+## Understand cost savings

+Azure Advisor provides recommendations for resizing/shutting down underutilized resources, purchasing compute reserved instances, and savings plans for compute.

+These recommendations contain one or more calls-to-action and forecasted savings from following the recommendations. Recommendations should be followed in a specific order: rightsizing/shutdown, followed by reservation purchases, and finally, the savings plan purchase. This sequence allows each step to impact the subsequent ones positively.

+For example, rightsizing or shutting down resources reduces on-demand costs immediately. This change in your usage pattern essentially invalidates your existing reservation and savings plan recommendations, as they were based on your pre-rightsizing usage and costs. Updated reservation and savings plan recommendations (and their forecasted savings) should appear within three days.

+The forecasted savings from reservations and savings plans are based on actual rates and usage, while the forecasted savings from rightsizing/shutdown are based on retail rates. The actual savings may vary depending on the usage patterns and rates. Assuming there are no material changes to your usage patterns, your actual savings from reservations and savings plan should be in line with the forecasts. Savings from rightsizing/shutdown vary based on your actual rates. This is important if you intend to track cost savings forecasts from Azure Advisor.

+The direct management API in Azure API Management is deprecated and will be retired effective 15 March 2025. You should discontinue use of the direct management API to configure and manage your API Management instance programmatically, and migrate to the standard Azure Resource Manager-based API instead.

+A built-in [direct management API](/rest/api/apimanagement/apimanagementrest/api-management-rest) to programmatically manage your API Management instance is disabled by default but can be enabled in the Premium, Standard, Basic, and Developer tiers of API Management. This API is deprecated. While your API Management instance isn't affected by this change, any tool, script, or program that uses the direct management API to interact with the API Management service is affected by this change. You'll be unable to run those tools successfully after the retirement date unless you update the tools to use the standard [Azure Resource Manager-based REST API](/rest/api/apimanagement) for API Management.

+The direct management API is deprecated. Support for the direct management API will no longer be available after 15 March 2025.

+You should no longer use the direct management API. Before the retirement date, update your tools, scripts, and programs to use equivalent operations in the Azure Resource Manager-based REST API instead.

+| max-size | Maximum length of the body of the request or response in bytes, checked against the `Content-Length` header. If the request body or response body is compressed, this value is the decompressed length. Maximum allowed value: 4 MB. Policy expressions are allowed. | Yes | N/A |

+## Subnet requirements

+ kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/https-scenario/ssl-termination/deployment.yaml

+ kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/https-scenario/ssl-termination/deployment.yaml

+ **Workaround**: Use `Start-AutomationRunbook` ([internal cmdlet](/azure/automation/shared-resources/modules#internal-cmdlets)) or `Start-AzAutomationRunbook` (from [Az.Automation module](/powershell/module/Az.Automation/Start-AzAutomationRunbook)) to start another runbook from parent runbook.

+> [!Important]

+> Azure Automation Agent-based User Hybrid Runbook Worker (Windows and Linux) has retired on **31 August 2024** and is no longer supported. Follow the guidelines on how to [migrate from an existing Agent-based User Hybrid Runbook Workers to Extension-based Hybrid Workers](migrate-existing-agent-based-hybrid-worker-to-extension-based-workers.md).

+> [!NOTE]

+> Azure Automation Run As Account has retired on September 30, 2023 and is replaced with Managed Identities. Follow the guidelines on [how to start migrating your runbooks to use managed identities](automation-security-overview.md#managed-identities). For more information, see [migrating from an existing Run As accounts to managed identity](migrate-run-as-accounts-managed-identity.md#sample-scripts).

+* User Hybrid Runbook Workers (extension-based and agent-based)

+* Machines managed by Azure Automation Update management and Azure Automation Change tracking & inventory

+* Azure Automation DSC nodes

+From **31 October 2024**, all agent-based and extension-based User Hybrid Runbook Workers, Webhooks, DSC nodes and Azure Automation Update management and Change Tracking managed machines, using Transport Layer Security (TLS) 1.0 and 1.1 protocols would no longer be able to connect to Azure Automation. All jobs running or scheduled on Hybrid Workers using TLS 1.0 and 1.1 protocols will fail.

+Ensure that the Webhook calls that trigger runbooks navigate on TLS 1.2 or higher. Learn how to [disable TLS 1.0/1.1 protocols on Windows Hybrid Worker and enable TLS 1.2 or above](/system-center/scom/plan-security-tls12-config#configure-windows-operating-system-to-only-use-tls-12-protocol) on Windows machine.

+> [!Important]

+> Azure Automation Agent-based User Hybrid Runbook Worker (Windows and Linux) has retired on **31 August 2024** and is no longer supported. Follow the guidelines in this article on how to migrate from an existing Agent-based User Hybrid Runbook Workers to Extension-based Hybrid Workers.

+A dynamic group is defined by a query that Azure Automation evaluates at deployment time. Even if a dynamic group query retrieves a large number of machines, Azure Automation can process only a maximum of 1000 machines at a time.

