Azure CycleCloud portal and select the desired job scheduler from the available options (for example, Slurm, PBSPro).

+ - Follow the prompts to deploy the job scheduler, specifying the required parameters such as resource group, location, and virtual network.

+ - Example command for deploying a Slurm scheduler:

+ ```bash

+ cyclecloud create_cluster -n slurm-cluster -c slurm

+ ```

+ - **Configure job scheduler:**

+ - Once the job scheduler is deployed, configure the scheduler settings through the CycleCloud portal.

+ - Define partitions/queues, Azure SKUs, compute node hostnames, and other parameters.

+2. **Migrating existing job scheduler settings to CycleCloud:**

+ **Slurm**

+ - **Export existing configuration:**

+ - Export the configuration of the existing on-premises job scheduler.

+ - Example command for exporting Slurm configuration:

+ ```bash

+ scontrol show config > slurm_config.txt

+ ```

+ - **Evaluate and adjust Slurm configuration:**

+ - Open the exported configuration file and evaluate each setting to determine which ones are necessary and relevant for the cloud environment.

+ - Common settings to consider include:

+ - ControlMachine

+ - SlurmdPort

+ - StateSaveLocation

+ - SlurmdSpoolDir

+ - SlurmctldPort

+ - ProctrackType

+ - AuthType

+ - SchedulerType

+ - SelectType

+ - SelectTypeParameters

+ - AccountingStorageType

+ - JobCompType

+ - **Prepare the CycleCloud Slurm template:**

+ - Open the CycleCloud Slurm template configuration file. You can access this file through the CycleCloud UI under the cluster's configuration settings.

+ - Locate the section where Slurm configurations are specified.

+ - **Add adjusted Slurm settings to CycleCloud Slurm configuration:**

+ - For each relevant setting from your on-premises configuration, add it to the Slurm configuration textbox within the CycleCloud Slurm template. Adjust the values as needed to reflect the cloud environment specifics.

+## Example job scheduler submission

+**Submit Slurm interactive job using srun:**

+```bash

+#!/bin/bash

+# Submit a job using srun

+srun --partition=debug --ntasks=1 --time=00:10:00 --job-name=test_job --output=output.txt my_application

+```

+**Submit Slurm batch script using sbatch:**

+```bash

+#!/bin/bash

+# Create a Slurm batch script

+echo "#!/bin/bash

+#SBATCH --partition=debug

+#SBATCH --ntasks=1

+#SBATCH --time=00:10:00

+#SBATCH --job-name=test_job

+#SBATCH --output=output.txt

+# Run the application

+my_application" > job_script.sh

+# Submit the batch job

+sbatch job_script.sh

+```

+## Resources

+- Azure CycleCloud Scheduling and Autoscaling: [product website](/azure/cyclecloud/concepts/scheduling?view=cyclecloud-8&preserve-view=true)

+- IBM Spectrum LSF: [external](https://www.ibm.com/docs/en/spectrum-lsf/10.1.0)

+- OpenPBS: [external](https://www.openpbs.org/)

+- PBSPro: [external](https://altair.com/pbs-professional)

+- Slurm: [external](https://slurm.schedmd.com/)

+ Title: "Deployment step 2: base services - monitoring component"

+description: Learn about the configuration of monitoring during migration deployment step two.

+# Deployment step 2: base services - monitoring component

+Monitoring is a crucial aspect of managing an HPC environment in the cloud, ensuring optimal performance, reliability, and security. Effective monitoring allows administrators to gain real-time insights into system performance, detect and address issues promptly, and make informed decisions to optimize resource utilization. Key metrics such as CPU and memory usage, job execution times, and network throughput provide valuable information about the health and efficiency of the infrastructure.

+By using tools like Azure Monitor, Azure Managed Grafana, and Azure Managed Prometheus administrators can visualize these metrics, set up alerts for critical events, and analyze logs for troubleshooting. Implementing robust monitoring practices helps maintain high availability, enhances user satisfaction, and ensures that the cloud environment meets the dynamic needs of HPC workloads.

+When migrating HPC workloads to Azure, it's important to replicate and enhance the monitoring capabilities you had on-premises. This process includes tracking the same metrics and possibly adding new ones that are relevant to the cloud environment. Using Azure-specific monitoring tools can provide deeper insights into cloud resources, which are crucial for managing and optimizing cloud infrastructure effectively. For example, in a cloud environment, a valuable new metric to track is cost, which isn't typically monitored in on-premises setups.

+## Define monitoring key metric needs

+* **Common HPC metrics:**

+ - **Infrastructure metrics:** CPU, memory usage, disk I/O, network throughput.

+ - **Application metrics:** Job queue lengths, job failure rates, execution times.

+ - **User metrics:** Active users, job submission rates.

+* **Cloud-specific HPC metrics:**

+ - **Cost metrics:** Cost Per Resource, Monthly Cost, Budget Alerts.

+ - **Scalability metrics:** Autoscaling Events, resource utilization.

+ - **Provisioning metrics:** Provisioning time, provisioning success rate.

+## Tools and services

+* **Azure Monitor:**

+ - Configure Azure Monitor to collect metrics and logs from all resources.

+ - Set up alerts for critical thresholds (for example, CPU usage > 80%).

+ - Use Log Analytics to query and analyze logs.

+* **Azure Managed Grafana:**

+ - Integrate Grafana with Azure Monitor for dashboard visualizations.

+ - Create custom dashboards for different personas (for example, HPC administrators, business managers).

+ -

+* **Azure Managed Prometheus:**

+ - Deploy and manage Prometheus instances in Azure.

+ - Configure Prometheus to scrape metrics from your HPC nodes and applications.

+ - Integrate Prometheus with Grafana for advanced dashboards.

+ -

+* **Azure Moneo:**

+ - Configure Moneo to collect metrics across multi-GPU systems.

+ - Information regarding Moneo can be found on [GitHub](https://github.com/Azure/Moneo)

+## Best practices

+Implementing best practices for monitoring ensures that your HPC environment remains efficient, secure, and resilient. Here are some key best practices to follow:

+* **Regularly review and update monitoring configurations:**

+ - To ensure your monitoring configurations remain aligned with your infrastructure and business needs, schedule periodic reviews of them.

+ - Update thresholds and alert settings based on historical data and changing performance requirements.

+

+* **Implement comprehensive logging:**

+ - To aggregate and analyze log data, use centralized logging solutions like Azure Log Analytics.

+ - Regularly review log data to identify patterns and potential issues before they escalate.

+* **Set up redundancy and failover mechanisms:**

+ - Implement redundancy for critical monitoring components to ensure continuous availability.

+ - Set up failover mechanisms to automatically switch to backup systems if there's a primary system failure.

+* **Automate responses to common issues:**

+ - To create automated responses for common issues, use automation tools like Azure Automation and Logic Apps.

+ - Develop runbooks and workflows that can automatically remediate known problems, such as restarting services or scaling resources.

+* **Monitor security metrics:**

+ - Include security-related metrics in your monitoring setup, such as unauthorized access attempts, configuration changes, and compliance status.

+ - Set up alerts for critical security events to ensure prompt response and mitigation.

+* **Setup health checks**

+ - Implement automated health checks using scripts or Azure Automation.

+ - Monitor health checks and trigger automated responses or alerts for issues.

+ - Set up alerts in Azure Monitor to notify you when autoscaling events occur.

+## Example steps for setup and deployment

+This section provides a comprehensive guide for setting up Azure Monitor and configuring Grafana dashboards to effectively monitor your HPC environment. It includes detailed steps for creating an Azure Monitor workspace, linking it to resources, configuring data collection, deploying Azure Managed Grafana, and setting up alerts and automated health checks.

+### Setting up Azure Monitor

+1. **Navigate to Azure Monitor:**

+ - Go to the [Azure portal](https://portal.azure.com).

+ - In the left-hand navigation pane, select **Monitor**.

+2. **Create an Azure Monitor workspace:**

+ - Select on "Workspaces" under the "Monitoring" section.

+ - Select "Create" to set up a new Azure Monitor workspace.

+ - Provide a name, select a subscription, resource group, and location.

+ - Select "Review + create" and then "Create" to deploy the workspace.

+3. **Link Azure Monitor workspace to resources:**

+ - Go to the resource you want to monitor (for example, a Virtual Machine).

+ - Under the "Monitoring" section, select "Diagnostics settings."

+ - Select "Add diagnostic setting" and configure the logs and metrics to be sent to the Azure Monitor workspace.

+4. **Configure Data Collection:**

+ - In the Azure Monitor section, select "Data Collection Rules" to set up and manage the rules for collecting logs and metrics from various Azure resources.

+> [!NOTE]

+> For detailed information about Azure Monitor, visit the [Azure Monitor Metrics Overview](/azure/azure-monitor/overview) page.

+### Configuring Grafana dashboards

+1. **Deploy Azure Managed Grafana:**

+ - Navigate to the [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps?filters=azure-managed-grafana).

+ - Search for "Azure Managed Grafana" and choose **Create**.

+ - Fill in the required details such as subscription, resource group, and instance details.

+ - Select **Review + create** and then **Create** to deploy the Grafana instance.

+2. **Connect Grafana to Azure Monitor:**

+ - Once Grafana is deployed, access it through the Azure portal or directly via its public endpoint.

+ - In Grafana, go to "Configuration" -> "Data Sources" -> "Add data source."

+ - Select "Azure Monitor" from the list of available data sources.

+ - Provide the necessary details such as subscription ID, tenant ID, and client ID, and authenticate using Azure credentials.

+3. **Create custom dashboards:**

+ - After the data source is added, go to "Dashboards" -> "Manage" -> "New Dashboard."

+ - Use the panel editor to add visualizations (for example, graphs, charts) based on the metrics collected by Azure Monitor.

+ - Customize the dashboard to display key metrics such as CPU usage, memory usage, disk I/O, network throughput, job queue lengths, and job execution times.

+ - Save the dashboard and share it with relevant stakeholders.

+> [!NOTE]

+> For detailed information about Azure Managed Grafana, visit the [Azure Managed Grafana](/azure/managed-grafana/overview) page.

+### Configuring Prometheus

+**Deploy Azure Managed Prometheus:**

+ - Navigate to the Azure Marketplace

+ - Search for "Azure Managed Prometheus" and select "Create."

+ - Fill in the required details:

+ - Provide necessary information such as subscription, resource group, and instance details.

+ - Review the settings and select "Create" to deploy the instance.

+> [!NOTE]

+> For detailed information about Azure Managed Prometheus, visit the [Azure Monitor managed service for Prometheus](/azure/azure-monitor/essentials/prometheus-metrics-overview) page.

+### Integrate Prometheus with Grafana

+1. **Add Prometheus as a data source in Grafana:**

+ - In Grafana, go to "Configuration" -> "Data Sources" -> "Add data source."

+ - Select "Prometheus" and provide the Prometheus endpoint URL.

+2. **Create Custom Dashboards:**

+ - Go to "Dashboards" -> "Manage" -> "New Dashboard."

+ - Add visualizations based on metrics collected by Prometheus.

+ - Customize and save the dashboard for key metrics display.

+## Creating alerts

+1. Navigate to Azure Monitor and select **Alerts**.

+2. Select **New alert rule** to create a new alert.

+3. Define the scope by selecting the resource you want to monitor (for example, a VM, storage account, or network interface).

+4. Set conditions based on metrics or log data. For example, you might set an alert for CPU usage exceeding 80%, disk space usage above 90%, or a VM being unresponsive.

+ - **Defining Action Groups:**

+ - Specify actions to take when an alert is triggered, such as sending an email, triggering an Azure Function, or executing a webhook.

+ - Create action groups to manage and organize these responses efficiently.

+### Further steps for enhanced monitoring

+1. **Set up alerts:**

+ - In Azure Monitor, go to "Alerts" -> "New alert rule."

+ - Define the scope by selecting the resource you want to monitor.

+ - Set conditions for the alert (for example, CPU usage > 80%).

+ - Configure actions such as sending email notifications or triggering an Azure Function.

+2. **Implement automated health checks:**

+ - Use Azure Automation to create and schedule runbooks that perform health checks on your HPC environment.

+ - Ensure these runbooks check the status of critical services, resource availability, and system performance.

+ - Set up alerts to notify administrators if any health checks fail or indicate issues.

+3. **Regularly review and update monitoring configurations:**

+ - Periodically review the metrics and alerts configured in Azure Monitor and Grafana.

+ - Adjust thresholds, add new metrics, or modify visualizations based on changes in the HPC environment or business requirements.

+ - Train staff on interpreting monitoring dashboards, responding to alerts, and using monitoring tools effectively.

+### Example implementation

+Automated health check script:

+```bash

+#!/bin/bash

+# Check if a VM is running

+vm_status=$(az vm get-instance-view --name <vm-name> --resource-group <resource-group> --query instanceView.statuses[1] --output tsv)

+if [[ "$vm_status" != "PowerState/running" ]]; then

+# Restart VM if not running

+az vm start --name <vm-name> --resource-group <resource-group>

+fi

+```

+## Resources

+- Azure Managed Grafana documentation: [product](/azure/managed-grafana/)

+- AzureHPC Node Health Check: [git](https://github.com/Azure/azurehpc-health-checks)

+- Slurm Job Accounting with Azure CycleCloud: [blog](https://techcommunity.microsoft.com/t5/azure-high-performance-computing/setting-up-slurm-job-accounting-with-azure-cyclecloud-and-azure/ba-p/4083685)

+- Azure CycleCloud log files: [product](/azure/cyclecloud/log_locations?view=cyclecloud-8&preserve-view=true)

+- Monitoring CycleCloud Clusters: [product](/azure/cyclecloud/how-to/monitor-clusters?view=cyclecloud-8&preserve-view=true)

+Azure Moneo: [git](https://github.com/Azure/Moneo)

+ Title: "Deployment step 2: base services - overview"

+description: Learn about production-level environment migration deployment step two.

+# Deployment step 2: base services - overview

+One of the key component's users interact with in an on-premises environment is the job scheduler (for example, Slurm, PBS, and LSF). During a lift-and-shift process, users should retain the same level of interaction with these schedulers. However, the difference is that resources are no longer static; they're provisioned on-demand.

+This section covers the core components related to the job scheduler, including the resource orchestrator for provisioning and setting up resources, identity management for user authentication, monitoring (including node health checks), and accounting to better understand the status and usage of resources. Each component plays a crucial role in ensuring the performance, scalability, and security of the HPC environment. By utilizing familiar on-premises technologies like Active Directory and established application runtimes, organizations can transition to the cloud more smoothly while maintaining continuity. A comprehensive overview of tools, best practices, and quick-start setups is provided, with the goal of progressively automating these services as the cloud environment evolves.

+## User identity

+Using technologies such as Active Directory Services and LDAP, user accounts and properties in use on-premises could be reused in the cloud environment. We recommend you apply the existing on-premises user identity technologies as much as possible.

+## Monitoring

+Monitoring is a vast area, as not only jobs need to be monitored, but the entire infrastructure. Our major recommendation in this service is to consider not only the existing metrics from on-premises environments, but also the new ones going to the cloud, which are related to costs, and to the state the infrastructure. In cloud, resources are provisioned and deprovisioned depending on usage demand, which is different from an on-premises environment. For instance, may be interesting to create alerts for cost-related threshold, which could be per user, department, or project.

+## Node health checks

+Related to monitoring, node health checks are relevant to see if the provisioned cluster nodes pass all health-related tests. We recommend using the node health checks Azure offers for HPC instances. But one may want to add new tests if necessary.

+## Autoscaling rules

+Autoscaling is a key differentiator compared to on-premises environment. Autoscaling rules determine when nodes join or leave a cluster. Always having all expected nodes on may bring efficiency for starting jobs as the nodes. However, when idle, they may become a considerable waste of money. Our recommendation is to keep nodes off when not in use. If the business demands quicker starting times, a buffer with some nodes on may be interesting, but this option has to be properly defined to assess the trade-offs of quick start time of jobs and costs.

+## Applications and runtimes

+Here, we recommend using the existing on-premises technology as much as possible as well. Technologies such as spack, easybuild, EESSI, or even a repository of compiled applications can be reused. However, it's worth noting that the hardware in the cloud may be different what is available in the on-premises environment. Therefore, recompilation and adjustment of scripts are necessary and can bring performance benefits.

+For details check the description of the following components:

+- [Job scheduler](lift-and-shift-step-2-job-scheduler.md)

+- [Resource orchestrator](lift-and-shift-step-2-resource-orchestrator.md)

+- [Identity management](lift-and-shift-step-2-identity.md)

+- [Accounting](lift-and-shift-step-2-accounting.md)

+- [Monitoring](lift-and-shift-step-2-monitor.md)

+Here we describe each component. Each section includes:

+- An overview description of what the component is

+- What the requirements for the component are (that is, what do we need from the component)

+- Tools and services available

+- Best practices for the component in the context of HPC lift & shift

+- An example of a quick start setup

+The goal of the quick start is to have a sense on how to start using the component. As the HPC cloud deployment matures, one is expected to automate the usage of the component, by using, for instance, Infrastructure as Software tools such as Terraform or Bicep.

+ Title: "Deployment step 2: base services - resource orchestrator component"

+description: Learn about the configuration of the resource orchestrator during migration deployment step two.

+# Deployment step 2: base services - resource orchestrator component

+Typically, resources in an on-premises environment are fully available for usage. When you migrate to the cloud, resources need to be provisioned (that is, set-up and configured). This requirement is a core difference between on-premises and cloud environments. Resource orchestrator's provisions the compute nodes and other components (for example, storage and network), **on demand**, to allow the execution of user jobs. In the context of a lift and shift architecture, this component would:

+- Provision resources and install the software for job execution based on end-user job submission requests to the job scheduler.

+- Verify all resources are healthy for job execution.

+When working with lift and shift scenarios, `Azure CycleCloud` can be used to provision a traditional HPC job scheduler in a cloud environment. Azure CycleCloud offers several features to make a smoother transition from on-premises to the cloud environment.

+## Define resource needs

+* **Compute nodes:**

+ - Provision high-performance compute nodes based on job requirements. Configure node types, sizes, and scaling policies to optimize performance and cost.

+* **Job scheduler:**

+ - Integrate with HPC job schedulers like Slurm, PBS Pro, or LSF. Manage job submissions, monitor job status, and optimize job execution.

+* **Login nodes:**

+ - Provide access for users to submit and manage jobs. Configure sign-in nodes to handle user authentication and secure shell (SSH) access to the HPC environment.

+* **Storage:**

+ - Set up storage solutions for job data, results, and logs. Use Azure Managed Lustre, Azure NetApp Files, or Azure Blob Storage based on performance and capacity requirements.

+* **Network:**

+ - Configure network settings for secure and high-performance communication between compute nodes, storage, and other resources. Use Azure Virtual Networks and Network Security Groups (NSG) to manage network traffic.

+## Tools and services

+* **Azure CycleCloud:**

+ - Use Azure CycleCloud for managing and optimizing HPC environments in the cloud.

+ - Deploy and configure HPC clusters through the Azure CycleCloud portal.

+ - Set up and manage compute nodes, job schedulers, and storage resources for efficient HPC workloads.

+* **Dynamic scaling:**

+ - Automatically scale compute resources up or down based on job demand.

+ - Configure scaling policies to specify the minimum and maximum number of nodes.

+ - Set scaling triggers and cooldown periods.

+* **Template-based deployments:**

+ - Use predefined templates to deploy various HPC cluster configurations quickly.

+ - Define compute node types, network configurations, storage options, and installed software in templates.

+ - Customize templates to meet specific requirements, such as including specialized software or configuring specific network settings.

+* **Support for multiple schedulers:**

+ - Integrate CycleCloud with popular HPC job schedulers like Slurm, PBS Pro, and LSF.

+ - Use CycleCloudΓÇÖs built-in scheduler support or configure custom integrations based on existing on-premises setup.

+- **Unified job management:**

+ - Manage jobs across hybrid environments from a single interface.

+ - Submit, monitor, and control jobs running both on-premises and in the cloud.

+ - Use job arrays, dependencies, and other advanced scheduling features to optimize job execution and resource utilization.

+## Best practices

+* **Plan and test:**

+ - Carefully plan your cluster configurations, including node types, storage options, and network settings.

+ - Perform test deployments and workloads to ensure everything is set up correctly before scaling up.

+* **Automate configuration:**

+ - Utilize CycleCloud templates and automation scripts for consistent and repeatable cluster deployments.

+ - Automate updates to cluster configurations to respond quickly to changing requirements or new software versions.

+* **Monitor and optimize:**

+ - Continuously monitor resource utilization and job performance through the CycleCloud portal.

+ - To improve performance and reduce costs, optimize cluster configurations based on monitoring data.

+* **Secure access:**

+ - Implement robust access controls using Azure Active Directory and SSH keys for sign-in nodes.

+ - Ensure that only authorized users can access compute and storage resources.

+* **Documentation and training:**

+ - Maintain detailed documentation of cluster configurations, deployment processes, and operational procedures.

+ - Provide training for HPC administrators and users to ensure effective and efficient use of CycleCloud-managed resources.

+## Example steps for setup and deployment

+This section outlines the steps for installing and configuring Azure CycleCloud, specifically using the CycleCloud Slurm Workspace. It includes instructions for setting up the environment, configuring basic settings, and deploying an HPC cluster with a predefined template.

+1. **Install and configure Azure CycleCloud:**

+ - **Install CycleCloud Slurm workspace:**

+ - Navigate to the Azure Marketplace and search for "Azure CycleCloud Slurm Workspace."

+ - Follow the prompts to deploy the CycleCloud Slurm Workspace, specifying the required parameters such as resource group, location, and virtual network.

+ - After deployment, configure the environment through the CycleCloud portal.

+ - Ensure the Slurm scheduler is set up and ready for job submissions.

+ > [!NOTE]

+ > For detailed information about Azure CycleCloud Slurm Workspace, visit this [blog post](https://techcommunity.microsoft.com/t5/azure-high-performance-computing/introducing-azure-cyclecloud-slurm-workspace-preview/ba-p/4158433).

+ - **Configure the environment:**

+ - Use the CycleCloud CLI or web portal to configure the basic settings, such as cloud provider credentials, default regions, and network configurations.

+ - Storage accounts and other necessary resources for CycleCloud to use for cluster deployments were already deployed using the preceding Cyclecloud Slurm Workspace marketplace solution.

+2. **Create and deploy an HPC cluster:**

+ - **Define Cluster Template:**

+ - Create a cluster template that specifies the compute node types, job scheduler, software packages, and other configuration details.

+ > [!NOTE]

+ > An existing Slurm template will have already been created by the Slurm Workspace deployment setup.

+ - **Deploy the Cluster:**

+ - Use the CycleCloud CLI or web portal to deploy the cluster based on the defined template. Monitor the deployment process to ensure all resources are provisioned and configured correctly.

+ - Example command to deploy a cluster:

+ ```bash

+ cyclecloud create_cluster -f hpc-cluster-template.txt

+ ```

+## Resources

+- Azure CycleCloud Documentation: [product website](/azure/cyclecloud/?view=cyclecloud-8&preserve-view=true)

+- Azure CycleCloud Overview: [product website](/azure/cyclecloud/overview?view=cyclecloud-8&preserve-view=true)

+- Azure CycleCloud Slurm Workspace: [blog post](https://techcommunity.microsoft.com/t5/azure-high-performance-computing/introducing-azure-cyclecloud-slurm-workspace-preview/ba-p/4158433)

+ Title: "Deployment step 3: storage - data migration component"

+description: Learn about data migration during migration deployment step three.

+# Deployment step 3: storage - data migration component

+Process to allow users to migrate data from an on-premises environment to the cloud environment in a secure and reliable way. Moving data closer to the cloud environmentΓÇÖs computing nodes is essential to meet the needs of throughput and IOPS.

+This component should:

+- Retain all existing file and directory structure from source to target.

+- Retain all metadata related to the files, including user and group ownership, permissions, modification time, and access time.

+- Report on the results of the data migration or copy tool.

+- Implement a data migration restart process.

+## Define data migration needs

+* **Data integrity:**

+ - Ensure that all files and directories retain their original structure and metadata during the migration process.

+* **Security:**

+ - Maintain data security throughout the migration process by using encrypted transfer methods and secure access controls.

+* **Performance:**

+ - Optimize the data migration process to handle large volumes of data efficiently, minimizing downtime and disruption.

+## Tools and services

+* **Azure Data Box:**

+ - Use Azure Data Box for large-scale offline data transfers.

+ - Deploy the Data Box appliance to transfer large amounts of data to Azure quickly and safely.

+ - Set up and manage data transfers through the Azure portal.

+* **AzCopy:**

+ - Use AzCopy for command-line data transfer.

+ - Perform high-performance, reliable data transfer between on-premises storage and Azure Blob Storage, Azure Files, and Azure Table Storage.

+ - Support both synchronous and asynchronous transfer modes.

+**Rsync:**

+ - Use rsync for efficient and secure data transfer between on-premises storage and Azure storage.

+ - Retain file and directory structure and file metadata during the transfer.

+ - Utilize rsync options to ensure data integrity and transfer efficiency.

+## Best practices for data migration

+* **Plan and test:**

+ - Thoroughly plan your data migration strategy, including the selection of tools (AzCopy, rsync) and target storage (Blob Storage, Azure NetApp Files, Azure Managed Lustre).

+ - Perform test migrations with a subset of data to validate the process and ensure that the tools and configurations work as expected.

+* **Maintain data integrity:**

+ - Use options in AzCopy and rsync that preserve file metadata (permissions, timestamps, ownership).

+ - Verify the integrity of the migrated data by comparing checksums or using built-in verification tools.

+* **Optimize performance:**

+ - Compress data during transfer (using rsyncΓÇÖs `-z` option) to reduce bandwidth usage.

+ - Use parallel transfers in AzCopy to increase throughput and reduce migration time.

+* **Secure data transfers:**

+ - Encrypt data during transfer to protect it from unauthorized access. Use secure transfer options in AzCopy and rsync.

+ - Ensure that access controls and permissions are correctly set up on both the source and target environments.

+* **Monitor and report:**

+ - Continuously monitor the data migration process to detect any issues early.

+ - Generate and review detailed reports from AzCopy and rsync to ensure that all data migrated successfully and to identify any errors or discrepancies.

+## Example steps for data migration

+This section outlines the steps for using Azure Data Box, AzCopy, and rsync to transfer data from on-premises storage to Azure. It includes detailed instructions for deploying and configuring Azure Data Box, installing and using AzCopy for data transfer, and setting up and using rsync to ensure secure and efficient data migration.

+1. **Using Azure Data Box:**

+ - **Deploy Azure Data Box:**

+ - Navigate to the Azure portal and order an Azure Data Box.

+ - Follow the instructions to set up the Data Box appliance at your on-premises location.

+ - Copy the data to the Data Box and ship it back to Azure.

+ - **Configure data transfer:**

+ - Once the Data Box arrives at the Azure data center, the data is uploaded to your specified storage account.

+ - Verify the data transfer status and integrity through the Azure portal.

+2. **Using AzCopy:**

+ - **Install AzCopy:**

+ - Download and install AzCopy on your on-premises server.

+ - Configure AzCopy with the necessary permissions to access your Azure storage account.

+ - **Perform data transfer:**

+ - Use AzCopy commands to transfer data from on-premises storage to Azure Blob Storage.

+ - Example command for data transfer:

+ ```bash

+ azcopy copy 'https://<storage_account>.blob.core.windows.net/<container>/<path>' '<local_path>' --recursive

+ ```

+ > [!NOTE]

+ > For detailed information about AzCopy, visit [Get started with AzCopy](/azure/storage/common/storage-use-azcopy-v10).

+3. **Using rsync:**

+ - **Install rsync:**

+ - Ensure rsync is installed on your on-premises server. Most Linux distributions include `rsync` by default.

+ - Install rsync on your server if it isn't already installed:

+ ```bash

+ sudo apt-get install rsync # For Debian-based systems

+ sudo yum install rsync # For Red Hat-based systems

+ ```

+ - **Perform data transfer:**

+ - Use rsync to transfer data from on-premises storage to Azure storage.

+ - Example command for data transfer:

+ ```bash

+ rsync -avz /path/to/local/data/ user@remote:/path/to/azure/data/

+ ```

+ - Options explained:

+ - `-a`: Archive mode: preserves permissions, timestamps, symbolic links, and other metadata.

+ - `-v`: Verbose mode: provides detailed output of the transfer process.

+ - `-z`: Compresses data during transfer to reduce bandwidth usage.

+

+ > [!NOTE]

+ > For examples using Rsync, visit [rysnc examples](https://rsync.samba.org/examples.html).

+### Example data migration implementation

+**Data migration script using AzCopy:**

+```bash

+#!/bin/bash

+# Define storage account and container

+storage_account="<storage_account_name>"

+container_name="<container_name>"

+local_path="<local_path>"

+# Perform data transfer using AzCopy

+azcopy copy "https://$storage_account.blob.core.windows.net/$container_name" "$local_path" --recursive

+# Verify transfer and generate report

+azcopy jobs show --latest > migration_report.txt

+```

+**Data Migration Script using rsync:**

+```bash

+#!/bin/bash

+# Define variables

+local_path="/path/to/local/data"

+remote_user="user"

+remote_host="remote"

+remote_path="/path/to/azure/data/"

+# Perform data transfer using rsync

+rsync -avz $local_path $remote_user@$remote_host:$remote_path

+# Verify transfer and generate report

+rsync -avz --dry-run $local_path $remote_user@$remote_host:$remote_path > migration_report.txt

+```

+## Resources

+- [AzCopy](/azure/storage/common/storage-use-azcopy-v10)

+- [Migrate to NFS Azure file shares (rsync, fpsync)](/azure/storage/files/storage-files-migration-nfs?tabs=ubuntu)

+- [Azure Data Box](/azure/databox/)

+- [rsync](https://rsync.samba.org/)

+ Title: "Deployment step 3: storage - overview"

+description: Learn about production-level environment migration deployment step three.

+# Deployment step 3: Storage - Overview

+With the cloud offering a broader range of storage solutions compared to on-premises systems, it's essential to define where different types of dataΓÇösuch as user home directories, project data, and scratch disksΓÇöshould be stored. The section also discusses data migration strategies, whether it involves a one-time transfer or continuous synchronization between on-premises systems and the cloud. Organizations can optimize costs and performance by carefully selecting storage options and utilizing tools for efficient data movement.

+This section highlights the critical considerations for managing storage in an HPC cloud environment, focusing on the variety of cloud storage options and the processes for migrating data. Also, it offers practical guidance for setting up storage and managing data migration, with an emphasis on scalability and automation as the HPC environment evolves.

+## Storage options in the cloud

+Compared to on-premises environment, the variety and capacity for storage options in the cloud increase. A good practice is to define the major places to put data, such as user home directories, project data, scratch disks, and long term storage. As one of the key benefits of cloud is to obtain resources on demand, it's more important at the beginning to define the storage options. As environment evolves, the amount of data required for storage options becomes clearer.

+## Data migration

+To move data in and out of an on-premises system to an HPC environment in Azure, several methods and tools can be employed. Depending on the scenario, data migration might be a one-time copy or involve regular synchronization to keep data up-to-date. Accessing on-premises data from Azure jobs can be managed by using appropriate protocols such as NFS or SMB, considering the effect on networking infrastructure. Additionally, tiering mechanisms can be used to optimize costs by automatically moving data between different storage tiers based on access patterns and data lifecycle policies.

+For details check the description of the following component:

+- [Storage](lift-and-shift-step-3-storage.md)

+- [Data migration](lift-and-shift-step-3-data-migration.md)

+Here we describe each component. Each section includes:

+- An overview description of what the component is

+- What the requirements for the component are (that is, what do we need from the component)

+- Tools and services available

+- Best practices for the component in the context of HPC lift & shift

+- An example of a quick start setup

+The goal of the quick start is to have a sense on how to start using the component. As the HPC cloud deployment matures, one is expected to automate the usage of the component, by using, for instance, Infrastructure as Software tools such as Terraform or Bicep.

+ Title: "Deployment step 3: storage - storage component"

+description: Learn about the configuration of storage during migration deployment step three.

+# Deployment step 3: storage - storage component

+When migrating HPC environments to the cloud, it's essential to define and implement an effective storage strategy that meets your performance, scalability, and cost requirements. An effective storage strategy ensures that your HPC workloads can access and process data efficiently, securely, and reliably. This approach includes considering different types of storage solutions for various needs such as long-term data archiving, high-performance scratch space, and shared storage for collaborative work.

+Proper data management practices, such as lifecycle policies and access controls, help maintain the integrity and security of your data. Additionally, efficient data movement techniques are necessary to handle large-scale data transfers and automate ETL processes to streamline workflows. Here are the key steps and considerations for setting up storage in the cloud:

+## Define storage needs

+* **Storage types:**

+ - **Long-term storage:** Use Azure Blob Storage for data archiving. Azure Blob Storage provides a cost-effective solution for storing large volumes of data that are infrequently accessed but must be retained for compliance or historical purposes. It offers various access tiers (Hot, Cool, and Archive) to optimize costs based on how frequently the data is accessed.

+ - **High-performance storage:** Use Azure Managed Lustre or Azure NetApp Files for scratch space and high IOPS requirements. Azure Managed Lustre is ideal for HPC workloads that require high throughput and low latency, making it suitable for applications that process large datasets quickly.

+ Azure NetApp Files provide enterprise-grade performance and features such as snapshots, cloning, and data replication, which are essential for critical HPC applications.

+ - **Shared storage:** Use Azure Files or NFS on Blob for user home directories and shared data. Azure Files offers fully managed file shares in the cloud that can be accessed via the industry-standard SMB protocol, making it easy for multiple users and applications to share data.

+ NFS on Blob allows for POSIX-compliant shared access to Azure Blob Storage, enabling seamless integration with existing HPC workflows and applications.

+* **Data management:**

+ - **Implement data lifecycle policies:** To manage data movement between hot, cool, and archive tiers, implement data lifecycle policies that automatically move data to the most appropriate storage tier based on usage patterns. This approach helps optimize storage costs by ensuring that frequently accessed data is kept in high-performance storage, while rarely accessed data is moved to more cost-effective archival storage.

+ - **Set up access controls:** Use Azure Active Directory (AD) and role-based access control (RBAC) to set up granular access controls for your storage resources. Azure AD provides identity and access management capabilities, while RBAC allows you to assign specific permissions to users and groups based on their roles. This strategy ensures that only authorized users can access sensitive data, enhancing security and compliance.

+* **Data movement:**

+ - **Azure Data Box:** Use Azure Data Box for large-scale offline data transfers. Azure Data Box is a secure, ruggedized appliance that allows you to transfer large amounts of data to Azure quickly and safely, minimizing the time and cost associated with network-based data transfer.

+ - **Azure Data Factory:** Use Azure Data Factory for orchestrating and automating data movement and transformation. Azure Data Factory provides a fully managed ETL service that allows you to move data between on-premises and cloud storage solutions, schedule data workflows, and transform data as needed.

+ - **AzCopy:** Use AzCopy for command-line data transfer. AzCopy is a command-line utility that provides high-performance, reliable data transfer between on-premises storage and Azure Blob Storage, Azure Files, and Azure Table Storage. It supports both synchronous and asynchronous transfer modes, making it suitable for various data movement scenarios.

+## Tools and services

+* **Azure Managed Lustre:**

+ - Use Azure Managed Lustre for high-performance storage needs in HPC workloads.

+ - Deploy and configure Lustre file systems through the Azure Marketplace.

+ - Set up and manage mount points on HPC nodes to access the Lustre file system.

+* **Azure NetApp Files:**

+ - Utilize Azure NetApp Files for enterprise-grade performance and data management features.

+ - Configure snapshots, cloning, and data replication for critical HPC applications.

+ - Integrate with Azure services and manage multiple protocols (NFS, SMB) for versatile usage.

+* **Azure Blob Storage:**

+ - Use Azure Blob Storage for cost-effective long-term data archiving.

+ - Implement data lifecycle policies to automatically move data between access tiers (Hot, Cool, Archive).

+ - Set up access controls and integrate with data analytics services for efficient data management.

+* **Azure Files:**

+ - Use Azure Files for fully managed file shares accessible via SMB protocol.

+ - Configure Azure AD and RBAC for secure access management and compliance.

+ - Ensure high availability with options for geo-redundant storage to protect against regional failures.

+## Best practices for HPC storage

+* **Define clear storage requirements:**

+ - Identify the specific storage needs for different workloads, such as high-performance scratch space, long-term archiving, and shared storage.

+ - Choose the appropriate storage solutions (for example, Azure Managed Lustre, Azure Blob Storage, Azure NetApp Files) based on performance, scalability, and cost requirements.

+* **Implement data lifecycle management:**

+ - Set up automated lifecycle policies to manage data movement between different storage tiers (Hot, Cool, Archive) to optimize costs and performance.

+ - Regularly review and adjust lifecycle policies to ensure data is stored in the most cost-effective and performance-appropriate tier.

+* **Ensure data security and compliance:**

+ - Use Azure Active Directory (AD) and role-based access control (RBAC) to enforce granular access controls on storage resources.

+ - Implement encryption for data at rest and in transit to meet security and compliance requirements.

+* **Optimize data movement:**

+ - Utilize tools like Azure Data Box for large-scale offline data transfers and AzCopy or rsync for efficient online data transfers.

+ - Monitor and optimize data transfer processes to minimize downtime and ensure data integrity during migration.

+* **Monitor and manage storage performance:**

+ - Continuously monitor storage performance and usage metrics to identify and address bottlenecks.

+ - Use Azure Monitor and Azure Metrics to gain insights into storage performance and capacity utilization, and make necessary adjustments to meet workload demands.

+These best practices ensure that your HPC storage strategy is effective, cost-efficient, and capable of meeting the performance and scalability requirements of your workloads.

+## Example steps for storage setup and deployment

+This section provides detailed instructions for setting up various storage solutions for HPC in the cloud. It covers the deployment and configuration of Azure Managed Lustre, Azure NetApp Files, NFS on Azure Blob, and Azure Files, including how to deploy these services and configure mount points on HPC nodes.

+1. **Setting up Azure Managed Lustre:**

+ - **Deploy a Lustre filesystem:**

+ - Navigate to the Azure Marketplace and search for "Azure Managed Lustre."

+ - Follow the prompts to deploy the Lustre filesystem, specifying the required parameters such as resource group, location, and storage size.

+ - Confirm the deployment and wait for the Lustre filesystem to be provisioned.

+ - **Configure mount points:**

+ - Once the Lustre filesystem is deployed, obtain the necessary mount information from the Azure portal.

+ - On each HPC node, install the Lustre client packages if not already present.

+ - Use the mount information to configure the mount points by adding entries to the `/etc/fstab` file or using the `mount` command directly.

+ - Example:

+ ```bash

+ sudo mount -t lustre <LUSTRE_FILESYSTEM_URL> /mnt/lustre

+ ```

+2. **Setting up Azure NetApp Files:**

+ - **Deploy an Azure NetApp Files volume:**

+ - Navigate to the Azure portal and search for "Azure NetApp Files."

+ - Create a NetApp account if not already existing.

+ - Create a capacity pool by specifying the required parameters such as resource group, location, and pool size.

+ - Create a new volume within the capacity pool by providing details like volume size, protocol type (NFS or SMB), and virtual network.

+ - **Configure mount points:**

+ - Once the NetApp volume is created, obtain the necessary mount information from the Azure portal.

+ - On each HPC node, install the necessary client packages for the protocol used (NFS or SMB) if not already present.

+ - Use the mount information to configure the mount points by adding entries to the `/etc/fstab` file or using the `mount` command directly.

+ - Example for NFS:

+ ```bash

+ sudo mount -t nfs <NETAPP_VOLUME_URL>:/<VOLUME_NAME> /mnt/netapp

+ ```

+3. **Implementing NFS on Azure Blob:**

+ - **Create an Azure Storage account:**

+ - Navigate to the Azure portal and create a new storage account.

+ - Enable NFS v3 support during the creation process by selecting the appropriate options under "File shares."

+ - **Configure NFS client:**

+ - On each HPC node, install NFS client packages if not already present.

+ - Configure the NFS client by adding entries to the `/etc/fstab` file or using the `mount` command to mount the Azure Blob storage.

+ - Example:

+ ```bash

+ sudo mount -t nfs <STORAGE_ACCOUNT_URL>:/<FILE_SHARE_NAME> /mnt/blob

+ ```

+4. **Setting up Azure Files:**

+ - **Deploy an Azure File Share:**

+ - Navigate to the Azure portal and search for "Azure Storage accounts."

+ - Create a new storage account if not already existing by specifying parameters such as resource group, location, and performance tier (Standard or Premium).

+ - Within the storage account, navigate to the "File shares" section and create a new file share by specifying the name and quota (size).

+ - **Configure mount points:**

+ - Once the file share is created, obtain the necessary mount information from the Azure portal.

+ - On each HPC node, install the necessary client packages for the protocol used (SMB) if not already present.

+ - Use the mount information to configure the mount points by adding entries to the `/etc/fstab` file or using the `mount` command directly.

+ - Example for SMB:

+ ```bash

+ sudo mount -t cifs //<STORAGE_ACCOUNT_NAME>.file.core.windows.net/<FILE_SHARE_NAME> /mnt/azurefiles -o vers=3.0,username=<STORAGE_ACCOUNT_NAME>,password=<STORAGE_ACCOUNT_KEY>,dir_mode=0777,file_mode=0777,sec=ntlmssp

+ ```

+## Resources

+- [Lustre - Azure Managed Lustre File System documentation](/azure/azure-managed-lustre)

+- [Lustre - Robinhood for Azure Managed Lustre File System](https://techcommunity.microsoft.com/t5/azure-high-performance-computing/azure-managed-lustre-with-automatic-synchronisation-to-azure/ba-p/3997202)

+- [Lustre - AzureHPC Lustre On Marketplace](https://techcommunity.microsoft.com/t5/azure-high-performance-computing/azurehpc-lustre-marketplace-offer/ba-p/3272689)

+- [Lustre - Lustre File System Template on CycleCloud](https://techcommunity.microsoft.com/t5/azure-high-performance-computing/lustre-on-azure/ba-p/1052536)

+- [NFS on Blob](/azure/storage/blobs/network-file-system-protocol-support)

+- [NFS on Azure Files](/azure/storage/files/files-nfs-protocol)

+- [Azure NetApp Files](https://azure.microsoft.com/products/netapp)

+ Title: "Deployment step 4: compute nodes - overview"

+description: Learn about production-level environment migration deployment step four.

+# Deployment step 4: compute nodes - overview

+Managing compute nodes in an HPC cloud environment involves careful consideration of virtual machine (VM) types, images, and quota limits. Testing key on-premises workloads in the cloud helps assess the cost-benefit of different VM SKUs, allowing for more informed hardware decisions over time. Azure provides preconfigured HPC images for Ubuntu and Alma Linux, which include necessary drivers and libraries, simplifying the deployment process. Custom images can also be created using available resources from the Azure HPC image repository. Additionally, itΓÇÖs important to plan resource usage carefully and consult with Azure to avoid quota limitations, especially when scaling across multiple regions.

+This section provides guidance on selecting and managing compute resources efficiently for HPC workloads in the cloud.

+## Virtual machine (VM) types (SKUs)

+We recommend you test a few key on-premises workloads in the cloud to develop an understanding of cost-benefit for different SKUS. In the cloud, the hardware options allow decisions to be refined over time.

+## VM images

+Azure offers HPC images for ubuntu and alma linux, containing various drivers, libraries, and some HPC-related configurations. We recommended that you use these images as much as possible. However, if custom images are required, one can see from the Azure HPC images GitHub repository how these images were built, and use the scripts there.

+## Quota

+If large amounts of resources are required, it's beneficial to have a proper planning and discussion with Azure team to minimize chances of reaching quota limits. Depending on the case, it can be beneficial to explore multiple regions whenever possible.

+For details check the description of the following component:

+- [VM images](lift-and-shift-step-4-vm-images.md)

+Here we describe each component. Each section includes:

+- An overview description of what the component is

+- What the requirements for the component are (that is, what do we need from the component)

+- Tools and services available

+- Best practices for the component in the context of HPC lift & shift

+- An example of a quick start setup

+The goal of the quick start is to have a sense on how to start using the component. As the HPC cloud deployment matures, one is expected to automate the usage of the component, by using, for instance, Infrastructure as Software tools such as Terraform or Bicep.

+ Title: "Deployment step 4: compute nodes - VM images component"

+description: Learn about the configuration of virtual machine (VM) images during migration deployment step four.

+# Deployment step 4: compute nodes - VM images component

+A Virtual Machine (VM) image is a snapshot of a virtual machine's operating system, software, configurations, and data stored at a specific point in time. It's a valuable asset that encapsulates most of what is required to enable virtual machines to run end-user jobs.

+In the context of HPC environments, VM images should have or could have support for drivers (for example, IB, GPUs), MPI libraries (for example, mpich, intel-mpi, pmix), and other HPC relevant software (for example, CUDA, NCCL, compilers, health checkers).