+Following are limits that apply to Update Management:

+| **Resource** | **Limit**| **Notes** |

+||||

+|Number of machines per update deployment|1000||

+|Number of dynamic groups per update deployment |500 ||

+### Not able to connect - network and internet connectivity validation failed

+When deploying Arc resource bridge, you may receive an error with `errorCode` as `PostOperationsError`, `errorResponse` as code `GuestInternetConnectivityError` with a URL specifying port 53 (DNS). This may be due to the appliance VM IPs being unable to reach DNS servers, so they can't resolve the endpoint specified in the error.

+Error example:

+`{ _errorCode_: _PostOperationsError_, _errorResponse_: _{\n\_message\_: \_{\\n ΓÇ»\\\_code\\\_:\\\_GuestInternetConnectivityError\\\_,\\n\\\_message\\\_:\\\_Not able to connect to http://aszhcitest01.company.org:55000. Error returned: action failed after 5 attempts: Get \\\\\\\_http://aszhcitest01.company.org:55000\\\\\\\_: dial tcp: lookup aszhcitest01.company.org on 127.0.0.53:53: read udp 127.0.0.1:32975-\\u003e127.0.0.53:53: i/o timeout. Arc Resource Bridge network and internet connectivity validation failed: cloud-agent-connectivity-test. 1. check your networking setup and ensure the URLs mentioned in : https://aka.ms/AAla73m are reachable from the Appliance VM. ΓÇ» 2. Check firewall/proxy settings\\\_\\n }\_\n}_ }`

+Error example:

+`{ _errorCode_: _PostOperationsError_, _errorResponse_: _{\n\_message\_: \_{\\n ΓÇ»\\\_code\\\_: \\\_GuestInternetConnectivityError\\\_,\\n ΓÇ»\\\_message\\\_: \\\_Not able to connect to https://linuxgeneva-microsoft.azurecr.io. Error returned: action failed after 5 attempts: Get \\\\\\\_https://linuxgeneva-microsoft.azurecr.io\\\\\\\_: dial tcp: lookup linuxgeneva-microsoft.azurecr.io on 127.0.0.53:53: server misbehaving. Arc Resource Bridge network and internet connectivity validation failed: http-connectivity-test-arc. 1. Please check your networking setup and ensure the URLs mentioned in : https://aka.ms/AAla73m are reachable from the Appliance VM. ΓÇ» 2. Check firewall/proxy settings\\\_\\n }\_\n}_ }`

+To resolve the error, work with your network administrator to allow the appliance VM IPs to reach the DNS servers. For more information, see [Azure Arc resource bridge network requirements](network-requirements.md).

+- Create a resource with the same name, move Arc resource bridge to that new resource.

+`{ ""code"": ""PreflightcheckError"", ""message"": ""{\n \""code\"": \""InsufficientPrivilegesError\"",\n \""message\"": \""The provided vCenter account is missing required vSphere privileges on the resource 'root folder (MoRefId: Folder:group-d1)'. Missing privileges: [Sessions.ValidateSession]. add the privileges to the vCenter account and try again. To review the full list of required privileges, go to https://aka.ms/ARB-vsphere-privilege.\""\n }`

+| 4.x | PowerShell 7.4 | .NET 8 |

+| 4.x | PowerShell 7.2 (support ending) | .NET 6 |

+> [!NOTE]

+> Support for PowerShell 7.2 in Azure Functions ends on November 8, 2024. You might have to resolve some breaking changes when upgrading your PowerShell 7.2 functions to run on PowerShell 7.4. Follow this [migration guide](https://github.com/Azure/azure-functions-powershell-worker/wiki/Upgrading-your-Azure-Function-Apps-to-run-on-PowerShell-7.4) to upgrade to PowerShell 7.4.

+When running your PowerShell functions locally, you need to add the setting `"FUNCTIONS_WORKER_RUNTIME_VERSION" : "7.4"` to the `Values` array in the local.setting.json file in the project root. When running locally on PowerShell 7.4, your local.settings.json file looks like the following example:

+ "FUNCTIONS_WORKER_RUNTIME_VERSION" : "7.4"

+> In PowerShell Functions, the value "~7" for FUNCTIONS_WORKER_RUNTIME_VERSION refers to "7.0.x". We do not automatically upgrade PowerShell Function apps that have "~7" to "7.4". Going forward, for PowerShell Function Apps, we will require that apps specify both the major and minor version they want to target. Hence, it is necessary to mention "7.4" if you want to target "7.4.x"

+Take these considerations into account before you migrate your PowerShell function app to PowerShell 7.4:

+> [!NOTE]

+> Azure Functions support for PowerShell 7.4 is generally available (GA). You may see PowerShell 7.4 still indicated as preview in the Azure portal, but this will be updated soon to reflect the GA status.

+Replace `<SUBSCRIPTION_ID>`, `<RESOURCE_GROUP>`, and `<FUNCTION_APP>` with the ID of your Azure subscription, the name of your resource group and function app, respectively. Also, replace `<VERSION>` with `7.4`. You can verify the updated value of the `powerShellVersion` setting in `Properties` of the returned hash table.