+## Define VM image needs

+* **Libraries, middleware, drivers:**

+ - Understand the major libraries (for example, MPI flavors) and, eventually, middleware (for example, Slurm/PBS/LFS) needed for the HPC applications. Drivers to support GPUs, for instance, can also be placed in the image.

+* **Utilities and configurations:**

+ - Small utilities (for example, healthchecks) or configurations (for example, ulimit) used by most users.

+## Tools and services

+**Azure HPC images:**

+ - Azure HPC images are available for usage, which contains several packages relevant for HPC settings.

+ - Azure HPC images contain both Ubuntu and AlmaLinux Linux distributions.

+## Best practices for HPC images in HPC lift and shift architecture

+* **Make use of Azure HPC images:**

+ - These images are extensively tested to run in Azure SKUs and Azure HPC systems, such as CycleCloud.

+* **Custom images and other Linux distributions:**

+ - If a custom image needs to be created, we recommend using the Azure HPC image GitHub repo as much as possible. It contains all scripts used to create the Azure HPC images.

+## Example steps for setup and deployment

+This section provides an overview on deploying a VM using an Azure HPC image via Azure portal.

+1. **Go to the Azure portal and select HPC VM image to create a VM:**

+ - **Select VM image:**

+ - Navigate in Azure portal to create the VM following the standard VM provisioning steps.

+ - When selecting the VM image (from marketplace), look for either "AlmaLinux HPC" or "Ubuntu-based HPC and AI"

+ - Fill up all fields (including networking, disk, management, etc.)

+ - Provision VM

+ - Define partitions/queues, Azure SKUs, compute node hostnames, and other parameters.

+2. **Test the VM:**

+ - **SSH into the VM:**

+ - Here you can use your operating system ssh tool or use the Azure portal cloud shell, or go into the VM access tab to select, for instance, access via Bastion (depending on the network setup)

+ - **See some HPC related tools:**

+ - One can observe the Azure HPC image in action by the following command, which lists the module available, including various mpi implementations

+ ```bash

+ module av

+ ```

+ - To load `openmpi`:

+ ```bash

+ module load mpi/openmpi

+ which mpirun

+ ```

+ - HPC tools and libraries can be found in `/opt/` directory.

+## Resources

+- Azure HPC SKUs and supported images: [product website](/azure/virtual-machines/configure#vm-images)

+- Azure HPC image overview: [product website](/azure/virtual-machines/configure#centos-hpc-vm-images)

+- Azure HPC image release notes (with software + software versions): [GitHub](https://github.com/Azure/azhpc-images/releases)

+- Azure HPC image installation scripts: [GitHub](https://github.com/Azure/azhpc-images)

+- Image creation (general purpose): [product website](/azure/virtual-machines/image-version)

+ Title: "Deployment step 5: end-user entry point - end-user entry point component"

+description: Learn about the configuration of end-user entry points during migration deployment step five.

+# Deployment step 5: end-user entry point - end-user entry point component

+Users access the computing environment in different ways. A common access point is through a terminal with ssh via command line interface (CLI). Other mechanisms are graphical user interface via VDI or web portals with on-demand, Jupyter lab, or r-studio. Some users may also rely on ssh via Visual Studio Code (VS Code). An end-user entry point component is key to shape the user experience accessing the HPC cloud resources, and it's highly dependent on the user workflow and application.

+Once all the basic infrastructure is deployed, the end-user entry point would:

+- Allow end-user to sign in into the machine and submit jobs;

+- Allow end-user to request a remote desktop session;

+- Allow end-user to request web browser-based sessions to run applications such

+ as Jupyter lab or r-studio.

+## Define user entry point needs

+* **SSH access:**

+ - Enable users to sign in into the HPC environment via SSH for job submission and management.

+ - Ensure secure authentication and connection protocols are in place.

+* **Remote desktop access:**

+ - Allow users to request and establish remote desktop sessions for graphical applications.

+ - Provide VDI solutions that support various operating systems and applications.

+* **Web browser-based access:**

+ - Support web browser-based sessions for running applications such as Jupyter Lab or RStudio.

+ - Ensure seamless integration with the HPC environment and resource management.

+## Tools and services

+* **SSH access:**

+ - Use standard SSH protocols to provide secure command-line access to HPC resources.

+ - Configure SSH keys and user permissions to ensure secure and efficient access.

+* **Remote desktop access:**

+ - Utilize VDI solutions such as Windows Virtual Desktop or non-Microsoft VDI providers.

+ - Configure remote desktop protocols (RDP, VNC) and ensure compatibility with user applications.

+* **Web browser-based access:**

+ - Deploy web-based platforms like JupyterHub or RStudio Server for interactive sessions.

+ - To allow seamless access to compute resources, integrate these platforms with the HPC environment.

+## Best practices

+* **Secure authentication and access control:**

+ - Implement multifactor authentication (MFA) and SSH key-based authentication for secure access.

+ - Use role-based access control (RBAC) to manage user permissions and ensure compliance with security policies.

+* **Optimize user experience:**

+ - Provide clear documentation and training for users on how to access and utilize different entry points.

+ - To ensure a smooth user experience, continuously monitor and optimize the performance of access points.

+* **Ensure compatibility and integration:**

+ - Test and validate the compatibility of remote desktop and web-based access solutions with HPC applications.

+ - To provide seamless resource management, integrate access solutions with the existing HPC infrastructure.

+* **Scalability and performance:**

+ - Configure access points to scale based on user demand, ensuring availability and performance during peak usage.

+ - Use performance metrics to monitor and optimize the entry point infrastructure regularly.

+## Example steps for setup and deployment

+**Setting up SSH access:**

+1. **Configure SSH server:**

+ - Install and configure an SSH server on the sign-in nodes.

+ - Generate and distribute SSH keys to users and configure user permissions.

+ ```bash

+ sudo apt-get install openssh-server

+ sudo systemctl enable ssh

+ sudo systemctl start ssh

+ ```

+2. **User authentication:**

+ - Set up SSH key-based authentication and configure the SSH server to disable password authentication for added security.

+ ```bash

+ ssh-keygen -t rsa -b 4096

+ ssh-copy-id user@hpc-login-node

+ ```

+**Setting up remote desktop access:**

+1. **Deploy VDI solution:**

+ - Choose and deploy a VDI solution that fits your HPC environment (for example, Windows Virtual Desktop, VNC).

+ - Configure remote desktop protocols and ensure they're compatible with user applications.

+2. **Configure remote desktop access:**

+ - Set up remote desktop services on the HPC sign-in nodes and configure user permissions.

+ ```bash

+ sudo apt-get install xrdp

+ sudo systemctl enable xrdp

+ sudo systemctl start xrdp

+ ```

+**Setting up web browser-based access:**

+1. **Deploy JupyterHub or RStudio Server:**

+ - Install and configure JupyterHub or RStudio Server on the HPC environment.

+ ```bash

+ sudo apt-get install jupyterhub

+ sudo systemctl enable jupyterhub

+ sudo systemctl start jupyterhub

+ ````

+2. **Integrate with HPC resources:**

+ - Configure the web-based platforms to integrate with the HPC scheduler and compute resources.

+ ```bash

+ jupyterhub --no-ssl --port 8000

+ ```

+## Resources

+- Azure CycleCloud CLI installation guide: [product website](/azure/cyclecloud/how-to/install-cyclecloud-cli?view=cyclecloud-8&preserve-view=true)

+- Azure CycleCloud CLI reference guide: [product website](/azure/cyclecloud/cli?view=cyclecloud-8&preserve-view=true)

+- Azure CycleCloud REST API reference guide: [product website](/azure/cyclecloud/api?view=cyclecloud-8&preserve-view=true)

+- Azure CycleCloud Python API reference guide: [product website](/azure/cyclecloud/python-api?view=cyclecloud-8&preserve-view=true)

+- Remote visualization via OnDemand and AzHop: [blog post](https://techcommunity.microsoft.com/t5/azure-high-performance-computing/azure-hpc-ondemand-platform-cloud-hpc-made-easy/ba-p/2537338)

+- LSF Scheduler CLI commands: [external](https://www.ibm.com/docs/en/spectrum-lsf/10.1.0?topic=reference-command)

+- PBS Scheduler CLI commands: [external](https://2021.help.altair.com/2021.1.2/PBS%20Professional/PBSUserGuide2021.1.2.pdf)

+- Slurm Scheduler CLI commands: [external](https://slurm.schedmd.com/pdfs/summary.pdf)

+- Open OnDemand: [external](https://openondemand.org/)

+ Title: "Deployment step 5: end-user entry point - overview"

+description: Learn about production-level environment migration deployment step five.

+# Deployment step 5: end-user entry point - overview

+Providing a consistent end-user entry point is crucial for ensuring a smooth transition from on-premises to the cloud in an HPC environment. Whether users access resources through an SSH sign-in node or a web portal, maintaining a familiar experience helps minimize disruptions.

+This section explores the options for user interaction, emphasizing the importance of addressing potential latency issues that may arise when moving to the cloud. It also provides guidance on tools, services, and best practices to optimize the user entry point for HPC lift-and-shift deployments. A quick start setup is included to help establish this component efficiently, with the goal of automating it as the cloud infrastructure matures.

+## Options for user interaction

+End-users may benefit from having similar experience accessing resources on-premises and in the cloud. Whether users go to a sign-in node via ssh or a web portal to submit jobs, we recommend you keep the same user experience and access if there are any latency issues that users may face compared to on-premises environment.

+For details, check the description of the following component:

+- [End-user entry point](lift-and-shift-step-5-end-user-entry-point.md)

+Here we describe each component. Each section includes:

+- An overview description of what the component is

+- What the requirements for the component are (that is, what do we need from the component)

+- Tools and services available

+- Best practices for the component in the context of HPC lift & shift

+- An example of a quick start setup

+The goal of the quick start is to have a sense on how to start using the component. As the HPC cloud deployment matures, one is expected to automate the usage of the component, by using, for instance, Infrastructure as Software tools such as Terraform or Bicep.

+In order to configure hash based distribution, you must select session persistence to be **None** in the Azure portal. This specifies that successive requests from the same client can be handled by any virtual machine.

+ :::image type="content" source="./media/load-balancer-standard-virtual-machine-scale-sets/load-balancer-and-vm-scale-sets.png" alt-text="Screenshot that shows load-balancing rule creation." border="true":::

+To run code that doesn't fit these attributes, you can [create and call a function using Azure Functions](call-azure-functions-from-workflows.md).

+> first [enable authentication for Azure Functions](call-azure-functions-from-workflows.md#enable-authentication-functions).

+ :::image type="content" source="media/call-azure-functions-from-workflows/function-cors-origins.png" alt-text="Screenshot shows Azure portal, CORS pane, and wildcard character * entered under Allowed Origins." lightbox="media/call-azure-functions-from-workflows/function-cors-origins.png":::

+ :::image type="content" source="media/call-azure-functions-from-workflows/select-function-app-function-consumption.png" alt-text="Screenshot shows Consumption workflow with a selected function app and function." lightbox="media/call-azure-functions-from-workflows/select-function-app-function-consumption.png":::

+ :::image type="content" source="media/call-azure-functions-from-workflows/function-request-body-example-consumption.png" alt-text="Screenshot shows Consumption workflow and a function with a Request Body example for the context object payload." lightbox="media/call-azure-functions-from-workflows/function-request-body-example-consumption.png":::

+ :::image type="content" source="media/call-azure-functions-from-workflows/request-body-example-complete.png" alt-text="Screenshot shows Consumption workflow and a function with a complete Request Body example for the context object payload." lightbox="media/call-azure-functions-from-workflows/request-body-example-complete.png":::

+ :::image type="content" source="media/call-azure-functions-from-workflows/function-request-body-string-cast-example.png" alt-text="Screenshot shows Consumption workflow and a Request Body example that casts context object as a string." lightbox="media/call-azure-functions-from-workflows/function-request-body-string-cast-example.png":::

+ :::image type="content" source="media/call-azure-functions-from-workflows/select-function-app-function-standard.png" alt-text="Screenshot shows Standard workflow designer with selected function app and function." lightbox="media/call-azure-functions-from-workflows/select-function-app-function-standard.png":::

+ :::image type="content" source="media/call-azure-functions-from-workflows/function-request-body-example-standard.png" alt-text="Screenshot shows Standard workflow and a function with a Request Body example for the context object payload." lightbox="media/call-azure-functions-from-workflows/function-request-body-example-standard.png":::

+ :::image type="content" source="media/call-azure-functions-from-workflows/request-body-example-complete.png" alt-text="Screenshot shows Standard workflow and a function with a complete Request Body example for the context object payload." lightbox="media/call-azure-functions-from-workflows/request-body-example-complete.png":::

+ :::image type="content" source="media/call-azure-functions-from-workflows/function-request-body-string-cast-example.png" alt-text="Screenshot shows Standard workflow and a Request Body example that casts context object as a string." lightbox="media/call-azure-functions-from-workflows/function-request-body-string-cast-example.png":::

+ :::image type="content" source="media/call-azure-functions-from-workflows/open-advanced-tools-kudu.png" alt-text="Screenshot shows function app menu with selected options for Advanced Tools and Go." lightbox="media/call-azure-functions-from-workflows/open-advanced-tools-kudu.png":::

+ :::image type="content" source="medi." lightbox="media/call-azure-functions-from-workflows/open-debug-console-kudu.png":::

+ :::image type="content" source="media/call-azure-functions-from-workflows/select-site-wwwroot-function-folder.png" alt-text="Screenshot shows folder list with the opened folders for the site, wwwroot, and your function." lightbox="media/call-azure-functions-from-workflows/select-site-wwwroot-function-folder.png":::

+ :::image type="content" source="media/call-azure-functions-from-workflows/edit-function-json-file.png" alt-text="Screenshot shows the function.json file with selected edit command." lightbox="media/call-azure-functions-from-workflows/edit-function-json-file.png":::

+ :::image type="content" source="media/call-azure-functions-from-workflows/set-authentication-level-function-app.png" alt-text="Screenshot shows bindings object with authLevel property set to anonymous." lightbox="media/call-azure-functions-from-workflows/set-authentication-level-function-app.png":::

+ :::image type="content" source="media/call-azure-functions-from-workflows/tenant-id.png" alt-text="Screenshot shows Microsoft Entra ID Properties page with tenant ID's copy button selected." lightbox="media/call-azure-functions-from-workflows/tenant-id.png":::

+ :::image type="content" source="media/call-azure-functions-from-workflows/system-identity-consumption.png" alt-text="Screenshot shows Consumption logic app's Identity page with selected tab named System assigned." lightbox="media/call-azure-functions-from-workflows/system-identity-consumption.png":::

+ :::image type="content" source="media/call-azure-functions-from-workflows/user-identity-consumption.png" alt-text="Screenshot shows Consumption logic app's Identity page with selected tab named User assigned." lightbox="media/call-azure-functions-from-workflows/user-identity-consumption.png":::

+ :::image type="content" source="media/call-azure-functions-from-workflows/user-identity-object-id.png" alt-text="Screenshot shows Consumption logic app's user-assigned identity Overview page with the object (principal) ID selected." lightbox="media/call-azure-functions-from-workflows/user-identity-object-id.png":::

+ :::image type="content" source="media/call-azure-functions-from-workflows/find-enterprise-application-id.png" alt-text="Screenshot shows Entra tenant page named All applications, with enterprise application object ID in search box, and selected matching application ID." lightbox="media/call-azure-functions-from-workflows/find-enterprise-application-id.png":::

+ :::image type="content" source="media/call-azure-functions-from-workflows/add-identity-provider.png" alt-text="Screenshot shows function app menu with Authentication page and selected option named Add identity provider." lightbox="media/call-azure-functions-from-workflows/add-identity-provider.png":::

+ | **Client secret** | Optional, but recommended | <*client-secret*> | The secret value that the app uses to prove its identity when requesting a token. The client secret is created and stored in your app's configuration as a slot-sticky [application setting](../app-service/configure-common.md#configure-app-settings) named **MICROSOFT_PROVIDER_AUTHENTICATION_SECRET**. <br><br>- Make sure to regularly rotate secrets and store them securely. For example, manage your secrets in Azure Key Vault where you can use a managed identity to retrieve the key without exposing the value to an unauthorized user. You can update this setting to use [Key Vault references](../app-service/app-service-key-vault-references.md). <br><br>- If you provide a client secret value, sign-in operations use the hybrid flow, returning both access and refresh tokens. <br><br>- If you don't provide a client secret, sign-in operations use the [OAuth 2.0 implicit grant flow](/entra/identity-platform/v2-oauth2-implicit-grant-flow). This method directly returns only an ID token or access token. These tokens are sent by the provider and stored in the EasyAuth token store. <br><br>**Important**: Due to security risks, the implicit grant flow is [no longer a suitable authentication method](/entra/identity-platform/v2-oauth2-implicit-grant-flow#prefer-the-auth-code-flow). Instead, use either [authorization code flow with Proof Key for Code Exchange (PKCE)](/entra/msal/dotnet/advanced/spa-authorization-code) or [single-page application (SPA) authorization codes](/entra/msal/dotnet/advanced/spa-authorization-code). |

+ :::image type="content" source="media/call-azure-functions-from-workflows/identity-provider-authentication-settings.png" alt-text="Screenshot shows app registration for your logic app and identity provider for your function app." lightbox="media/call-azure-functions-from-workflows/identity-provider-authentication-settings.png":::

+ :::image type="content" source="media/call-azure-functions-from-workflows/identity-provider-application-id.png" alt-text="Screenshot shows new identity provider for function app." lightbox="media/call-azure-functions-from-workflows/identity-provider-application-id.png":::

+* [Call Azure Functions from Azure Logic Apps](call-azure-functions-from-workflows.md)

+1. Before an Azure function can use a managed identity, first [enable authentication for Azure functions](call-azure-functions-from-workflows.md#enable-authentication-functions).

+* To run your own code or perform XML transformation, [create and call an Azure function](call-azure-functions-from-workflows.md), rather than use the [inline code capability](../logic-apps/logic-apps-add-run-inline-code.md) or provide [assemblies to use as maps](../logic-apps/logic-apps-enterprise-integration-maps.md), respectively. Also, set up the hosting environment for your function app to comply with your isolation requirements.

+ For example, you might be able to reduce costs when accessing other resources by using the [HTTP action](../connectors/connectors-native-http.md) or by calling a function that you created by using the [Azure Functions service](../azure-functions/functions-overview.md) and using the [built-in Azure Functions action](call-azure-functions-from-workflows.md). However, using Azure Functions also incurs costs, so make sure that you compare your options.

+ * The built-in action, [Azure Functions - Choose an Azure function](call-azure-functions-from-workflows.md) is now **Azure Functions Operations - Call an Azure function**. This action currently works only for functions that are created from the **HTTP Trigger** template.

+| <*quotient-result*> | Integer or Float | The result from dividing the first number by the second number. If either the dividend or divisor has Float type, the result has Float type. <br><br><br><br>**Note**: To convert the float result to an integer, try [creating and calling a function in Azure](call-azure-functions-from-workflows.md) from your logic app. |

+ :::image type="content" source="media/deterministic-ips/add-ip-data-source-firewall.png" alt-text="Screenshot of the Azure platform. Add Disable public network access.":::

+1. Under **Firewall**, check the box **Add your client IP address** and under **Address range**, enter the IP addresses found in your Azure Managed Grafana workspace.

+1. Select **Save** to finish adding the Azure Managed Grafana outbound IP addresses to the allowlist.

+ - If the following error message is displayed, Azure Managed Grafana can't access the data source: `Post "https://<Azure-Data-Explorer-URI>/v1/rest/query": dial tcp ...: i/o timeout`. Make sure that you've entered the IP addresses correctly in the data source firewall allowlist.

+1. Open your Azure Managed Grafana workspace and go to **Networking** > **Managed Private Endpoint** > **Add**.

+### Option 2: Discover using non-sudo user account

+- If you can't provide user account with sudo access, then you can set 'isSudo' registry key to value '0' in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureAppliance registry on the appliance server.

+- Provide a non-sudo user account with the required capabilities.

+ - Sign in as root user. Create a non-sudo user account by running the `sudo useradd <account-name>` command. Set a password for the non-sudo user account using the `sudo passwd <account-name>` command.

+ - Add the non-sudo user account to the wheel group using this command: `sudo usermod ΓÇôaG wheel <account-name>`. Users in this group have permissions to run setcap commands as detailed below.

+ - Sign in to the non-sudo user account that was created and run the following commands:

+ setcap CAP_DAC_READ_SEARCH+eip /usr/sbin/fdisk <br></br> setcap CAP_DAC_READ_SEARCH+eip /sbin/fdisk _(if /usr/sbin/fdisk is not present)_ | To collect disk configuration data.

+ setcap "cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_admin,cap_sys_chroot,cap_sys_admin,<br> cap_sys_resource,cap_audit_control,cap_setfcap=+eip" /sbin/lvm | To collect disk performance data.

+ setcap CAP_DAC_READ_SEARCH+eip /usr/sbin/dmidecode | To collect BIOS serial number.

+ chmod a+r /sys/class/dmi/id/product_uuid | To collect BIOS GUID.

+ sudo setcap CAP_DAC_READ_SEARCH,CAP_SYS_PTRACE=ep /bin/ls<br /> sudo setcap CAP_DAC_READ_SEARCH,CAP_SYS_PTRACE=ep /bin/netstat | To perform agentless dependency analysis on the server, set the required permissions on /bin/netstat and /bin/ls files.

+- Running all the above commands will prompt for a password. Enter the password of the non-sudo user account for each prompt.

+- Add the credentials of the non-sudo user account to the Azure Migrate appliance.

+- The non-sudo user account will execute the commands listedΓÇ»[here](discovered-metadata.md#linux-server-metadata) periodically.

+1. Extract the zipped file to a folder on the server that will host the appliance. Make sure you don't run the script on a server with an existing Azure Migrate appliance.

+1. Accept the **license terms**, and read the third party information.

+ - If you have added proxy details or disabled the proxy or authentication, select **Save** to trigger connectivity, and check connectivity again.

+1. If you're using SSH key-based authentication for Linux server, you can select source type as **Linux Server (SSH key-based)**, specify a friendly name for credentials, add the username, browse, and select the SSH private key file. Select **Save**.

+ - The SSH key file supports CRLF to mark a line break in the text file that you upload. SSH keys created on Linux systems most commonly have LF as their newline character so you can convert them to CRLF by opening the file in vim, typing `:set textmode`, and saving the file.

+ - If you choose **Add multiple items**, you can add multiple records at once by specifying server **IP address/FQDN** with the friendly name for credentials in the text box. **Verify** the added records, and select **Save**.

+ - If you choose **Import CSV** _(selected by default)_, you can download a CSV template file, populate the file with the server **IP address/FQDN** and friendly name for credentials. You then import the file into the appliance, **verify** the records in the file, and select **Save**.

+1. Select **Save**. The appliance tries validating the connection to the servers added and shows the **Validation status** in the table against each server.

+You can provision Oracle Database@Azure using the Azure portal and Azure APIs, SDKs, and Terraform. Management of Oracle database system infrastructure and VM cluster resources takes place in the Azure portal as well.

+To purchase Oracle Database@Azure, contact [Oracle's sales team](https://go.oracle.com/LP=138489) or your Oracle sales representative for a sale offer. Oracle Sales team creates an Azure Private Offer in the Azure Marketplace for your service. After an offer is made for your organization, you can accept the offer and complete the purchase in the Azure portal's Marketplace service. For more information on Azure private offers, see [Overview of the commercial marketplace and enterprise procurement](/marketplace/procurement-overview).

+- [Groups and roles for Oracle Database@Azure](oracle-database-groups-roles.md)

+ Title: Terraform/OpenTofu examples for Exadata Services

+description: Learn about Terraform/OpenTofu examples for Exadata services

+# Terraform/OpenTofu examples for Exadata services

+In this article, you learn about how to use HashiCorp Terraform, to provision and manage resources for Oracle Database@Azure using the Terraform tool that enables you to provision and manage infrastructure in Oracle Cloud Infrastructure (OCI).

+For more information on reference implementations for Terraform or OpenTofu modules, sees the following links:

+* [QuickStart Oracle Database@Azure with Terraform or OpenTofu Modules](https://docs.oracle.com/en/learn/dbazure-terraform/https://docsupdatetracker.net/index.html)

+* [OCI Landing Zones](https://github.com/oci-landing-zones/)

+* [Azure Verified Modules](https://aka.ms/avm)

+ >[!NOTE]

+ > This document describes examples of provisioning and management of Oracle Database@Azure resources through Terraform provider `AzAPI`. For detailed AzAPI provider resources and data sources documentation, see [https://registry.terraform.io/providers/Azure/azapi/latest/docs](https://registry.terraform.io/providers/Azure/azapi/latest/docs)

+The samples use example values for illustration purposes. You must replace them with your own settings.

+The samples use [AzAPI Dynamic Properties](https://techcommunity.microsoft.com/t5/azure-tools-blog/announcing-azapi-dynamic-properties/ba-p/4121855) instead of `JSONEncode` for more native Terraform behavior.

+## Oracle Exadata services

+In this section, you will find examples of how to use the `AzAPI` provider to manage Oracle Exadata services in Azure.

+### Exadata Infrastructure

+In this section, you will find examples of how to use the `AzAPI` provider to manage Oracle Exadata infrastructure in Azure.

+#### Create an Oracle Exadata Infrastructure

+```resource "azapi_resource" "resource_group" {

+ type = "Microsoft.Resources/resourceGroups@2023-07-01"

+ name = "ExampleRG"

+ location = "eastus"

+}

+

+// OperationId: CloudExadataInfrastructures_CreateOrUpdate, CloudExadataInfrastructures_Get, CloudExadataInfrastructures_Delete

+// PUT /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Oracle.Database/cloudExadataInfrastructures/{cloudexadatainfrastructurename}

+resource "azapi_resource" "cloudExadataInfrastructure" {

+ type = "Oracle.Database/cloudExadataInfrastructures@2023-09-01"

+ parent_id = azapi_resource.resource_group.id

+ name = "ExampleName"

+ body = {

+ "location" : "eastus",

+ "zones" : [

+ "2"

+ ],

+ "tags" : {

+ "createdby" : "ExampleName"

+ },

+ "properties" : {

+ "computeCount" : 2,

+ "displayName" : "ExampleName",

+ "maintenanceWindow" : {

+ "leadTimeInWeeks" : 0,

+ "preference" : "NoPreference",

+ "patchingMode" : "Rolling"

+ },

+ "shape" : "Exadata.X9M",

+ "storageCount" : 3

+ }

+ }

+ schema_validation_enabled = false

+}

+```

+#### List Oracle Exadata Infrastructures by Subscription

+```data "azapi_resource" "subscription" {

+ type = "Microsoft.Resources/subscriptions@2020-06-01"

+ response_export_values = ["*"]

+}

+

+// OperationId: CloudExadataInfrastructures_ListBySubscription

+// GET /subscriptions/{subscriptionId}/providers/Oracle.Database/cloudExadataInfrastructures

+data "azapi_resource_list" "listCloudExadataInfrastructuresBySubscription" {

+ type = "Oracle.Database/cloudExadataInfrastructures@2023-09-01"

+ parent_id = data.azapi_resource.subscription.id

+}

+```

+#### List Oracle Exadata Infrastructures by Resource Group

+```data "azurerm_resource_group" "example" {

+ name = "existing"

+}

+

+// OperationId: CloudExadataInfrastructures_ListByResourceGroup

+// GET /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Oracle.Database/cloudExadataInfrastructures

+data "azapi_resource_list" "listCloudExadataInfrastructuresByResourceGroup" {

+ type = "Oracle.Database/cloudExadataInfrastructures@2023-09-01"

+ parent_id = azurerm_resource_group.example.id

+}

+```

+#### Patch an Oracle Exadata Infrastructure

+ >[!NOTE]

+ > Only Microsoft Azure tags on the resource can be updated through the AzAPI provider.

+```data "azapi_resource" "subscription" {

+ type = "Microsoft.Resources/subscriptions@2020-06-01"

+ response_export_values = ["*"]

+}

+

+// OperationId: CloudExadataInfrastructures_Update

+// PATCH /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Oracle.Database/cloudExadataInfrastructures/{cloudexadatainfrastructurename}

+resource "azapi_resource_action" "patch_cloudExadataInfrastructure" {

+ type = "Oracle.Database/cloudExadataInfrastructures@2023-09-01"

+ resource_id = azapi_resource.cloudExadataInfrastructure.id

+ action = ""

+ method = "PATCH"

+ body = {

+ "tags" : {

+ "updatedby" : "ExampleName"

+ }

+ }

+}

+```

+#### List database servers on an Oracle Exadata infrastructure

+```// OperationId: DbServers_Get

+// GET /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Oracle.Database/cloudExadataInfrastructures/{cloudexadatainfrastructurename}/dbServers/{dbserverocid}

+data "azapi_resource" "dbServer" {

+ type = "Oracle.Database/cloudExadataInfrastructures/dbServers@2023-09-01"

+ parent_id = azapi_resource.cloudExadataInfrastructure.id

+ name = var.resource_name

+}

+```

+## Exadata VM Cluster

+### Create an Oracle Exadata VM Cluster

+```resource "azapi_resource" "resource_group" {

+ type = "Microsoft.Resources/resourceGroups@2023-07-01"

+ name = "ExampleRG" location = "eastus"

+}

+

+// OperationId: CloudExadataInfrastructures_CreateOrUpdate, CloudExadataInfrastructures_Get, CloudExadataInfrastructures_Delete

+// PUT /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Oracle.Database/cloudExadataInfrastructures/{cloudexadatainfrastructurename}

+resource "azapi_resource" "cloudExadataInfrastructure" {

+ type = "Oracle.Database/cloudExadataInfrastructures@2023-09-01"

+ parent_id = azapi_resource.resource_group.id

+ name = "ExampleName"

+ body = {

+ "location" : "eastus",

+ "zones" : [

+ "2"

+ ],

+ "tags" : {

+ "createdby" : "ExampleName"

+ },

+ "properties" : {

+ "computeCount" : 2,

+ "displayName" : "ExampleName",

+ "maintenanceWindow" : {

+ "leadTimeInWeeks" : 0,

+ "preference" : "NoPreference",

+ "patchingMode" : "Rolling"

+ },

+ "shape" : "Exadata.X9M",

+ "storageCount" : 3

+ }

+ }

+ schema_validation_enabled = false

+}

+

+//-VMCluster resources

+// OperationId: CloudVmClusters_CreateOrUpdate, CloudVmClusters_Get, CloudVmClusters_Delete

+// PUT GET DELETE /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Oracle.Database/cloudVmClusters/{cloudvmclustername}

+resource "azapi_resource" "cloudVmCluster" {

+ type = "Oracle.Database/cloudVmClusters@2023-09-01"

+ parent_id = azapi_resource.resourceGroup.id

+ name = local.exa_cluster_name

+ schema_validation_enabled = false

+ depends_on = [azapi_resource.cloudExadataInfrastructure]

+ body = {

+ "properties": {

+ "dataStorageSizeInTbs": 1000,

+ "dbNodeStorageSizeInGbs": 1000,

+ "memorySizeInGbs": 1000,

+ "timeZone": "UTC",

+ "hostname": "hostname1",

+ "domain": "domain1",

+ "cpuCoreCount": 2,

+ "ocpuCount": 3,

+ "clusterName": "cluster1",

+ "dataStoragePercentage": 100,

+ "isLocalBackupEnabled": false,

+ "cloudExadataInfrastructureId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg000/providers/Oracle.Database/cloudExadataInfrastructures/infra1",

+ "isSparseDiskgroupEnabled": false,

+ "sshPublicKeys": [

+ "ssh-key 1"

+ ],

+ "nsgCidrs": [

+ {

+ "source": "10.0.0.0/16",

+ "destinationPortRange": {

+ "min": 1520,

+ "max": 1522

+ }

+ },

+ {

+ "source": "10.10.0.0/24"

+ }

+ ],

+ "licenseModel": "LicenseIncluded",

+ "scanListenerPortTcp": 1050,

+ "scanListenerPortTcpSsl": 1025,

+ "vnetId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg000/providers/Microsoft.Network/virtualNetworks/vnet1",

+ "giVersion": "19.0.0.0",

+ "subnetId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg000/providers/Microsoft.Network/virtualNetworks/vnet1/subnets/subnet1",

+ "backupSubnetCidr": "172.17.5.0/24",

+ "dataCollectionOptions": {

+ "isDiagnosticsEventsEnabled": false,

+ "isHealthMonitoringEnabled": false,

+ "isIncidentLogsEnabled": false

+ },

+ "displayName": "cluster 1",

+ "dbServers": [

+ "ocid1..aaaa"

+ ]

+ },

+ "location": "eastus"

+ }

+ response_export_values = ["properties.ocid"]

+}

+```

+### List Oracle Exadata VM Clusters by Subscription

+```data "azapi_resource" "subscription" {

+ type = "Microsoft.Resources/subscriptions@2020-06-01"

+ response_export_values = ["*"]

+}

+

+// OperationId: CloudExadataInfrastructures_ListBySubscription

+// GET /subscriptions/{subscriptionId}/providers/Oracle.Database/cloudExadataInfrastructures

+data "azapi_resource_list" "listCloudExadataInfrastructuresBySubscription" {

+ type = "Oracle.Database/cloudVmClusters@2023-09-01"

+ parent_id = data.azapi_resource.subscription.id

+}

+```

+### List Oracle Exadata VM Clusters by Resource Group

+```data "azurerm_resource_group" "example" {

+ name = "existing"

+}

+

+// OperationId: CloudExadataInfrastructures_ListByResourceGroup

+// GET /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Oracle.Database/cloudExadataInfrastructures

+data "azapi_resource_list" "listCloudExadataInfrastructuresByResourceGroup" {

+ type = "Oracle.Database/cloudVmClusters@2023-09-01"

+ parent_id = azurerm_resource_group.example.id

+}

+```

+### List Database Nodes on an Oracle Exadata VM Cluster

+```// OperationId: DbNodes_Get

+// GET /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Oracle.Database/cloudVmClusters/{cloudvmclustername}/dbNodes/{dbnodeocid}

+data "azapi_resource" "dbNode" {

+ type = "Oracle.Database/cloudVmClusters/dbNodes@2023-09-01"

+ parent_id = azapi_resource.cloudVmCluster.id. // VM Cluster Id

+ name = var.resource_name

+}

+```

+### Add a Virtual Network Address to an Exadata VM Cluster

+```// OperationId: VirtualNetworkAddresses_CreateOrUpdate, VirtualNetworkAddresses_Get, VirtualNetworkAddresses_Delete

+// PUT GET DELETE /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Oracle.Database/cloudVmClusters/{cloudvmclustername}/virtualNetworkAddresses/{virtualnetworkaddressname}

+resource "azapi_resource" "virtualNetworkAddress" {

+ type = "Oracle.Database/cloudVmClusters/virtualNetworkAddresses@2023-09-01"

+ parent_id = azapi_resource.cloudVmCluster.id

+ name = var.resource_name

+ body = {

+ "properties": {

+ "ipAddress": "192.168.0.1",

+ "vmOcid": "ocid1..aaaa"

+ }

+ }

+ schema_validation_enabled = false

+}

+```

+### List Virtual Network Addresses on an Oracle Exadata VM Cluster

+```// OperationId: VirtualNetworkAddresses_ListByCloudVmCluster

+// GET /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Oracle.Database/cloudVmClusters/{cloudvmclustername}/virtualNetworkAddresses

+data "azapi_resource_list" "listVirtualNetworkAddressesByCloudVmCluster" {

+ type = "Oracle.Database/cloudVmClusters/virtualNetworkAddresses@2023-09-01"

+ parent_id = azapi_resource.cloudVmCluster.id

+}

+```

+## Exadata Database Shape

+In this section, you will find examples of how to use the `AzAPI` provider to manage Oracle Exadata Database shapes in Azure.

+### List an Oracle Exadata Database Shape

+```data "azapi_resource_id" "location" {

+ type = "Oracle.Database/locations@2023-12-12"

+ parent_id = data.azapi_resource.subscription.id

+ name = "eastus"

+}

+

+// OperationId: DbSystemShapes_Get

+// GET /subscriptions/{subscriptionId}/providers/Oracle.Database/locations/{location}/dbSystemShapes/{dbsystemshapename}

+data "azapi_resource" "dbSystemShape" {

+ type = "Oracle.Database/locations/dbSystemShapes@2023-09-01"

+ parent_id = data.azapi_resource_id.location.id

+ name = var.resource_name

+}

+```

+### List Oracle Exadata Databases by Location

+``` // OperationId: DbSystemShapes_ListByLocation

+// GET /subscriptions/{subscriptionId}/providers/Oracle.Database/locations/{location}/dbSystemShapes

+data "azapi_resource_list" "listDbSystemShapesByLocation" {

+ type = "Oracle.Database/locations/dbSystemShapes@2023-09-01"

+ parent_id = data.azapi_resource_id.location.id

+}

+```

+## Combined Exadata Services

+In this section, you will find examples of how to use the `AzAPI` provider to manage Oracle Exadata services in Azure.

+### Create an Oracle Database Home on an Exadata VM Cluster on an Exadata Infrastructure with a Delegated Subnet in Microsoft Azure

+ >[!NOTE]

+ >The following script creates an Oracle Exadata Infrastructure and an Oracle Exadata VM Cluster using the `AzAPI` Terraform provider followed by creating an Exadata Database deployment using the [OCI Terraform provider](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/database_db_home).

+```terraform {

+ required_providers {

+ azapi = {

+ source = "Azure/azapi"

+ }

+ oci = {

+ source = "oracle/oci"

+ }

+ }

+}

+

+provider "azapi" {

+ skip_provider_registration = false

+}

+

+provider "oci" {

+ user_ocid = <user_ocid>

+ fingerprint = <user_fingerprint>

+ tenancy_ocid = <oci_tenancy_ocid>

+ region = "us-ashburn-1"

+ private_key_path = <Path to API Key>

+}

+

+locals {

+ resource_group_name = "TestResourceGroup"

+ user = "Username"

+ location = "eastus"

+}

+

+resource "azapi_resource" "resource_group" {

+ type = "Microsoft.Resources/resourceGroups@2023-07-01"

+ name = local.resource_group_name

+ location = local.location

+}

+

+resource "azapi_resource" "virtual_network" {

+ type = "Microsoft.Network/virtualNetworks@2023-04-01"

+ name = "${local.resource_group_name}_vnet"

+ location = local.location

+ parent_id = azapi_resource.resource_group.id

+ body = {

+ properties = {

+ addressSpace = {

+ addressPrefixes = [

+ "10.0.0.0/16"

+ ]

+ }

+ subnets = [

+ {

+ name = "delegated"

+ properties = {

+ addressPrefix = "10.0.1.0/24"

+ delegations = [

+ {

+ name = "Oracle.Database.networkAttachments"

+ properties = {

+ serviceName = "Oracle.Database/networkAttachments"

+ }

+ }

+ ]

+ }

+ }

+ ]

+ }

+ }

+}

+

+data "azapi_resource_list" "listVirtualNetwork" {

+ type = "Microsoft.Network/virtualNetworks/subnets@2023-09-01"

+ parent_id = azapi_resource.virtual_network.id

+ depends_on = [azapi_resource.virtual_network]

+ response_export_values = ["*"]

+}

+

+resource "tls_private_key" "generated_ssh_key" {

+ algorithm = "RSA"

+ rsa_bits = 4096

+}

+

+resource "azapi_resource" "ssh_public_key" {

+ type = "Microsoft.Compute/sshPublicKeys@2023-09-01"

+ name = "${local.resource_group_name}_key"

+ location = local.location

+ parent_id = azapi_resource.resource_group.id

+ body = {

+ properties = {

+ publicKey = "${tls_private_key.generated_ssh_key.public_key_openssh}"

+ }

+ }

+}

+

+// OperationId: CloudExadataInfrastructures_CreateOrUpdate, CloudExadataInfrastructures_Get, CloudExadataInfrastructures_Delete

+// PUT /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Oracle.Database/cloudExadataInfrastructures/{cloudexadatainfrastructurename}

+resource "azapi_resource" "cloudExadataInfrastructure" {

+ type = "Oracle.Database/cloudExadataInfrastructures@2023-09-01"

+ parent_id = azapi_resource.resource_group.id

+ name = "OFake_terraform_deploy_infra_${local.resource_group_name}"

+ timeouts {

+ create = "1h30m"

+ delete = "20m"

+ }

+ body = {

+ "location" : "${local.location}",

+ "zones" : [

+ "2"

+ ],

+ "tags" : {

+ "createdby" : "${local.user}"

+ },

+ "properties" : {

+ "computeCount" : 2,

+ "displayName" : "OFake_terraform_deploy_infra_${local.resource_group_name}",

+ "maintenanceWindow" : {

+ "leadTimeInWeeks" : 0,

+ "preference" : "NoPreference",

+ "patchingMode" : "Rolling"

+ },

+ "shape" : "Exadata.X9M",

+ "storageCount" : 3

+ }

+

+ }

+ schema_validation_enabled = false

+}

+

+// OperationId: DbServers_ListByCloudExadataInfrastructure

+// GET /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Oracle.Database/cloudExadataInfrastructures/{cloudexadatainfrastructurename}/dbServers

+data "azapi_resource_list" "listDbServersByCloudExadataInfrastructure" {

+ type = "Oracle.Database/cloudExadataInfrastructures/dbServers@2023-09-01"

+ parent_id = azapi_resource.cloudExadataInfrastructure.id

+ depends_on = [azapi_resource.cloudExadataInfrastructure]

+ response_export_values = ["*"]

+}

+

+// OperationId: CloudVmClusters_CreateOrUpdate, CloudVmClusters_Get, CloudVmClusters_Delete

+// PUT /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Oracle.Database/cloudVmClusters/{cloudvmclustername}

+resource "azapi_resource" "cloudVmCluster" {

+ type = "Oracle.Database/cloudVmClusters@2023-09-01"

+ parent_id = azapi_resource.resource_group.id

+ name = "OFake_terraform_deploy_cluster_${local.resource_group_name}"

+ schema_validation_enabled = false

+ depends_on = [azapi_resource.cloudExadataInfrastructure]

+ timeouts {

+ create = "1h30m"

+ delete = "20m"

+ }

+ body = {

+ "location" : "${local.location}",

+ "tags" : {

+ "createdby" : "${local.user}"

+ },

+ "properties" : {

+ "subnetId" : "${data.azapi_resource_list.listVirtualNetwork.output.value[0].id}"

+ "cloudExadataInfrastructureId" : "${azapi_resource.cloudExadataInfrastructure.id}"

+ "cpuCoreCount" : 4

+ "dataCollectionOptions" : {

+ "isDiagnosticsEventsEnabled" : true,

+ "isHealthMonitoringEnabled" : true,

+ "isIncidentLogsEnabled" : true

+ },

+ "dataStoragePercentage" : 80,

+ "dataStorageSizeInTbs" : 2,

+ "dbNodeStorageSizeInGbs" : 120,

+ "dbServers" : [

+ "${data.azapi_resource_list.listDbServersByCloudExadataInfrastructure.output.value[0].properties.ocid}",

+ "${data.azapi_resource_list.listDbServersByCloudExadataInfrastructure.output.value[1].properties.ocid}"

+ ]

+ "displayName" : "OFake_terraform_deploy_cluster_${local.resource_group_name}",

+ "giVersion" : "19.0.0.0",

+ "hostname" : "${local.user}",

+ "isLocalBackupEnabled" : false,

+ "isSparseDiskgroupEnabled" : false,

+ "licenseModel" : "LicenseIncluded",

+ "memorySizeInGbs" : 60,

+ "sshPublicKeys" : ["${tls_private_key.generated_ssh_key.public_key_openssh}"],

+ "timeZone" : "UTC",

+ "vnetId" : "${azapi_resource.virtual_network.id}",

+ "provisioningState" : "Succeeded"

+ }

+ }

+ response_export_values = ["properties.ocid"]

+}

+

+resource "oci_database_db_home" "exa_db_home" {

+ source = "VM_CLUSTER_NEW"

+ vm_cluster_id = azapi_resource.cloudVmCluster.output.properties.ocid

+ db_version = "19.20.0.0"

+ display_name = "TFDBHOME"

+

+ database {

+ db_name = "TFCDB"

+ pdb_name = "TFPDB"

+ admin_password = "TestPass#2024#"

+ db_workload = "OLTP"

+ }

+ depends_on = [azapi_resource.cloudVmCluster]

+}

+```

+ Title: Manage Exadata resources

+description: Learn about how to manage Exadata resources.

+# Manage Exadata resources

+After provisioning an OracleDB@Azure resource, for example an Oracle Exadata Infrastructure or an Oracle Exadata VM Cluster, you can use the Microsoft Azure blade for a limited set of management functions, and those functions are described in this document.

+## Prerequisites

+There are prerequisites that must be completed before you can provision Exadata Services. You need to complete the following:

+- An existing Azure subscription

+- An Azure VNet with a subnet delegated to the Oracle Database@Azure service (`Oracle.Database/networkAttachments`)

+- Permissions in Azure to create resources in the region, with the following conditions:

+ * No policies prohibiting the creation of resources without tags, because the OracleSubscription resource is created automatically without tags during onboarding.