+> [!NOTE]

+> If you do not provide a start date and time for the first recurrence, a recurrence will immediately run when you save the logic app, which might cause the VMs to start or stop before the scheduled run.

+> [!NOTE]

+> If you do not provide a start date and time for the first recurrence, a recurrence will immediately run when you save the logic app, which might cause the VMs to start or stop before the scheduled run.

+> + No further development, enhancements, or updates will be available for Start/Stop V2 except when required to remain on supported versions of components and Azure services.

+> + The TriggerAutoUpdate and UpdateStartStopV2 functions are now deprecated and will be removed in future updates to Start/Stop,V2. To update Start/Stop V2, we recommend that you stop the site, install to the latest version from our [GitHub repository](https://github.com/microsoft/startstopv2-deployments), and the start the site. No built-in notification system is available for updates. After an update to Start/Stop V2 becomes available, we will update the [readme.md](https://github.com/microsoft/startstopv2-deployments/blob/main/README.md) in the GitHub repository. Third-party Github file watchers might be available to enable you to be notified of changes. To disable the automatic update functionality, set the Function App's **AzureClientOptions:EnableAutoUpdate** [application setting](../functions-how-to-use-azure-function-app-settings.md?tabs=azure-portal%2Cto-premium#get-started-in-the-azure-portal) to **false**.

+>

+> + As of August 19, 2024. Start/Stop v2 has been updated to the [.NET 8 isolated worker model](../functions-versions.md?tabs=isolated-process%2Cv4&pivots=programming-language-csharp#languages).

+|TriggerAutoUpdate |Timer |Deprecated. This function starts the auto update process based on the application setting "**AzureClientOptions:EnableAutoUpdate=true**".|

+|UpdateStartStopV2 |Queue |Deprecated. This function performs the actual auto update execution, which validates your current version with the available version and decides the final action.|

+| `drawingchanged` | Fired when any coordinate in a shape is added or changed. |

+| `drawingcomplete` | Fired when a shape completes drawing or is taken out of edit mode. |

+| `drawingmodechanged` | Fired when the drawing mode changes. The new drawing mode is passed into the event handler. |

+For a complete working sample of how to display data from a vector tile source on the map, see [Drawing tools events] in the [Azure Maps Samples]. This sample enables you to draw shapes on the map and watch as the events fire. For the source code for this sample, see [Drawing tools events sample code].

+The following code shows how the drawing events can be used to create a measuring tool. The `drawingchanging` is used to monitor the shape, as it's being drawn. As the user moves the mouse, the dimensions of the shape are calculated. The `drawingcomplete` event is used to do a final calculation on the shape after drawing completes. The `drawingmodechanged` event is used to determine when the user is switching into a drawing mode. Also, the `drawingmodechanged` event clears the drawing canvas and clears old measurement information.

+The [Use a snapping grid] sample snaps an HTML marker to a grid when dragged. Drawing tools are used to snap drawn shapes to the grid when the `drawingcomplete` event fires. For the source code for this sample, see [Use a snapping grid source code].

+ * The HTML header includes CSS and JavaScript resource files hosted by the Azure Map Control library.

+ Some things to know regarding this JavaScript:

+The map so far only looks at the longitude/latitude data for the search results. However, the raw JSON that the Maps Search service returns contains additional information about each gas station. Including the name and street address. You can incorporate that data into the map with interactive popup boxes.

+| 9 | cron |

+# Collect firewall logs with Azure Monitor Agent

+This tutorial walks you through the Log Analytics interface, gets you started with some basic queries, and shows you how you can work with the results. You learn how to:

+> In this tutorial, you use Log Analytics features to build one query and use another example query. When you're ready to learn the syntax of queries and start directly editing the query itself, read the [Kusto Query Language tutorial](/azure/data-explorer/kusto/query/tutorial?pivots=azuremonitor). That tutorial walks you through example queries that you can edit and run in Log Analytics. It uses several of the features that you learn in this tutorial.

+> [!NOTE]

+> Log Analytics has two modes - Simple and KQL. *This tutorial walks you through KQL mode.* For information on Simple mode, see [Analyze data using Log Analytics Simple mode (Preview)](log-analytics-simple-mode.md).

+You can view the scope in the upper-left corner of the Logs experience, below the name of your active query tab. If you're using your own environment, you see an option to select a different scope. This option isn't available in the demo environment.

+* Select the link below **Useful links** (in this example [AppRequests](/azure/azure-monitor/reference/tables/AppRequests)) to go to the table reference that documents each table and its columns.

+* Select **Preview data** to have a quick look at a few recent records in the table. This preview can be useful to ensure it's the data you're expecting before you run a query with it.

+Let's write a query by using the **AppRequests** table. Double-click its name or hover over it and click on **Use in editor** to add it to the query window. You can also type directly in the window. You can even get IntelliSense which helps completing the names of tables in the current scope and Kusto Query Language (KQL) commands