+ * No policies enforcing naming conventions, because the OracleSubscription resource is created automatically with a default resource name.

+- Purchase OracleDB@Azure in the Azure portal.

+- Select your Oracle Cloud Infrastructure (OCI) account.

+For more detailed documentation, including optional steps, see [Onboarding with Oracle Database@Azure](https://docs.oracle.com/iaas/Content/database-at-azure/oaaonboard.htm).

+## Common Management Functions from the Microsoft Azure Blade

+The following management functions are available for all resources from the Microsoft Azure blade for that resource.

+### Access the resource blade

+1. From the Microsoft Azure portal, select OracleDB@Azure application.

+1. From the left menu, select **Oracle Exadata Database@Azure**.

+1. If the blade lists and manages several resources, select the resource type at the top of the blade. For example, the **Oracle Exadata Database@Azure** blade accesses both Oracle Exadata Infrastructure and Oracle Exadata VM Cluster resources.

+### List status for all resources of the same type

+1. Follow the steps to **Access the resource blade**.

+1. Resources will be shown in the list as **Succeeded**, **Failed**, or **Provisioning**.

+1. Access the specifics of that resource by selecting the link in the **Name** field in the table.

+### Provision a new resource

+1. Follow the steps to **Access the resource blade**.

+1. Select the **+ Create** icon at the top of the blade.

+1. Follow the provisioning flow for the resource.

+ * [Provision Exadata infrastructure](exadata-provision-infrastructure.md)

+ * [Provision an Exadata VM cluster](exadata-provision-vm-cluster.md)

+### Refresh the blade's info

+1. Follow the steps to **Access the resource blade**.

+1. Select the **Refresh** icon at the top of the blade.

+1. Wait for the blade to reload.

+### Remove a resource

+1. Follow the steps to **Access the resource blade**.

+1. You can remove a single or multiple resources from the blade by selecting the checkbox on the left side of the table. Once you have selected the resource(s) to remove, you can then select the **Delete** icon at the top of the blade.

+1. You can also remove a single resource by selecting the link to the resource from the **Name** field in the table. From the resource's detail page, select the **Delete** icon at the top of the blade.

+### Add, manage, or delete resource tags

+1. Follow the steps to **Access the resource blade**.

+1. Select the link to the resource from the **Name** field in the table.

+1. From the resource's overview page, select the **Edit** link on the **Tags** field.

+1. To create a new tag, enter values in the **Name** and **Value** fields.

+1. To edit an existing tag, change the value in the existing tag's **Value** field.

+1. To delete an existing tag, select the **Trashcan** icon at the right-side of the tag.

+### Start, stop, or restart Oracle Exadata VM Cluster VMs

+1. Follow the steps to **Access the resource blade**.

+1. Select the Oracle Exadata VM Cluster blade.

+1. Select the link to the resource from the **Name** field in the table.

+1. From the resource's overview page, select the **Settings > Virtual machines** link on the left-side menu.

+1. To start a virtual machine (VM), select the **Start** icon. The **Start virtual machine** panel opens. Select the VM to start from the **Virtual machine** drop-down list. The drop-down list only populates with any unavailable VMs. Select the **Submit** button to start that VM, or the **Cancel** button to cancel the operation.

+1. To stop a virtual machine (VM), select the **Stop** icon. The **Stop virtual machine** panel opens. Select the VM to stop from the **Virtual machine** drop-down list. The drop-down list only populates with any available VMs. NOTE: Stopping a node may disrupt ongoing back-end software operations and database availability. Select the **Submit** button to stop that VM, or the **Cancel** button to cancel the operation.

+1. To restart a virtual machine (VM), select the **Restart** icon. The **Restart virtual machine** panel opens. Select the VM to restart from the Virtual machine drop-down list. The drop-down list only populates with any available VMs.

+

+ >[!NOTE]

+ >Restarting shuts down the node and then starts it. For single-node systems, databases are offline while the reboot is in progress.

+1. Select the **Submit** button to restart that VM, or the **Cancel** button to cancel the operation.

+### Access the OCI console

+1. Follow the steps to **Access the resource blade**.

+1. Select the link to the resource from the **Name** field in the table.

+1. From the resource's detail page, select the **Go to OCI** link on the **OCI Database URL** field.

+1. Log in to OCI.

+1. Manage the resource from within the OCI console.

+### Perform a connectivity test

+1. Follow the steps to Access the OCI console.

+1. In the OCI console, navigate to the **Pluggable Database Details** page for the database you want to test.

+1. Select the **PDB connection** button.

+1. Select **Show** link to expand the details for the **Connection Strings**.

+1. Open Oracle SQL Developer. If you don't have SQL Developer installed, download [SQL Developer](https://www.oracle.com/database/sqldeveloper/technologies/download/) and install.

+1. Within SQL Developer, open a new connection with the following information.

+ 1. **Name** - Enter a name of your choice used to save your connection.

+ 1. **Username** - Enter **SYS**.

+ 1. **Password** - Enter the password used when creating the PDB.

+ 1. **Role** - Select **SYSDBA**.

+ 1. **Save Password** - Select the box if your security rules allow. If not, you will need to enter the PDB password every time you use this connection in SQL Developer.

+ 1. **Connection Type** - Select **Basic**.

+ 1. **Hostname** - Enter one of the host IPs from the **Connection Strings** above.

+ 1. **Port** - The default is 1521. You only need to change this if you have altered default port settings for the PDB.

+ 1. **Service Name** - Enter the **SERVICE_NAME** value from the host IP you previously selected. This is from the **Connection Strings** above.

+ 1. Select the **Test** button. The Status at the bottom of the connections list, should show as **Success**. If the connection is not a success, one or more of the **Hostname**, **Port**, and **Service Name** fields is incorrect, or the PDB is not currently running.

+ 1. Select the **Save** button.

+ 1. Select the **Connect** button.

+### Manage network security group (NSG) rules

+1. Follow the steps to access the Oracle Exadata VM Cluster resource blade.

+1. Select the link to the resource from the **Name** field in the table.

+1. From the resource's detail page, select the **Go to OCI** link on the **OCI network security group URL** field.

+1. Log in to OCI.

+1. Manage the NSG rules from within the OCI console.

+1. For additional information on NSG rules and considerations within OracleDB@Azure, see the **Automatic Network Ingress Configuration** section of [Troubleshooting and Known Issues for Exadata Services](exadata-troubleshoot-services.md).

+### Support for OracleDB@Azure

+1. Follow the steps to Access the OCI console.

+1. From the OCI console, there are two ways to access support resources.

+ 1. At the top of the page, select the Help (?) icon at the top-right of the menu bar.

+ 1. On the right-side of the page, select the floating Support icon.

+

+ >[!NOTE]

+ >This icon can be moved by the user, and the precise horizontal location can vary from user to user.

+1. You have several support options from here, including documentation, requesting help via chat, visiting the Support Center, posting a question to a forum, submitting feedback, requesting a limit increase, and creating a support request.

+1. If you need to create a support request, select that option.

+1. The support request page will auto-populate with information needed by Oracle Support Services, including resource name, resource OCID, service group, service, and several other items dependent upon the specific OracleDB@Azure resource.

+1. Select the support option from the following options:

+ 1. Critical outage for critical production system outage or a critical business function is unavailable or unstable. You or an alternate contact must be available to work this issue 24x7 if needed.

+ 1. Significant impairment for critical system or a business function experiencing severe loss of service. Operations can continue in a restricted manner. You or an alternate contact are available to work this issue during normal business hours.

+ 1. Technical issue where functionality, errors, or a performance issue impact some operations.

+ 1. General guidance where a product or service usage question, product or service setup, or documentation clarification is needed.

+1. Select the **Create Support Request** button.

+1. The support ticket is created. This ticket can be monitored within the OCI console or via [My Oracle Support (MOS)](https://support.oracle.com/).

+ Title: Exadata services

+description: Learn about how to manage Exadata services.

+# Exadata services

+Oracle Database@Azure (OracleDB@Azure) provides you with seamless integration of Oracle resources within your Microsoft Azure cloud environment.

+You access the OracleDB@Azure service through the Microsoft Azure portal. You create and manage Oracle Exadata Infrastructure and Oracle Exadata VM Cluster resources with direct access to the Oracle Cloud Infrastructure (OCI) portal for creation and management of Oracle Exadata Databases, including all Container Databases (CDBs) and Pluggable Databases (PDBs).

+There are IP address requirement differences between Oracle Database@Azure and Oracle Cloud Infrastructure (OCI). In the [Requirements for IP Address Space](https://docs.oracle.com/iaas/exadatacloud/exacs/ecs-network-setup.html#GUID-D5C577A1-BC11-470F-8A91-77609BBEF1EA) documentation, the following changes for Oracle Database@Azure must be considered.

+* Oracle Database@Azure only supports Exadata X9M. Other shapes are unsupported.

+* Oracle Database@Azure reserves 13 IP addresses for the client subnet versus 3 for OCI requirements.

+The following articles provide specifics of the creation and management tasks associated with each resource type.

+Articles:

+* [What's New in Exadata Services](exadata-manage-services.md)

+* [Provision Exadata Infrastructure](exadata-provision-infrastructure.md)

+* [Provision an Exadata VM Cluster](exadata-provision-vm-cluster.md)

+* [Manage Exadata Resources](exadata-manage-resources.md)

+* [Operate processes for Exadata resources](exadata-operations-processes-services.md)

+* [OCI Multicloud Landing Zone for Azure](exadata-multicloud-landing-zone-azure-services.md)

+* [Terraform/OpenTofu Examples for Exadata Services](exadata-examples-services.md)

+* [Troubleshooting and Known Issues for Exadata Services](exadata-troubleshoot-services.md)

+For more information on specific Oracle Exadata Infrastructure or Oracle Exadata VM Cluster articles beyond their implementation and use within OracleDB@Azure, see the following articles:

+* [Exadata Database Service on Dedicated Infrastructure](https://docs.oracle.com/en/engineered-systems/exadata-cloud-service/ecscm/https://docsupdatetracker.net/index.html#Oracle%C2%AE-Cloud)

+* [Manage Databases on Exadata Cloud Infrastructure](https://docs.oracle.com/en/engineered-systems/exadata-cloud-service/ecscm/manage-databases.html#GUID-51424A67-C26A-48AD-8CBA-B015F88F841A)

+* [Oracle Exadata Database Service on Dedicated Infrastructure Overview](https://docs.oracle.com/en/engineered-systems/exadata-cloud-service/ecscm/exadata-cloud-infrastructure-overview.html)

+ Title: Exadata - OCI multicloud landing zone for Azure

+description: Learn about Exadata - OCI multicloud landing zone for Azure.

+# Exadata - OCI Multicloud landing zone for Azure

+Oracle Cloud Infrastructure (OCI) partnered with Microsoft Azure to develop and distribute HashiCorp Terraform/OpenTofu modules that streamline the provisioning process.

+Both OCI Multicloud Landing Zone for Azure (OCI LZ) and Microsoft Verified Modules (MVM) use multiple templates to empower Oracle Database@Azure. These Terraform/OpenTofu modules use four (4) terraform providers, AzureRM, AzureAD, AzAPI, and OCI, covering IAM, networking, and database layer resources. Apply these reference implementations for a quick start deployment, or customize them for a more complex topology fit to your needs.

+The following diagram illustrates where Terraform or OpenTofu can be introduced to streamline the identity, access, networking, and provisioning processes within Oracle Database@Azure.

+## Prerequisites

+- Complete, at a minimum, steps 1-2 of the [Onboarding with Oracle Database@Azure](onboard-oracle-database.md).

+- Have a Terraform/OpenTofu, OCI CLI, Azure CLI, and python (minimum 3.4) environment. For more information, see the [Oracle Multicloud Landing Zone for Azure README](https://github.com/oracle-quickstart/terraform-oci-multicloud-azure?tab=readme-ov-file#prerequisites).

+## Dependencies

+The [Oracle Multicloud Landing Zone for Azure](https://github.com/oracle-quickstart/terraform-oci-multicloud-azure) modules and templates use multiple Terraform providers.

+| Terraform/OpenTofu Providers | Terraform/OpenTofu Modules |

+| - | -- |

+| [AzAPI](/azure/developer/terraform/overview-azapi-provider) | [OCI Landing Zone modules](https://github.com/oci-landing-zones/) |

+| [AzureAD](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs) | [Azure Verified Modules](https://aka.ms/avm) |

+| [AzureRM](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs) | |

+| [OCI](https://registry.terraform.io/providers/oracle/oci/latest/docs) | |

+## Templates

+For module details, see [Oracle Multicloud Landing Zone for Azure](https://github.com/oracle-quickstart/terraform-oci-multicloud-azure).

+| Template | Use Case and Configurations | Terraform/OpenTofu Providers |

+| -- | | - |

+| [az-oci-exa-pdb](https://github.com/oracle-quickstart/terraform-oci-multicloud-azure/tree/main/templates/az-oci-exa-pdb) | Quick start Exadata Database Service | [hashicorp/azurerm](https://registry.terraform.io/providers/hashicorp/azurerm) |

+| | 1. Configuring Azure virtual network with [delegated subnet limits](oracle-database-delegated-subnet-limits.md) | [azure/azapi](https://registry.terraform.io/providers/Azure/azapi) |

+| | 2. [Provision Exadata infrastructure](exadata-provision-infrastructure.md) | [hashicorp/oci](https://registry.terraform.io/providers/hashicorp/oci) |

+| | 3. [Provision an Exadata VM Cluster](exadata-provision-vm-cluster.md) | |

+| | 4. [Creating Database Home](https://docs.oracle.com/iaas/exadata/doc/ecc-creating-first-db-home-on-exacc.html) | |

+| | 5. [Creating Container Database (CDB)](https://docs.oracle.com/iaas/exadata/doc/ecc-create-first-db.html) | |

+| | 6. [Creating Pluggable Database (PDB)](https://docs.oracle.com/iaas/exadata/doc/ecc-create-first-db.html) | |

+| [az-oci-rbac-n-sso-fed](https://github.com/oracle-quickstart/terraform-oci-multicloud-azure/tree/main/templates/az-oci-rbac-n-sso-fed) | Set up both identity federation and RBAC roles/groups | All the following |

+| [az-oci-sso-federation](https://github.com/oracle-quickstart/terraform-oci-multicloud-azure/tree/main/templates/az-oci-sso-federation) | Set up [SSO Between OCI and Microsoft Entra ID](https://docs.oracle.com/iaas/Content/Identity/tutorials/azure_ad/sso_azure/azure_sso.htm) | [hashicorp/azuread](https://registry.terraform.io/providers/hashicorp/azuread/) |

+| | 1. Get service provider metadata from OCI IAM. | [hashicorp/azurerm](https://registry.terraform.io/providers/hashicorp/azurerm) |

+| | 2. Create an Microsoft Entra ID application. | [hashicorp/oci](https://registry.terraform.io/providers/hashicorp/oci) |

+| | 3. Set up SAML SSO for the Microsoft Entra ID application. | |

+| | 4. Set up attributes and claims in the Microsoft Entra ID application. | |

+| | 5. Assign a test user to the Microsoft Entra ID application. | |

+| | 6. Enable the Microsoft Entra ID application as the Identity Provider (IdP) for OCI IAM. | |

+| | 7. Set up [Identity Lifecycle Management Between OCI IAM and Microsoft Entra ID](https://docs.oracle.com/iaas/Content/Identity/tutorials/azure_ad/lifecycle_azure/azure_lifecycle.htm#azure-lifecycle). | |

+| [az-odb-rbac](https://github.com/oracle-quickstart/terraform-oci-multicloud-azure/tree/main/templates/az-odb-rbac) | Create [roles and groups in Azure](https://docs.oracle.com/iaas/Content/multicloud/oaagroupsroles.htm) for Exadata and Autonomous Database services. | [hashicorp/azuread](https://registry.terraform.io/providers/hashicorp/azuread/) |

+| | 1. Create Azure role definition for ADBS Administrator role.| [hashicorp/azurerm](https://registry.terraform.io/providers/hashicorp/azurerm) |

+| | 2. Create Azure group. | |

+| | 3. Create Azure role assignment. | |

+## More Terraform/OpenTofu resources

+* [QuickStart Oracle Database@Azure with Terraform or OpenTofu Modules](https://docs.oracle.com/en/learn/dbazure-terraform/https://docsupdatetracker.net/index.html) [Terraform: Set Up OCI Terraform](https://docs.oracle.com/iaas/developer-tutorials/tutorials/tf-provider/01-summary.htm)

+* [Import OCI Resources into a Terraform State File](https://docs.oracle.com/en/learn/terraform-statefile-oci-resources/https://docsupdatetracker.net/index.html)

+* [Azure Verified Module for Virtual Network](https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork)

+* [Quickstart: Install and Configure Terraform For Azure](/azure/developer/terraform/quickstart-configure)

+* [Authenticate Terraform to Azure](/azure/developer/terraform/authenticate-to-azure)

+ Title: Operation processes for Exadata services

+description: Learn about operation processes for Exadata services.

+# Operations processes for Exadata services

+There are Oracle processes that are accessible from Microsoft Azure, but are set up and maintained from the Oracle Cloud Infrastructure (OCI) console.

+## Oracle Database Autonomous Recovery Service@Azure

+Oracle Database Autonomous Recovery Service@Azure (RCV) is the preferred backup solution for OracleDB@Azure resources. The key customer benefits are as follows:

+* Allows use of Microsoft Azure Consumption Commitment (MACC) to pay for your backup storage.

+* Allows choice of backup storage locations to meet corporate data residency and compliance requirements.

+* Provides zero data loss with real-time database protection, enabling recovery to less than a second after an outage or ransomware attack.

+* Provides backup immutability using a policy-based backup retention lock preventing backup deletion or alteration by any user in the tenancy.

+* Improves data theft prevention with mandatory and automatic encryption for backup data throughout the entire lifecycle.

+* Provides higher operational efficiency by eliminating weekly full backups that reduces the CPU, memory, and I/O overhead when running backups lowering overall cloud costs.

+* Shortens the backup window with an incremental forever paradigm that moves smaller amounts of backup data between the database and RCV.

+* Improves recoverability with automated zero-impact recovery validation for database backups.

+* Speeds recovery to regions with optimized backups eliminating the need to recover multiple incremental backups.

+* Centralizes database protection insights with a granular recovery health dashboard.

+## High-level Steps to Enable Autonomous Recovery Service@Azure

+1. Access the OCI console for the database you want to enable for Autonomous Recovery Service@Azure. For details on this, see Access the OCI console in [Managing Exadata Resources](exadata-manage-resources.md).

+1. Configure or create an Autonomous Recovery Service@Azure protection policy with Store backups in the same cloud provider as the database set.

+1. Use the protection policy to Configure automated backups.

+1. When the backup completes, subscription and backup location details appear in the database within OCI.

+For more information for Autonomous Recovery Service@Azure, see the following documents:

+* [Multicloud Oracle Database Backup Support](https://docs.oracle.com/en/cloud/paas/recovery-service/dbrsu/azure-multicloud-recoveryservice.html)

+* [Backup Automation and Storage in Oracle Cloud](https://docs.oracle.com/en/cloud/paas/recovery-service/dbrsu/backup-automation.html)

+* [Enable Automatic Backups to Recovery Service](https://docs.oracle.com/en/cloud/paas/recovery-service/dbrsu/enable-automatic-backup.html#GUID-B8A2D342-3331-42C9-8FDD-D0DB0E25F4CE)

+* [About Configuring Protection Policies](https://docs.oracle.com/en/cloud/paas/recovery-service/dbrsu/overview-protection-policy.html#GUID-8C097EAF-E2B0-4231-8027-0067A2E81A00)

+* [Creating a Protection Policy](https://docs.oracle.com/en/cloud/paas/recovery-service/dbrsu/create-protection-policy.html#GUID-C73E254E-2019-4EDA-88E0-F0BA68082A65)

+* [Viewing Protection Policy Details](https://docs.oracle.com/en/cloud/paas/recovery-service/dbrsu/view-protection-policy.html#GUID-5101A7ED-8891-4A6B-B1C4-F13F55A68FF0)

+ Title: Provision Exadata infrastructure

+description: Learn about provisioning an Exadata infrastructure.

+# Provision Exadata infrastructure

+Provisioning Oracle Exadata Infrastructure is a time-consuming process. Provisioning an Oracle Exadata Infrastructure is a prerequisite for provisioning Oracle Exadata VM Clusters and any Oracle Exadata Databases.

+## Prerequisites

+There are prerequisites that must be completed before you can provision Exadata Services. You need to complete the following:

+- An existing Azure subscription

+- An Azure virtual network with a subnet delegated to the Oracle Database@Azure service (`Oracle.Database/networkAttachments`)

+- Permissions in Azure to create resources in the region, with the following conditions:

+ * No policies prohibiting the creation of resources without tags, because the OracleSubscription resource is created automatically without tags during onboarding.

+ * No policies enforcing naming conventions, because the OracleSubscription resource is created automatically with a default resource name.

+- Purchase OracleDB@Azure in the Azure portal.

+- Select your Oracle Cloud Infrastructure (OCI) account.

+For more detailed documentation, including optional steps, see [Onboarding with Oracle Database@Azure](https://docs.oracle.com/iaas/Content/database-at-azure/oaaonboard.htm).

+>[!NOTE]

+> Review the [Troubleshoot issues for Exadata services](exadata-troubleshoot-services.md), specifically the IP Address Requirement Differences, to ensure you have all the information needed for a successful provisioning flow.

+## Provision Oracle Exadata infrastructure and VM Cluster resources

+1. Provision your Oracle Exadata Infrastructure and Oracle Exadata VM Cluster resources from the OracleDB@Azure blade. By default, the Oracle Exadata Infrastructure tab is selected. To create an Oracle Exadata VM Cluster resource, select that tab first.

+1. Select the **+ Create** icon at the top of the blade to begin the provisioning flow.

+1. Check that you're the **Create** Oracle Exadata Infrastructure flow. If not, exit the flow.

+1. From the **Basics** tab of the Create Oracle Exadata Infrastructure flow, enter the following information.

+ 1. Select the Microsoft Azure subscription to which the Oracle Exadata Infrastructure will be provisioned and billed.

+ 1. Select an existing **Resource group** or select the **Create new** link to create and use a new Resource group for this resource. A resource group is a collection of resources sharing the same lifecycle, permissions, and policies.

+ 1. Enter a unique **Name** for the Oracle Exadata Infrastructure on this subscription.

+ 1. Select the **Region** where this Oracle Exadata Infrastructure is provisioned.

+ >[!NOTE]

+ >The regions where the OracleDB@Azure service is available are limited.

+ 1. Select the **Availability zone** where this Oracle Exadata Infrastructure is provisioned.

+ > [!NOTE]

+ > The availability zones where the OracleDB@Azure service is available are limited.

+ 1. The **Oracle Cloud account name** field is display-only. If the name isn't showing correctly, your OracleDB@Azure account setup hasn't been successfully completed.

+ 1. Select **Next** to continue.

+1. From the Configuration tab of the Create Oracle Exadata Infrastructure flow, enter the following information.

+ 1. From the dropdown list, select the **Exadata infrastructure model** you want to use for this deployment.

+ > [!NOTE]

+ > Not all Oracle Exadata Infrastructure models are available. For more information, see [Oracle Exadata Infrastructure Models](https://docs.oracle.com/iaas/exadatacloud/exacs/ecs-ovr-x8m-scable-infra.html#GUID-15EB1E00-3898-4718-AD94-81BDE271C843).

+ 1. The **Database servers** selector can be used to select a range from 2 to 32.

+ 1. The **Storage servers** selector can be used to select a range from 3 to 64.

+ 1. The **OCPUs** and **Storage** fields are automatically updated based on the settings of the **Database servers** and **Storage servers** selectors.

+ 1. Select **Next** to continue.

+1. From the **Maintenance** tab of the Create Oracle Exadata Infrastructure flow, enter the following information.

+ 1. The **Maintenance method** is selectable to either Rolling or Nonrolling based on your patching preferences.

+ 1. By default, the **Maintenance schedule** is set to **No preference**.

+ 1. If you select **Specify a schedule** for the **Maintenance schedule**, another options open for you to tailor a maintenance schedule that meets your requirements. Each of these selections requires at least one option in each field.

+ 1. You can then enter up to 10 **Names** and **Email addresses** that are used as contacts for the maintenance process.

+ 1. Select **Next** to continue.

+1. From the **Consent** tab of the Create Oracle Exadata Infrastructure flow, you must agree to the terms of service, privacy policy, and agree to access permissions. Once accepted, select **Next** to continue.

+1. From the **Tags** tab of the Create Oracle Exadata Infrastructure flow, you define Microsoft Azure tags.

+ >[!NOTE]

+ > These tags aren't propagated to the Oracle Cloud Infrastructure (OCI) portal. Once you have created the tags, if any, for your environment, select **Next** to continue.

+1. From the **Review _+ create** tab of the Create Oracle Exadata Infrastructure flow, a short validation process is run to check the values that you entered from the previous steps. If the validation fails, you must correct any errors before you can start the provisioning process.

+1. Select the **Create** button to start the provisioning flow.

+1. Return to the Oracle Exadata Infrastructure blade to monitor and manage the state of your Oracle Exadata Infrastructure environments.

+ Title: Provision Exadata virtual machine clusters

+description: Learn about how to provision Exadata virtual machine clusters.

+# Provision Exadata virtual machine clusters

+Provisioning an Oracle Exadata VM Cluster requires the existence of an Oracle Exadata Infrastructure, and is a prerequisite for Oracle Exadata Databases that runs on the cluster.

+## Prerequisites

+There are prerequisites that must be completed before you can provision Exadata Services. You need to complete the following:

+- An existing Azure subscription

+- An Azure virtual network with a subnet delegated to the Oracle Database@Azure service (`Oracle.Database/networkAttachments`)

+- Permissions in Azure to create resources in the region, with the following conditions:

+ * No policies prohibiting the creation of resources without tags, because the OracleSubscription resource is created automatically without tags during onboarding.

+ * No policies enforcing naming conventions, because the OracleSubscription resource is created automatically with a default resource name.

+- Purchase OracleDB@Azure in the Azure portal.

+- Select your Oracle Cloud Infrastructure (OCI) account.

+For more detailed documentation, including optional steps, see [Onboarding with Oracle Database@Azure](onboard-oracle-database.md).

+>[!NOTE]

+>Review the [Troubleshoot Exadata services](exadata-troubleshoot-services.md), specifically the IP Address Requirement Differences, to ensure you have all the information needed for a successful provisioning flow.

+1. You provision Oracle Exadata Infrastructure and Oracle Exadata VM Cluster resources from the OracleDB@Azure blade. By default, the Oracle Exadata Infrastructure tab is selected.

+To create an Oracle Exadata VM Cluster resource, select that tab first and follow these instructions.

+1. Select the **+ Create** icon at the top of the blade to begin the provisioning flow.

+1. Check that you're using the **Create** Oracle Exadata VM Cluster flow. If not, exit the flow.

+1. From the **Basics** tab of the Create Oracle Exadata VM Cluster flow, enter the following information.

+ > [!NOTE]

+ > Before you can provision an Oracle Exadata VM Cluster, you must have a provisioned Oracle Exadata Infrastructure which you'll assign for your Oracle Exadata VM Cluster.

+1. Select the Microsoft Azure subscription to which the Oracle Exadata VM Cluster will be provisioned.

+ 1. Select an existing **Resource group** or select the **Create new** link to create and use a new Resource group for this resource.

+ 1. Enter a unique **Name** for the Oracle Exadata VM Cluster on this subscription.

+ 1. Select the **Region** where this Oracle Exadata Infrastructure is provisioned. NOTE: The regions where the OracleDB@Azure service is available are limited, and you should assign the Oracle Exadata VM Cluster to the same region as the parent Oracle Exadata Infrastructure.

+ 1. The **Cluster name** should match the Name to avoid additional naming conflicts.

+ 1. Select the existing **Exadata infrastructure** that is the parent for your Oracle Exadata VM Cluster.

+ 1. The **License type** is either **License included** or **Bring your own license (BYOL)**. Your selection affects your billing.

+ 1. The default **Time zone** is UTC. There's also an option to **Select another time zone**.

+ 1. If you choose the **Select another time zone** option, two additional required fields open, **Region or country** and **Selected time zone**. Both of these fields are drop-down lists with selectable values. Once you select the **Region or country**, the **Selected time zone** is populated with the available values for that **Region or country**.

+ 1. The **Grid Infrastructure Version** is selectable based on your previous selections. The **Grid Infrastructure Version** limits the Oracle Database versions that the Oracle Exadata VM Cluster supports.

+ 1. If selected, the **Choose Exadata Image version** checkbox allows you to select whether or not to **Include Exadata Image minor versions** as selectable, and then to choose the specific **Exadata Image version** from the drop-down field based on whether or not you allowed **Include Exadata Image minor versions**.

+ 1. The **SSH public key source** can be selected to **Generate new key pair**, **Use existing key stored in Azure**, or **Use existing public key**. If you select **Generate new key pair**, you must give your newly generated key a unique name. If you select **Use existing key stored in Azure**, you must select that key from a dropdown of defined key for your subscription. If you select **Use existing public key**, you must provide an RSA public key in sing-line format (starting with "ssh-rsa") or the multi-line PEM format. You can generate SSH keys using ssh-keygen or Linux and OS X, or PuTTYGen on Windows.

+ 1. Select **Next** to continue.

+1. From the **Configuration** tab of the Create Oracle Exadata VM Cluster flow, enter the following information.

+ 1. The **Change database servers** checkbox is optional. If selected, it allows you to select a single database server for VM cluster placement. If you don't select this checkbox, the minimum database servers are two (2). Maximum resources vary based on allocation per VM cluster based on the number of database servers. Select from the available configurations.

+ 1. If you select the **Change database servers** checkbox, a drop-down box for **Select database servers** appears. Use this drop-down control to select the specific database servers for your configuration.

+ 1. **Database servers** and **System Model** fields are read-only and based on the available resources.

+ 1. The **OCPU count per VM**, **Memory per VM**, and **Local storage per VM** are limited by the Oracle Exadata Infrastructure.

+ 1. **Total requested OCPU count**, **Total requested memory**, and **Total local storage** are computed based on the local values that you accept or select.

+ 1. **Usable Exadata Storage (TB)** is limited by the Oracle Exadata Infrastructure.

+ 1. **Use Exadata sparse snapshots**, **Use local backups**, and **Usable storage allocation** are options that can only be set at this time before the Oracle Exadata VM Cluster has been provisioned.

+ 1. Select **Next** to continue.

+1. From the **Networking** tab of the Create Oracle Exadata VM Cluster flow, enter the following information.

+ 1. The **Virtual network** is limited based on the **Subscription** and **Resource group** that you selected earlier in the provisioning flow.

+ 1. The **Client subnet** is selectable based on the selected **Virtual network**.

+ 1. To use a custom DNS domain, select the **Custom DNS** checkbox. If unchecked, the Oracle Exadata VM Cluster uses the default domain, oraclevcn.com.

+ 1. If checked, a list of existing DNS private views from OCI is presented. Select the view to use. To create a new private view and zones, see [Configure Private DNS](https://docs.oracle.com/iaas/exadatacloud/exacs/ecs-network-setup.html#ECSCM-GUID-69CF2720-31BE-455B-93E3-D2E39B2DA44B).

+ > [!NOTE]

+ > In order for the list of DNS private views to be populated correctly, the network link's compartment in OCI must match the Microsoft Azure subscription.

+ 1. Enter the **Host name prefix**. The prefix forms the first portion of the Oracle Exadata VM Cluster host name.

+ 1. The **Host domain name** and **Host and domain URL** for your Oracle Exadata VM Cluster are read-only and populated with derived naming.

+ 1. Within the **Network ingress rules** section, the **Add additional network ingress rules** checkbox allows you to define addition ingress CIDR rules. Additional network CIDR ranges (such as application or hub subnet ranges) can be added, during provisioning, to the network security group (NSG) ingress rules for the VM cluster. The selected virtual network's CIDR is added by default. CIDR ranges are specified. The port can be a single port, port range (for example, 80-8080), a comma-delimited list of ports (for example, 80,8080), or any combination of these. This only updates the OCI network security group ingress rules. Microsoft Azure virtual network network security rules must be updated in the specific virtual network in Microsoft Azure.

+ 1. Select **Next** to continue.

+1. From the **Diagnostics Collection** tab of the Create Oracle Exadata VM Cluster flow allows you to specify the diagnostic events, health monitoring, and incident logs and tracing that Oracle can use to identify, track, and resolve issues. Select **Next** to continue.

+1. From the **Consent** tab of the Create Oracle Exadata VM Cluster flow, you must agree to the terms of service, privacy policy, and agree to access permissions. Select **Next** to continue.

+1. From the **Tags** tab of the Create Oracle Exadata VM Cluster flow, you can define Microsoft Azure tags. NOTE: These tags aren't propagated to the Oracle Cloud Infrastructure (OCI) portal. Select **Next** to continue.

+1. From the **Review _+ create** tab of the Create Oracle Exadata VM Cluster flow, a short validation process is run to check the values that you entered from the previous steps. If the validation fails, you must correct any errors before you can start the provisioning process.

+1. Select the **Create** button to start the provisioning flow.

+1. Return to the Oracle Exadata VM Cluster blade to monitor and manage the state of your Oracle Exadata VM Cluster environments.

+ Title: Troubleshoot Exadata services

+description: Learn about how to Troubleshoot for Exadata services.

+# Troubleshoot Exadata services

+Use the information in this article to resolve common errors and provisioning issues in your Oracle Database@Azure environments.

+The issues covered in this guide don't cover general issues related to Oracle Database@Azure configuration, settings, and account setup. For more information on those articles, see [Oracle Database@Azure Overview](https://docs.oracle.com/iaas/Content/multicloud/oaaoverview.htm).

+## Terminations and Microsoft Azure locks

+Oracle advises removal of all Microsoft Azure locks to Oracle Database@Azure resources before terminating the resource. For example, if you created a Microsoft Azure private endpoint, you should remove that resource first. If you have a policy to prevent the deletion of locked resources, the Oracle Database@Azure workflow to delete the resource fails because Oracle Database@Azure can't delete the lock.

+## IP Address Requirement Differences

+There are IP address requirement differences between Oracle Database@Azure and Oracle Cloud Infrastructure (OCI). In the [Requirements for IP Address Space](https://docs.oracle.com/iaas/exadatacloud/exacs/ecs-network-setup.html#GUID-D5C577A1-BC11-470F-8A91-77609BBEF1EA) documentation, the following changes for Oracle Database@Azure must be considered.

+* Oracle Database@Azure only supports Exadata X9M. All other shapes are unsupported.

+* Oracle Database@Azure reserves 13 IP addresses for the client subnet versus 3 for OCI requirements.

+## Private DNS Zone Limitation

+When provisioning Exadata Services, a private DNS zone can only select zones with four labels or less. For example, a.b.c.d is allowed, while a.b.c.d.e is not allowed.

+## Automatic Network Ingress Configuration

+You can connect a Microsoft Azure VM to an Oracle Exadata VM Cluster if both are in the same virtual network (VNet). The functionality is automatic and requires no additional changes to network security group (NSG) rules. If you need to connect a Microsoft Azure VM from a different VNet than the one where the Oracle Exadata VM Cluster was created, an additional step to configure NSG traffic rules to allow the other VNet's traffic to flow properly. As an example, if you have two (2) VNets (A and B) with VNet A serving the Microsoft Azure VM and VNet B serving the Oracle Exadata VM Cluster, you need to add VNet A's CIDR address to the NSG route table in OCI.

+| Direction | Source or Destination | Protocol | Details | Description |

+| | | -- | - | -- |

+| Direction: Egress <br /> Stateless: No | Destination Type: CIDR <br /> Destination: 0.0.0.0/0 | All Protocols | Allow: All traffic for all ports | Default NSG egress rule |

+| Direction: Ingress <br /> Stateless: No | Source Type: CIDR <br /> Source: Microsoft Azure VNet CIDR | TCP | Source Port Range: All <br /> Destination Port Range: All <br /> Allow: TCP traffic for ports: All | Ingress all TCP from Microsoft Azure VNet. |

+| Direction: Ingress <br /> Stateless: No | Source Type: CIDR <br /> Source: Microsoft AzureVNet CIDR | ICMP | Type: All <br /> Code: All <br /> Allow: ICMP traffic for: All | Ingress all ICMP from Microsoft Azure VNet. |

+| Direction | Source or Destination | Protocol | Details | Description |

+| | | -- | - | -- |

+| Direction: Egress <br /> Stateless: No | Destination Type: Service <br /> Destination: OCI IAD object storage | TCP | Source Port Range: All <br /> Destination Port Range: 443 <br /> Allow: TCP traffic for ports: 443 HTTPS | Allows access to object storage. |

+| Direction: Ingress <br /> Stateless: No | Source Type: CIDR <br /> Source: 0.0.0.0/0 | ICMP | Type: 3 <br /> Code: 4 <br /> Allow: ICMP traffic for: 3, 4 Destination Unreachable: Fragmentation Needed and Don't Fragment was Set | Allows Path MTU Discovery fragmentation messages. |

+ Title: What's new in Exadata services

+description: Learn about what's new in Exadata services.

+# What's new in Exadata services

+Oracle Database@Azure (OracleDB@Azure) provides you with seamless integration of Oracle resources within your Microsoft Azure cloud environment.

+## July 2024

+| Month/Year | Feature | Description |

+| - | - | |

+| July 2024 | Added a Quickstart Terraform Templates and Modules section. | This section grows as the templates and modules are revised and new content is added. |

+The above table only lists the changes within the Oracle Database@Azure product specific to Oracle Exadata Infrastructures or Oracle Exadata VM Clusters. For changes to the Oracle Exadata Infrastructure or the Oracle Exadata VM Cluster products, see [WhatΓÇÖs New in Oracle Exadata Database Service on Dedicated Infrastructure](https://docs.oracle.com/en/engineered-systems/exadata-cloud-service/ecscm/exa-whats-new.html).

+## Next steps

+* [Provision Exadata Infrastructure](exadata-provision-infrastructure.md)

+* [Provision an Exadata VM Cluster](exadata-provision-vm-cluster.md)

+* [Manage Exadata Resources](exadata-manage-resources.md)

+* [Operate processes for Exadata resources](exadata-operations-processes-services.md)

+* [OCI Multicloud Landing Zone for Azure](exadata-multicloud-landing-zone-azure-services.md)

+* [Terraform/OpenTofu Examples for Exadata Services](exadata-examples-services.md)

+* [Troubleshooting and Known Issues for Exadata Services](exadata-troubleshoot-services.md)

+ Title: Delegated subnet limits

+description: Learn about Delegated subnet limits for Oracle Database@Azure.

+# Delegated subnet limits

+In this article, you learn about delegated subnet limits for Oracle Database@Azure.

+Oracle Database@Azure infrastructure resources are connected to your Azure virtual network using a virtual NIC from your [delegated subnets](/azure/virtual-network/subnet-delegation-overview) (delegated to `Oracle.Database/networkAttachement`). By default, the Oracle Database@Azure service can use up to five delegated subnets. If you need more delegated subnet capacity, you can request a service limit increase.

+## Service limits in the OCI Console

+For information on viewing and increasing service limits in the OCI Console, see the following articles:

+- [To view the tenancy's limits and usage (by region)](https://docs.oracle.com/en-us/iaas/Content/General/Concepts/servicelimits.htm#To_view_your_tenancys_limits_and_usage_by_region)

+- [Requesting a service limit increase](https://docs.oracle.com/en-us/iaas/Content/General/Concepts/servicelimits.htm#Requesti)

+When submitting a service limit increase, note the following:

+- The service name is `Multicloud`.

+- The resource name is `Delegated Subnet Multicloud Links`.

+- The service limit name for Oracle Database@Azure delegated subnets is `azure-delegated-subnet-count`.

+- The limit is applied at the regional level.

+## Next steps

+[Network planning for Oracle Database@Azure](oracle-database-network-plan.md) in the Azure documentation for information about network topologies and constraints for Oracle Database@Azure.

+ Title: Provision an Exadata infrastructure for Oracle Database@Azure

+description: Provision an Exadata infrastructure for Oracle Database@Azure

+# Provision an Exadata infrastructure

+## Prerequisites

+Before you restore data in an archived log, see [Start an investigation by searching large datasets (preview)](investigate-large-datasets.md) and [Restore in Azure Monitor](/azure/azure-monitor/logs/restore).

+To restore archived log data in Microsoft Sentinel, specify the table and time range for the data you want to restore. Within a few minutes, the log data is available within the Log Analytics workspace. Then you can use the data in high-performance queries that support full Kusto Query Language (KQL).

+Restore archived data directly from the **Search** page or from a saved search.

+1. In Microsoft Sentinel, select **Search**. In the [Azure portal](https://portal.azure.com), this page is listed under **General**. In the [Defender portal](https://security.microsoft.com/), this page is at the Microsoft Sentinel root level.

+1. Restore log data using one of the following methods:

+ - Select :::image type="icon" source="media/restore/restore-button.png" border="false"::: **Restore** at the top of the page. In the **Restoration** pane on the side, select the table and time range you want to restore, and then select **Restore at the bottom of the pane**.

+ - Select **Saved searches**, locate the search results you want to restore, and then select **Restore**. If you have multiple tables, select the one you want to restore and then select **Actions > Restore** in the side pane. For example:

+ :::image type="content" source="media/restore/restore-azure.png" alt-text="Screenshot of restoring a specific site search.":::

+1. When your restore job is complete and the status is updated, select the table name and review the results.

+ In the [Azure portal](https://portal.azure.com), results are shown in the **Logs** query page. In the [Defender portal](https://security.microsoft.com/), results are shown in the **Advanced hunting** page.

+ For example:

+ The **Time range** is set to a custom time range that uses the start and end times of the restored data.

+To save costs, we recommend you delete the restored table when you no longer need it. When you delete a restored table, the underlying source data isn't deleted.

+1. In Microsoft Sentinel, select **Search** > **Restoration** and identify the table you want to delete.

+1. Select **Delete** for that table row to delete the restored table.

+>- When using **partitioning** and sending **batches** of messages, you should ensure that they do not contain any partition identifying properties. Since deduplication relies on explicitly setting message IDs to determine uniqueness, it is not recommended to use deduplication and batching together with partitioning.

+| Java - Spring Boot | Yes | Yes | Yes | Yes |

+#### SpringBoot client

+Authenticating with a system-assigned managed identity is only available for Spring Cloud Azure version 4.0 or higher.

+| Default environment variable name | Description | Example value |

+||--||

+| spring.cloud.azure.storage.blob.credential.managed-identity-enabled | Whether to enable managed identity | `True` |

+| spring.cloud.azure.storage.blob.account-name | Name for the storage account | `storage-account-name` |

+| spring.cloud.azure.storage.blob.endpoint | Blob Storage endpoint | `https://<storage-account-name>.blob.core.windows.net/` |

+#### Other clients

+#### SpringBoot client

+Authenticating with a user-assigned managed identity is only available for Spring Cloud Azure version 4.0 or higher.

+| Default environment variable name | Description | Example value |

+||--||

+| spring.cloud.azure.storage.blob.credential.managed-identity-enabled | Whether to enable managed identity | `True` |

+| spring.cloud.azure.storage.blob.account-name | Name for the storage account | `storage-account-name` |

+| spring.cloud.azure.storage.blob.endpoint | Blob Storage endpoint | `https://<storage-account-name>.blob.core.windows.net/` |

+| spring.cloud.azure.storage.blob.credential.client-id | Client ID of the user-assigned managed identity | `00001111-aaaa-2222-bbbb-3333cccc4444` |

+#### Other clients

+#### SpringBoot client

+#### Other clients

+#### SpringBoot client

+Authenticating with a service principal is only available for Spring Cloud Azure version 4.0 or higher.

+| Default environment variable name | Description | Example value |

+||--||

+| spring.cloud.azure.storage.blob.account-name | Name for the storage account | `storage-account-name` |

+| spring.cloud.azure.storage.blob.endpoint | Blob Storage endpoint | `https://<storage-account-name>.blob.core.windows.net/` |

+| spring.cloud.azure.storage.blob.credential.client-id | Client ID of the service principal | `00001111-aaaa-2222-bbbb-3333cccc4444` |

+| spring.cloud.azure.storage.blob.credential.client-secret | Client secret to perform service principal authentication | `Aa1Bb~2Cc3.-Dd4Ee5Ff6Gg7Hh8Ii9_Jj0Kk1Ll2` |

+#### Other clients

+| Java - Spring Boot | Yes | Yes | Yes | Yes |

+#### SpringBoot client

+Authenticating with a system-assigned managed identity is only available for Spring Cloud Azure version 4.0 or higher.

+| Default environment variable name | Description | Example value |

+||--||

+| spring.cloud.azure.storage.queue.credential.managed-identity-enabled | Whether to enable managed identity | `True` |

+| spring.cloud.azure.storage.queue.account-name | Name for the storage account | `storage-account-name` |

+| spring.cloud.azure.storage.queue.endpoint | Queue Storage endpoint | `https://<storage-account-name>.queue.core.windows.net/` |

+#### Other clients

+#### SpringBoot client

+Authenticating with a user-assigned managed identity is only available for Spring Cloud Azure version 4.0 or higher.

+| Default environment variable name | Description | Example value |

+||--||

+| spring.cloud.azure.storage.queue.credential.managed-identity-enabled | Whether to enable managed identity | `True` |

+| spring.cloud.azure.storage.queue.account-name | Name for the storage account | `storage-account-name` |

+| spring.cloud.azure.storage.queue.endpoint | Queue Storage endpoint | `https://<storage-account-name>.queue.core.windows.net/` |

+| spring.cloud.azure.storage.queue.credential.client-id | Client ID of the user-assigned managed identity | `00001111-aaaa-2222-bbbb-3333cccc4444` |

+#### Other clients

+#### SpringBoot client

+#### Other clients

+#### SpringBoot client

+Authenticating with a service principal is only available for Spring Cloud Azure version 4.0 or higher.

+| Default environment variable name | Description | Example value |

+||--||

+| spring.cloud.azure.storage.queue.account-name | Name for the storage account | `storage-account-name` |

+| spring.cloud.azure.storage.queue.endpoint | Queue Storage endpoint | `https://<storage-account-name>.queue.core.windows.net/` |

+| spring.cloud.azure.storage.queue.credential.client-id | Client ID of the service principal | `00001111-aaaa-2222-bbbb-3333cccc4444` |

+| spring.cloud.azure.storage.queue.credential.client-secret | Client secret to perform service principal authentication | `Aa1Bb~2Cc3.-Dd4Ee5Ff6Gg7Hh8Ii9_Jj0Kk1Ll2` |

+#### Other clients

+#Customer intent: As an IT admin, I want create pre and post events using a webhook with Automation runbooks.

+Pre and post events, also known as pre/post-scripts, allow you to execute user-defined actions before and after the schedule patch installation. One of the most common scenarios is to start and stop a Virtual Machine (VM). With pre-events, you can run a prepatching script to start the VM before initiating the schedule patching process. Once the schedule patching is complete, and the server is rebooted, a post-patching script can be executed to safely shut down the VM.

+ if ($eventType -ne "Microsoft.Maintenance.PreMaintenanceEvent" -and $eventType ΓÇône "Microsoft.Maintenance.PostMaintenanceEvent" ) {

+ 1. To customize, you can use either your existing scripts with the above modifications done or use the following scripts.

+if ($eventType -ne "Microsoft.Maintenance.PreMaintenanceEvent") {

+ Write-Output "Webhook not triggered as part of pre-patching for maintenance run"

+if ($eventType -ne "Microsoft.Maintenance.PostMaintenanceEvent") {

+ Write-Output "Webhook not triggered as part of post-patching for maintenance run"

+param

+(

+ [Parameter(Mandatory=$false)]

+ [object] $WebhookData

+)

+Connect-AzAccount -Identity

+# Install the Resource Graph module from PowerShell Gallery

+# Install-Module -Name Az.ResourceGraph

+$notificationPayload = ConvertFrom-Json -InputObject $WebhookData.RequestBody

+$maintenanceRunId = $notificationPayload[0].data.CorrelationId

+-Path "$maintenanceRunId`?api-version=2023-09-01-preview" `

+6. To see the mount path, select **Go to resource** and look for it in the Overview tab. The mount path is in the format `\\<share-name>\<folder-name>`.

+6. Connect directly to any VM part of the host pool using Remote Desktop and open the **File Explorer.** Then navigate to your **Mount path**. Within this folder, there should be a `.VHD` or .`VHDX` file for the profile.

+description: Learn how to create an encrypted virtual network by using the Azure portal. A virtual network lets Azure resources communicate with each other and the internet.

+# Create a virtual network with encryption by using the Azure portal

+Azure Virtual Network encryption is a feature of Azure Virtual Network. With Virtual Network encryption, you can seamlessly encrypt and decrypt internal network traffic over the wire, with minimal effect to performance and scale. Virtual Network encryption protects data that traverses your virtual network from virtual machine to virtual machine and from virtual machine to on-premises.

+An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio).

+- Have an Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- Install Azure PowerShell locally or use Azure Cloud Shell.

+- Ensure that your `Az.Network` module is 4.3.0 or later. To verify the installed module, use the command `Get-InstalledModule -Name Az.Network`. If the module requires an update, use the command `Update-Module -Name Az.Network`, if necessary.

+- This article requires version 2.31.0 or later of the Azure CLI. If you're using Azure Cloud Shell, the latest version is already installed.

+## Create a virtual network

+Create a resource group with [New-AzResourceGroup](/powershell/module/az.resources/new-azresourcegroup) named `test-rg` in the `eastus2` location.

+Create a resource group with [az group create](/cli/azure/group#az-group-create) named `test-rg` in the `eastus2` location.

+> To encrypt traffic, Virtual Network encryption requires supported virtual machine versions in the virtual network. The setting `dropUnencrypted` drops traffic between unsupported virtual machine versions if they're deployed in the virtual network. For more information, see [Azure Virtual Network encryption requirements](virtual-network-encryption-overview.md#requirements).

+1. In the search box at the top of the portal, begin to enter **Virtual networks**. When **Virtual networks** appears in the search results, select it.

+1. Select **vnet-1** to open the **vnet-1** pane.

+1. On the service menu, select **Overview**, and then select the **Properties** tab.

+1. Under **Encryption**, select **Disabled**.

+ :::image type="content" source="./media/how-to-create-encryption-portal/virtual-network-properties.png" alt-text="Screenshot that shows properties of the virtual network.":::

+You can also enable encryption on an existing virtual network by using [Set-AzVirtualNetwork](/powershell/module/az.network/set-azvirtualnetwork). *This step isn't necessary if you created the virtual network with encryption enabled in the previous steps.*

+You can also enable encryption on an existing virtual network by using [az network vnet update](/cli/azure/network/vnet#az-network-vnet-update). *This step isn't necessary if you created the virtual network with encryption enabled in the previous steps.*

+## Verify that encryption is enabled

+1. In the search box at the top of the portal, begin to enter **Virtual networks**. When **Virtual networks** appears in the search results, select it.

+1. Select **vnet-1** to open the **vnet-1** pane.

+1. On the service menu, select **Overview**, and then select the **Properties** tab.

+ :::image type="content" source="./media/how-to-create-encryption-portal/virtual-network-properties-encryption-enabled.png" alt-text="Screenshot that shows properties of the virtual network with Encryption st as Enabled.":::

+To view the parameter for encryption, enter the following information:

+## Clean up resources

+When you no longer need this resource group, use [Remove-AzResourceGroup](/powershell/module/az.resources/remove-azresourcegroup) to remove the resource group and all the resources it contains.

+When you finish with the virtual network, use [az group delete](/cli/azure/group#az-group-delete) to remove the resource group and all its resources.

+## Related content

+- For more information about Virtual Network, see [What is Azure Virtual Network?](/azure/virtual-network/virtual-networks-overview).

+- For more information about Virtual Network encryption, see [What is Azure Virtual Network encryption?](virtual-network-encryption-overview.md).

+description: Learn how to create, change, or delete an Azure network security group (NSG).

+When you use security rules in network security groups (NSGs), you can filter the type of network traffic that flows in and out of virtual network subnets and network interfaces. To learn more about NSGs, see [Network security group overview](./network-security-groups-overview.md). Next, complete the [Filter network traffic](tutorial-filter-network-traffic.md) tutorial to gain some experience with NSGs.

+If you don't have an Azure account with an active subscription, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). Complete one of these tasks before you start the remainder of this article:

+- **PowerShell users**: Either run the commands in [Azure Cloud Shell](https://shell.azure.com/powershell) or run PowerShell locally from your computer. Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools that are preinstalled and configured to use with your account. On the Cloud Shell browser tab, find the **Select environment** dropdown list. Then select **PowerShell** if it isn't already selected.

+- **Azure CLI users**: Either run the commands in [Cloud Shell](https://shell.azure.com/bash) or run the Azure CLI locally from your computer. Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools that are preinstalled and configured to use with your account. On the Cloud Shell browser tab, find the **Select environment** dropdown list. Then select **Bash** if it isn't already selected.

+ If you're running the Azure CLI locally, use Azure CLI version 2.0.28 or later. Run `az --version` to find the installed version. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli). Run `az login` to sign in to Azure.

+Assign the [Network Contributor role](../role-based-access-control/built-in-roles.md?toc=%2fazure%2fvirtual-network%2ftoc.json#network-contributor) or a [custom role](../role-based-access-control/custom-roles.md?toc=%2fazure%2fvirtual-network%2ftoc.json) with the appropriate [permissions](#permissions).

+You can create, [view all](#view-all-network-security-groups), [view details of](#view-details-of-a-network-security-group), [change](#change-a-network-security-group), and [delete](#delete-a-network-security-group) an NSG. You can also associate or dissociate an NSG from a [network interface](#associate-or-dissociate-a-network-security-group-to-or-from-a-network-interface) or a [subnet](#associate-or-dissociate-a-network-security-group-to-or-from-a-subnet).

+The number of NSGs that you can create for each Azure region and subscription is limited. To learn more, see [Azure subscription and service limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-resource-manager-virtual-networking-limits).

+1. In the search box at the top of the portal, enter **Network security group**. Select **Network security groups** in the search results.

+1. Select **+ Create**.

+1. On the **Create network security group** page, under the **Basics** tab, enter or select the following values:

+ | Resource group | Select an existing resource group, or create a new one by selecting **Create new**. This example uses the `myResourceGroup` resource group. |

+ | Network security group name | Enter a name for the NSG that you're creating. |

+ | Region | Select the region that you want. |

+ :::image type="content" source="./media/manage-network-security-group/create-network-security-group.png" alt-text="Screenshot that shows creating a NSG in the Azure portal.":::

+1. Select **Review + create**.

+1. After you see the **Validation passed** message, select **Create**.

+Use [New-AzNetworkSecurityGroup](/powershell/module/az.network/new-aznetworksecuritygroup) to create an NSG named `myNSG` in the **East US** region. The NSG named `myNSG` is created in the existing `myResourceGroup` resource group.

+Use [az network nsg create](/cli/azure/network/nsg#az-network-nsg-create) to create an NSG named `myNSG` in the existing `myResourceGroup` resource group.

+In the search box at the top of the portal, enter **Network security group**. Select **Network security groups** in the search results to see the list of NSGs in your subscription.

+Use [Get-AzNetworkSecurityGroup](/powershell/module/az.network/get-aznetworksecuritygroup) to list all the NSGs in your subscription.

+Use [az network nsg list](/cli/azure/network/nsg#az-network-nsg-list) to list all the NSGs in your subscription.

+1. In the search box at the top of the portal, enter **Network security group** and select **Network security groups** in the search results.

+1. Select the name of your NSG.

+ - Under **Settings**, view the **Inbound security rules**, **Outbound security rules**, **Network interfaces**, and **Subnets** to which the NSG is associated.

+ - Under **Monitoring**, enable or disable **Diagnostic settings**. For more information, see [Resource logging for a network security group](virtual-network-nsg-manage-log.md).

+ - Under **Help**, view **Effective security rules**. For more information, see [Diagnose a virtual machine (VM) network traffic filter problem](diagnose-network-traffic-filter-problem.md).

+ :::image type="content" source="./media/manage-network-security-group/network-security-group-details-inline.png" alt-text="Screenshot that shows the Network security group page in the Azure portal." lightbox="./media/manage-network-security-group/network-security-group-details-expanded.png":::

+To learn more about the common Azure settings that are listed, see the following articles:

+- [Access control identity and access management (IAM)](../role-based-access-control/overview.md)

+Use [Get-AzNetworkSecurityGroup](/powershell/module/az.network/get-aznetworksecuritygroup) to view the details of an NSG.

+To learn more about the common Azure settings that are listed, see the following articles:

+Use [az network nsg show](/cli/azure/network/nsg#az-network-nsg-show) to view the details of an NSG.

+To learn more about the common Azure settings that are listed, see the following articles:

+The most common changes to an NSG are:

+- [Associate or dissociate a network security group to or from a network interface](#associate-or-dissociate-a-network-security-group-to-or-from-a-network-interface)

+For more information about the association and dissociation of an NSG, see [Associate or dissociate a network security group](virtual-network-network-interface.md#associate-or-dissociate-a-network-security-group).

+1. In the search box at the top of the portal, enter **Network security group**. Then select **Network security groups** in the search results.

+1. Select the name of your NSG, and then select **Subnets**.

+ - To associate an NSG to the subnet, select **+ Associate**. Then select your virtual network and the subnet to which you want to associate the NSG. Select **OK**.

+ :::image type="content" source="./media/manage-network-security-group/associate-subnet-network-security-group.png" alt-text="Screenshot that shows associating a network security group to a subnet in the Azure portal.":::

+ - To dissociate an NSG from the subnet, select the three dots next to the subnet from which you want to dissociate the NSG, and then select **Dissociate**. Select **Yes**.

+ :::image type="content" source="./media/manage-network-security-group/dissociate-subnet-network-security-group.png" alt-text="Screenshot that shows dissociating an NSG from a subnet in the Azure portal.":::

+Use [Set-AzVirtualNetworkSubnetConfig](/powershell/module/az.network/set-azvirtualnetworksubnetconfig) to associate or dissociate an NSG to or from a subnet.

+Use [az network vnet subnet update](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-update) to associate or dissociate an NSG to or from a subnet.

+If an NSG is associated to any subnets or network interfaces, it can't be deleted. Dissociate an NSG from all subnets and network interfaces before you attempt to delete it.

+1. In the search box at the top of the portal, enter **Network security group**. Then select **Network security groups** in the search results.

+1. Select the NSG that you want to delete.

+1. Select **Delete**, and then select **Yes** in the confirmation dialog box.

+ :::image type="content" source="./media/manage-network-security-group/delete-network-security-group.png" alt-text="Screenshot that shows deleting a network security group in the Azure portal.":::

+Use [Remove-AzNetworkSecurityGroup](/powershell/module/az.network/remove-aznetworksecuritygroup) to delete an NSG.

+Use [az network nsg delete](/cli/azure/network/nsg#az-network-nsg-delete) to delete an NSG.

+An NSG contains zero or more security rules. You can [create](#create-a-security-rule), [view all](#view-all-security-rules), [view details of](#view-the-details-of-a-security-rule), [change](#change-a-security-rule), and [delete](#delete-a-security-rule) a security rule.

+The number of rules per NSG that you can create for each Azure location and subscription is limited. To learn more, see [Azure subscription and service limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md?toc=%2fazure%2fvirtual-network%2ftoc.json#azure-resource-manager-virtual-networking-limits).

+1. In the search box at the top of the portal, enter **Network security group**. Then select **Network security groups** in the search results.

+1. Select the name of the NSG to which you want to add a security rule.

+1. Select **Inbound security rules** or **Outbound security rules**.

+ Several existing rules are listed, including some that you might not have added. When you create an NSG, several default security rules are created in it. To learn more, see [Default security rules](./network-security-groups-overview.md#default-security-rules). You can't delete default security rules, but you can override them with rules that have a higher priority.

+1. <a name="security-rule-settings"></a>Select **+ Add**. Select or add values for the following settings, and then select **Add**.

+ | **Source** | One of:<ul><li>**Any**</li><li>**IP Addresses**</li><li>**My IP address**</li><li>**Service Tag**</li><li>**Application security group**</li></ul> | <p>If you select **IP Addresses**, you must also specify **Source IP addresses/CIDR ranges**.</p><p>If you select **Service Tag**, you must also select a **Source service tag**.</p><p>If you select **Application security group**, you must also select an existing application security group. If you select **Application security group** for both **Source** and **Destination**, the network interfaces within both application security groups must be in the same virtual network. Learn how to [create an application security group](#create-an-application-security-group).</p> |

+ | **Source IP addresses/CIDR ranges** | A comma-delimited list of IP addresses and Classless Interdomain Routing (CIDR) ranges | <p>This setting appears if you set **Source** to **IP Addresses**. You must specify a single value or comma-separated list of multiple values. An example of multiple values is `10.0.0.0/16, 192.188.1.1`. The number of values that you can specify is limited. For more information, see [Azure limits](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-resource-manager-virtual-networking-limits).</p><p>If the IP address that you specify is assigned to an Azure VM, specify its private IP address, not its public IP address. Azure processes security rules after it translates the public IP address to a private IP address for inbound security rules, but before it translates a private IP address to a public IP address for outbound rules. To learn more about IP addresses in Azure, see [Public IP addresses](./ip-services/public-ip-addresses.md) and [Private IP addresses](./ip-services/private-ip-addresses.md).</p> |

+ | **Source port ranges** | One of:<ul><li>A single port, such as `80`</li><li>A range of ports, such as `1024-65535`</li><li>A comma-separated list of single ports and/or port ranges, such as `80, 1024-65535`</li><li>An asterisk (`*`) to allow traffic on any port</li></ul> | This setting specifies the ports on which the rule allows or denies traffic. The number of ports that you can specify is limited. For more information, see [Azure limits](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-resource-manager-virtual-networking-limits). |

+ | **Destination** | One of:<ul><li>**Any**</li><li>**IP Addresses**</li><li>**Service Tag**</li><li>**Application security group**</li></ul> | <p>If you select **IP Addresses**, you must also specify **Destination IP addresses/CIDR ranges**.</p><p>If you select **Service Tag**, you must also select a **Destination service tag**.</p><p>If you select **Application security group**, you must also select an existing application security group. If you select **Application security group** for both **Source** and **Destination**, the network interfaces within both application security groups must be in the same virtual network. Learn how to [create an application security group](#create-an-application-security-group).</p> |

+ | **Destination IP addresses/CIDR ranges** | A comma-delimited list of IP addresses and CIDR ranges | <p>This setting appears if you change **Destination** to **IP Addresses**. You can specify single or multiple addresses or ranges like you can do with **Source** and **Source IP addresses/CIDR ranges**. The number that you can specify is limited. For more information, see [Azure limits](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-resource-manager-virtual-networking-limits).</p><p>If the IP address that you specify is assigned to an Azure VM, ensure that you specify its private IP, not its public IP address. Azure processes security rules after it translates the public IP address to a private IP address for inbound security rules, but before Azure translates a private IP address to a public IP address for outbound rules. To learn more about IP addresses in Azure, see [Public IP addresses](./ip-services/public-ip-addresses.md) and [Private IP addresses](./ip-services/private-ip-addresses.md).</p> |

+ | **Service** | A destination protocol from the dropdown list | This setting specifies the destination protocol and port range for the security rule. You can select a predefined service, like **RDP**, or select **Custom** and provide the port range in **Destination port ranges**. |

+ | **Destination port ranges** | One of:<ul><li>A single port, such as `80`</li><li>A range of ports, such as `1024-65535`</li><li>A comma-separated list of single ports and/or port ranges, such as `80, 1024-65535`</li><li>An asterisk (`*`) to allow traffic on any port</li></ul> | As with **Source port ranges**, you can specify single or multiple ports and ranges. The number that you can specify is limited. For more information, see [Azure limits](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-resource-manager-virtual-networking-limits). |

+ | **Protocol** | **Any**, **TCP**, **UDP**, or **ICMP** | You can restrict the rule to the Transmission Control Protocol (TCP), User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP). The default is for the rule to apply to all protocols (**Any**). |

+ | **Priority** | A value between 100 and 4,096 that's unique for all security rules within the NSG | Azure processes security rules in priority order. The lower the number, the higher the priority. We recommend that you leave a gap between priority numbers when you create rules, such as 100, 200, and 300. Leaving gaps makes it easier to add rules in the future so that you can give them higher or lower priority than existing rules. |

+ | **Name** | A unique name for the rule within the NSG | The name can be up to 80 characters. It must begin with a letter or number, and it must end with a letter, number, or underscore. The name can contain only letters, numbers, underscores, periods, or hyphens. |

+ | **Description** | A text description | You can optionally specify a text description for the security rule. The description can't be longer than 140 characters. |

+ :::image type="content" source="./media/manage-network-security-group/add-security-rule.png" alt-text="Screenshot that shows adding a security rule to a network security group in the Azure portal.":::

+Use [Add-AzNetworkSecurityRuleConfig](/powershell/module/az.network/add-aznetworksecurityruleconfig) to create an NSG rule.

+Use [az network nsg rule create](/cli/azure/network/nsg/rule#az-network-nsg-rule-create) to create an NSG rule.

+An NSG contains zero or more rules. To learn more about the list of information when you view the rules, see [Security rules](./network-security-groups-overview.md#security-rules).

+1. In the search box at the top of the portal, enter **Network security group**. Then select **Network security groups** in the search results.

+1. Select the name of the NSG for which you want to view the rules.

+1. Select **Inbound security rules** or **Outbound security rules**.

+ The list contains any rules that you created and the [default security rules](./network-security-groups-overview.md#default-security-rules) of your NSG.

+ :::image type="content" source="./media/manage-network-security-group/view-security-rules.png" alt-text="Screenshot that shows inbound security rules of a network security group in the Azure portal.":::

+Use [Get-AzNetworkSecurityRuleConfig](/powershell/module/az.network/get-aznetworksecurityruleconfig) to view the security rules of an NSG.

+Use [az network nsg rule list](/cli/azure/network/nsg/rule#az-network-nsg-rule-list) to view the security rules of an NSG.

+### View the details of a security rule

+1. In the search box at the top of the portal, enter **Network security group**. Then select **Network security groups** in the search results.

+1. Select the name of the NSG for which you want to view the rules.

+1. Select **Inbound security rules** or **Outbound security rules**.

+1. Select the rule for which you want to view details. For an explanation of all settings, see [Security rule settings](#security-rule-settings).

+ > [!NOTE]

+ > This procedure applies only to a custom security rule. It doesn't work if you choose a default security rule.

+ :::image type="content" source="./media/manage-network-security-group/view-security-rule-details.png" alt-text="Screenshot that shows the details of an inbound security rule of a network security group in the Azure portal.":::

+Use [Get-AzNetworkSecurityRuleConfig](/powershell/module/az.network/get-aznetworksecurityruleconfig) to view the details of a security rule.

+> This procedure applies only to a custom security rule. It doesn't work if you choose a default security rule.

+Use [az network nsg rule show](/cli/azure/network/nsg/rule#az-network-nsg-rule-show) to view the details of a security rule.

+> This procedure applies only to a custom security rule. It doesn't work if you choose a default security rule.

+1. In the search box at the top of the portal, enter **Network security group**. Then select **Network security groups** in the search results.

+1. Select the name of the NSG for which you want to view the rules.

+1. Select **Inbound security rules** or **Outbound security rules**.

+1. Select the rule that you want to change.

+1. Change the settings as needed, and then select **Save**. For an explanation of all settings, see [Security rule settings](#security-rule-settings).

+ :::image type="content" source="./media/manage-network-security-group/change-security-rule.png" alt-text="Screenshot that shows changing the inbound security rule details of a network security group in the Azure portal.":::

+ > This procedure applies only to a custom security rule. You aren't allowed to change a default security rule.

+Use [Set-AzNetworkSecurityRuleConfig](/powershell/module/az.network/set-aznetworksecurityruleconfig) to update an NSG rule.

+> This procedure applies only to a custom security rule. You aren't allowed to change a default security rule.

+Use [az network nsg rule update](/cli/azure/network/nsg/rule#az-network-nsg-rule-update) to update an NSG rule.

+> This procedure applies only to a custom security rule. You aren't allowed to change a default security rule.

+1. In the search box at the top of the portal, enter **Network security group**. Then select **Network security groups** in the search results.

+1. Select the name of the NSG for which you want to view the rules.

+1. Select **Inbound security rules** or **Outbound security rules**.

+1. Select the rules that you want to delete.

+1. Select **Delete**, and then select **Yes**.

+ :::image type="content" source="./media/manage-network-security-group/delete-security-rule.png" alt-text="Screenshot that shows deleting an inbound security rule of a network security group in the Azure portal.":::

+ > This procedure applies only to a custom security rule. You aren't allowed to delete a default security rule.

+Use [Remove-AzNetworkSecurityRuleConfig](/powershell/module/az.network/remove-aznetworksecurityruleconfig) to delete a security rule from an NSG.

+> This procedure applies only to a custom security rule. You aren't allowed to change a default security rule.

+Use [az network nsg rule delete](/cli/azure/network/nsg/rule#az-network-nsg-rule-delete) to delete a security rule from an NSG.

+> This procedure applies only to a custom security rule. You aren't allowed to change a default security rule.

+An application security group contains zero or more network interfaces. To learn more, see [Application security groups](./network-security-groups-overview.md#application-security-groups). All network interfaces in an application security group must exist in the same virtual network. To learn how to add a network interface to an application security group, see [Add a network interface to an application security group](virtual-network-network-interface.md#add-or-remove-from-application-security-groups).

+1. In the search box at the top of the portal, enter **Application security group**. Then select **Application security groups** in the search results.

+1. Select **+ Create**.

+1. On the **Create an application security group** page, under the **Basics** tab, enter or select the following values:

+ | Resource group | Select an existing resource group, or create a new one by selecting **Create new**. This example uses the `myResourceGroup` resource group. |

+ | Name | Enter a name for the application security group that you're creating. |

+ | Region | Select the region in which you want to create the application security group. |

+ :::image type="content" source="./media/manage-network-security-group/create-application-security-group.png" alt-text="Screenshot that shows creating an application security group in the Azure portal.":::

+1. Select **Review + create**.

+1. After you see the **Validation passed** message, select **Create**.

+Use [New-AzApplicationSecurityGroup](/powershell/module/az.network/new-azapplicationsecuritygroup) to create an application security group.

+Use [az network asg create](/cli/azure/network/asg#az-network-asg-create) to create an application security group.

+In the search box at the top of the portal, enter **Application security group**. Then select **Application security groups** in the search results. A list of your application security groups appears in the Azure portal.

+Use [Get-AzApplicationSecurityGroup](/powershell/module/az.network/get-azapplicationsecuritygroup) to list all the application security groups in your Azure subscription.

+Use [az network asg list](/cli/azure/network/asg#az-network-asg-list) to list all the application security groups in a resource group.

+### View the details of a specific application security group

+1. In the search box at the top of the portal, enter **Application security group**. Then select **Application security groups** in the search results.

+1. Select the application security group for which you want to view the details.

+Use [Get-AzApplicationSecurityGroup](/powershell/module/az.network/get-azapplicationsecuritygroup) to view the details of an application security group.

+Use [az network asg show](/cli/azure/network/asg#az-network-asg-show) to view the details of an application security group.

+1. In the search box at the top of the portal, enter **Application security group**. Then select **Application security groups** in the search results.

+1. Select the application security group that you want to change:

+ - Select **move** next to **Resource group** or **Subscription** to change the resource group or subscription, respectively.

+ - Select **edit** next to **Tags** to add or remove tags. To learn more, see [Use tags to organize your Azure resources and management hierarchy](../azure-resource-manager/management/tag-resources.md).

+ :::image type="content" source="./media/manage-network-security-group/change-application-security-group.png" alt-text="Screenshot that shows changing an application security group in the Azure portal.":::

+ > [!NOTE]

+ > You can't change the location of an application security group.

+ - Select **Access control (IAM)** to assign or remove permissions to the application security group.

+You can't change an application security group by using PowerShell.

+> You can't change the resource group, subscription, or location of an application security group by using the Azure CLI.

+1. In the search box at the top of the portal, enter **Application security group**. Then select **Application security groups** in the search results.

+1. Select the application security group that you want to delete.

+1. Select **Delete**, and then select **Yes** to delete the application security group.

+ :::image type="content" source="./media/manage-network-security-group/delete-application-security-group.png" alt-text="Screenshot that shows deleting an application security group in the Azure portal.":::

+To manage NSGs, security rules, and application security groups, your account must be assigned to the [Network Contributor](../role-based-access-control/built-in-roles.md?toc=%2fazure%2fvirtual-network%2ftoc.json#network-contributor) role. You can also use a [custom role](../role-based-access-control/custom-roles.md?toc=%2fazure%2fvirtual-network%2ftoc.json) with the appropriate permissions assigned, as listed in the following tables.

+> You might *not* see the full list of service tags if the Network Contributor role was assigned at a resource group level. To view the full list, you can assign this role at a subscription scope instead. If you can only allow the Network Contributor role for the resource group, you can then also create a custom role for the permissions `Microsoft.Network/locations/serviceTags/read` and `Microsoft.Network/locations/serviceTagDetails/read`. Assign them at a subscription scope along with the Network Contributor role at the resource group scope.

+| `Microsoft.Network/networkSecurityGroups/read` | Get an NSG. |

+| `Microsoft.Network/networkSecurityGroups/write` | Create or update an NSG. |

+| `Microsoft.Network/networkSecurityGroups/delete` | Delete an NSG. |

+| `Microsoft.Network/networkSecurityGroups/join/action` | Associate an NSG to a subnet or network interface.

+> [!NOTE]

+> To perform `write` operations on an NSG, the subscription account must have at least `read` permissions for the resource group along with `Microsoft.Network/networkSecurityGroups/write` permission.

+| `Microsoft.Network/networkSecurityGroups/securityRules/read` | Get a rule. |

+| `Microsoft.Network/networkSecurityGroups/securityRules/write` | Create or update a rule. |

+| `Microsoft.Network/networkSecurityGroups/securityRules/delete` | Delete a rule. |

+| `Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action` | Join an IP configuration to an application security group.|

+| `Microsoft.Network/applicationSecurityGroups/joinNetworkSecurityRule/action` | Join a security rule to an application security group. |

+| `Microsoft.Network/applicationSecurityGroups/read` | Get an application security group. |

+| `Microsoft.Network/applicationSecurityGroups/write` | Create or update an application security group. |

+| `Microsoft.Network/applicationSecurityGroups/delete` | Delete an application security group. |

+## Related content

+- Create and assign [Azure Policy definitions](./policy-reference.md) for virtual networks.

+description: Learn how to deploy virtual appliances and route tables to create a multitier application environment in Azure.

+A common scenario among larger Azure customers is the need to provide a two-tiered application that's exposed to the internet while it also allows access to the back tier from an on-premises datacenter. This article walks you through a scenario that uses route tables, a VPN gateway, and network virtual appliances to deploy a two-tiered environment that meets the following requirements:

+* A web application must be accessible from the public internet only.

+* A web server that hosts the application must be able to access a back-end application server.

+* All traffic from the internet to the web application must go through a firewall virtual appliance. This virtual appliance is used for internet traffic only.

+* All traffic that goes to the application server must go through a firewall virtual appliance. This virtual appliance is used for access to the back-end server, and for access coming in from the on-premises network via a VPN gateway.

+* Administrators must be able to manage the firewall virtual appliances from their on-premises computers by using a third firewall virtual appliance that's used exclusively for management purposes.

+This example is a standard perimeter network (also known as DMZ) scenario with a DMZ and a protected network. You can construct this scenario in Azure by using network security groups (NSGs), firewall virtual appliances, or a combination of both.

+The following table shows some of the pros and cons for NSGs and firewall virtual appliances.

+| NSG | No cost. <br/>Integrated into Azure role-based access. <br/>Ability to create rules in Azure Resource Manager templates. | Complexity could vary in larger environments. |

+| Firewall | Full control over data plane. <br/> Central management through firewall console. |Cost of firewall appliance. <br/> Not integrated with Azure role-based access. |

+You can deploy the preceding environment in Azure by using features that are available today:

+* **Virtual network**: An Azure virtual network acts in a similar fashion to an on-premises network. You can segment it into one or more subnets to provide traffic isolation and separation of concerns.

+* **Virtual appliance**: Several partners provide virtual appliances in Azure Marketplace to use for the three firewalls described previously.

+* **Route tables**: Route tables are used by Azure networking to control the flow of packets within a virtual network. You can apply these route tables to subnets. You can apply a route table to `GatewaySubnet`, which forwards all traffic that enters into the Azure virtual network from a hybrid connection to a virtual appliance.

+* **IP forwarding**: By default, the Azure networking engine forwards packets to virtual network interface cards (NICs) only if the packet destination IP address matches the NIC IP address. If a route table defines that a packet must be sent to a specific virtual appliance, the Azure networking engine drops that packet. To ensure that the packet is delivered to a VM (in this case a virtual appliance) that isn't the actual destination for the packet, enable IP forwarding for the virtual appliance.

+* **Network security groups**: The following example doesn't make use of NSGs, but you can use NSGs applied to the subnets or NICs in this solution. The NSGs further filter the traffic in and out of those subnets and NICs.

+In this example, a subscription contains the following items:

+* Two resource groups (not shown in the diagram):

+ * `ONPREMRG`: Contains all resources necessary to simulate an on-premises network.

+ * `AZURERG`: Contains all resources necessary for the Azure virtual network environment.

+* A virtual network named `onpremvnet` is segmented and used to mimic an on-premises datacenter:

+ * `onpremsn1`: A subnet that contains a virtual machine (VM) running a Linux distribution to mimic an on-premises server.

+ * `onpremsn2`: A subnet that contains a VM running a Linux distribution to mimic an on-premises computer used by an administrator.

+* One firewall virtual appliance is named `OPFW` on `onpremvnet`. It's used to maintain a tunnel to `azurevnet`.

+* A virtual network named `azurevnet` is segmented as follows:

+ * `azsn1`: An external firewall subnet used exclusively for the external firewall. All internet traffic comes in through this subnet. This subnet contains only a NIC linked to the external firewall.

+ * `azsn2`: A front-end subnet that hosts a VM running as a web server that's accessed from the internet.

+ * `azsn3`: A back-end subnet that hosts a VM running a back-end application server accessed by the front-end web server.

+ * `azsn4`: A management subnet used exclusively to provide management access to all firewall virtual appliances. This subnet contains only a NIC for each firewall virtual appliance used in the solution.

+ * `GatewaySubnet`: An Azure hybrid connection subnet that's required for Azure ExpressRoute and Azure VPN Gateway to provide connectivity between Azure virtual networks and other networks.

+* Three firewall virtual appliances are in the `azurevnet` network:

+ * `AZF1`: An external firewall exposed to the public internet by using a public IP address resource in Azure. You need to ensure that you have a template from Azure Marketplace or directly from your appliance vendor that deploys a three-NIC virtual appliance.

+ * `AZF2`: An internal firewall used to control traffic between `azsn2` and `azsn3`. This firewall is also a three-NIC virtual appliance.

+ * `AZF3`: A management firewall accessible to administrators from the on-premises datacenter and connected to a management subnet that's used to manage all firewall appliances. You can find two-NIC virtual appliance templates in Azure Marketplace. You can also request one directly from your appliance vendor.

+Link each subnet in Azure to a route table to define how traffic initiated in that subnet is routed. If no user-defined routes (UDRs) are defined, Azure uses default routes to allow traffic to flow from one subnet to another. To better understand route tables and traffic routing, see [Azure virtual network traffic routing](virtual-networks-udr-overview.md).

+To ensure that communication is done through the proper firewall appliance, based on the last requirement listed previously, you must create the following route table in `azurevnet`.

+In this scenario, the only traffic that flows from on-premises to Azure is used to manage the firewalls by connecting to `AZF3`, and that traffic must go through the internal firewall, `AZF2`. Only one route is necessary in `GatewaySubnet`, as shown here:

+| 10.0.4.0/24 | 10.0.3.11 | Allows on-premises traffic to reach management firewall `AZF3`. |

+| 10.0.3.0/24 | 10.0.2.11 |Allows traffic to the back-end subnet that hosts the application server through `AZF2`. |

+| 0.0.0.0/0 | 10.0.2.10 |Allows all other traffic to be routed through `AZF1`. |

+| 10.0.2.0/24 |10.0.3.10 |Allows traffic to `azsn2` to flow from an app server to the web server through `AZF2`. |

+You also need to create route tables for the subnets in `onpremvnet` to mimic the on-premises datacenter.

+| 192.168.2.0/24 | 192.168.1.4 |Allows traffic to `onpremsn2` through `OPFW`. |

+| 10.0.3.0/24 |192.168.2.4 |Allows traffic to the back-end subnet in Azure through `OPFW`. |

+| 192.168.1.0/24 | 192.168.2.4 |Allows traffic to `onpremsn1` through `OPFW`. |

+## IP forwarding

+Route tables and IP forwarding are features that you can use in combination to allow virtual appliances to control traffic flow in an Azure virtual network. A virtual appliance is nothing more than a VM that runs an application used to handle network traffic in some way, such as a firewall or a network address translation device.

+This virtual appliance VM must be able to receive incoming traffic that isn't addressed to itself. To allow a VM to receive traffic addressed to other destinations, you must enable IP forwarding for the VM. This setting is an Azure setting, not a setting in the guest operating system. Your virtual appliance still needs to run some type of application to handle the incoming traffic and route it appropriately.

+To learn more about IP forwarding, see [Azure virtual network traffic routing](virtual-networks-udr-overview.md).

+As an example, imagine that you have the following setup in an Azure virtual network:

+* Subnet `onpremsn1` contains a VM named `onpremvm1`.

+* Subnet `onpremsn2` contains a VM named `onpremvm2`.

+* A virtual appliance named `OPFW` is connected to `onpremsn1` and `onpremsn2`.

+* A UDR linked to `onpremsn1` specifies that all traffic to `onpremsn2` must be sent to `OPFW`.

+At this point, if `onpremvm1` tries to establish a connection with `onpremvm2`, the UDR is used, and traffic is sent to `OPFW` as the next hop. The actual packet destination isn't being changed. It still says that `onpremvm2` is the destination.

+Without IP forwarding enabled for `OPFW`, the Azure virtual networking logic drops the packets because it allows only packets to be sent to a VM if the VM's IP address is the destination for the packet.

+With IP forwarding, the Azure virtual network logic forwards the packets to `OPFW`, without changing its original destination address. `OPFW` must handle the packets and determine what to do with them.

+For the previous scenario to work, you must enable IP forwarding on the NICs for `OPFW`, `AZF1`, `AZF2`, and `AZF3` that are used for routing (all NICs except the ones linked to the management subnet).

+## Firewall rules

+As described previously, IP forwarding only ensures that packets are sent to the virtual appliances. Your appliance still needs to decide what to do with those packets. In the previous scenario, you need to create the following rules in your appliances.

+OPFW represents an on-premises device that contains the following rules:

+* **Route**: All traffic to 10.0.0.0/16 (`azurevnet`) must be sent through the tunnel `ONPREMAZURE`.

+* **Policy**: Allow all bidirectional traffic between `port2` and `ONPREMAZURE`.

+`AZF1` represents an Azure virtual appliance that contains the following rule:

+**Policy**: Allow all bidirectional traffic between `port1` and `port2`.

+`AZF2` represents an Azure virtual appliance that contains the following rule:

+**Policy**: Allow all bidirectional traffic between `port1` and `port2`.

+`AZF3` represents an Azure virtual appliance that contains the following rule:

+**Route**: All traffic to 192.168.0.0/16 (`onpremvnet`) must be sent to the Azure gateway IP address (that is, 10.0.0.1) through `port1`.

+## Network security groups

+In this scenario, NSGs aren't being used. However, you can apply NSGs to each subnet to restrict incoming and outgoing traffic. For instance, you can apply the following NSG rules to the external firewall subnet.

+* Allow all TCP traffic from the internet to port 80 on any VM in the subnet.

+* Deny all other traffic from the internet.

+Deny all traffic to the internet.

+## High-level steps

+To deploy this scenario, follow these steps:

+1. Sign in to your Azure subscription.

+1. If you want to deploy a virtual network to mimic the on-premises network, deploy the resources that are part of `ONPREMRG`.

+1. Deploy the resources that are part of `AZURERG`.

+1. Deploy the tunnel from `onpremvnet` to `azurevnet`.

+1. After all resources are provisioned, sign in to `onpremvm2` and ping 10.0.3.101 to test connectivity between `onpremsn2` and `azsn3`.

+ Title: 'Enable MFA for VPN users: Microsoft Entra ID authentication'

+# Enable multifactor authentication (MFA) for P2S VPN - Microsoft Entra ID authentication

+ Title: Gateway SKU mappings

+description: Learn about the changes for virtual network gateway SKUs for VPN Gateway.

+# VPN Gateway SKU consolidation and migration

+We're simplifying our VPN Gateway SKU portfolio. Due to the lack of redundancy, lower availability, and potential higher costs associated with additional failover solutions, we're transitioning all non availability zone (AZ) supported SKUs to AZ supported SKUs. This article helps you understand the upcoming changes for VPN Gateway virtual network gateway SKUs. This article expands on the official announcement.

+* **Effective January 1, 2025**: Creation of new VPN gateways using VpnGw1-5 SKUs (non-AZ) will no longer be possible.

+* **Migration period**: From April 2025 to October 2026, all existing VPN gateways using VpnGw1-5 SKUs (non-AZ SKUs) will be seamlessly migrated to VpnGw1-5 SKUs (AZ).

+To support this migration, we're reducing the prices on AZ SKUs. Refer to the [pricing page](https://azure.microsoft.com/pricing/details/vpn-gateway/) to select the appropriate SKU for your organization.

+> [!NOTE]

+> This article doesn't apply to the following legacy gateway SKUs: Standard or High Performance. For information legacy SKUS, including legacy SKU migration, see [Working with VPN Gateway legacy SKUs](vpn-gateway-about-skus-legacy.md).

+## Mapping old SKUs to new SKUs

+The following diagram shows current SKUs and the new SKUs they'll automatically be migrated to.

+## FAQ

+### What actions do I need to take?

+There are no actions that you need to take. If your gateway currently uses one of the SKUs listed in previous section, we'll migrate the gateway for you. When we perform the migration, the migration is seamless. There's no downtime expected. You'll be notified in advance about migration for your gateway. We recommend that you don't change your SKU manually in anticipation of SKU migration unless you want to upgrade to a higher SKU.

+### What is the timeline?

+Migration will begin after March 2025. You'll be notified when your gateway will be migrated.

+### Can I create new gateways using the older SKUs?

+No. You can't create a new gateway using VpnGw1-5 SKUs (non-AZ SKUs) after January 2025.

+### How long will my existing gateway SKUs be supported?

+The existing gateway SKUs are supported until they're migrated to AZ SKUs. The targeted deprecation for non-AZ SKUs is September 16, 2026. There will be no impact to existing AZ SKUs.

+### Will there be any pricing differences for my gateways after migration?

+Yes. On January 1, 2025 you can see the new [Pricing](https://azure.microsoft.com/pricing/details/vpn-gateway). Until that date, the pricing changes won't show on the pricing page.

+### When does new AZ pricing take effect?

+Yes. The new pricing timeline is:

+* If your existing gateway uses a VpnGw1-5 SKU, new pricing starts after your gateway is migrated.

+* If your existing gateway uses a VpnGw1AZ-5AZ SKU, new pricing starts January 1, 2025.

+### Can I deploy VpnGw 1-5 AZ SKUs in all regions?

+Yes, you can deploy AZ SKUs in all regions. If a region doesn't currently support availability zones, you can still create VPN Gateway AZ SKUs, but the deployment will remain regional.

+### Will there be downtime during migrating my Non-AZ gateways?

+No. This migration is seamless and there's no expected downtime during migration.

+### Will there be any performance impact on my gateways with this migration?

+Yes. AZ SKUs get the benefits of Zone redundancy for VPN gateways in [zone redundant regions](https://learn.microsoft.com/azure/reliability/availability-zones-service-support). If the region doesn't support zone redundancy, the gateway is regional until the region it's deployed to supports zone redundancy.

+### Is VPN Gateway Basic SKU retiring?

+No, the VPN Gateway Basic SKU isn't retiring. You can create a VPN gateway using the Basic gateway SKU via [PowerShell](create-gateway-basic-sku-powershell.md) or CLI. Currently, the VPN Gateway Basic SKU supports only the Basic SKU public IP address resource (which is on a path to retirement). We're working on adding support for the Standard SKU public IP address resource to the VPN Gateway Basic SKU.

+### When will my Standard and HighPerformance gateway be migrated?

+Standard and HighPerformance gateway will be migrated to AZ gateways in CY26. For more information, see this [announcement](https://azure.microsoft.com/updates/standard-and-highperformance-vpn-gateway-skus-will-be-retired-on-30-september-2025/) and [Working with VPN Gateway legacy SKUs](vpn-gateway-about-skus-legacy.md).

+## Next steps

+For more information about SKUs, see [About gateway SKUs](about-gateway-skus.md).

+ Title: 'Enable MFA for VPN users - Microsoft Entra ID authentication'

+# Enable Microsoft Entra ID multifactor authentication (MFA) for P2S VPN users

+ "10.1.0.0/24"

+ "10.1.0.0/24"

+ "10.1.0.0/24"

+ "10.1.0.0/24"

+ "10.1.0.0/24"

+ /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroupsTestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW

+ /subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/TestRG5/providers/Microsoft.Network/virtualNetworkGateways/VNet5GW

+ $vnet5gw.Id = "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/TestRG5/providers/Microsoft.Network/virtualNetworkGateways/VNet5GW"

+ $vnet1gw.Id = "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/TestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW "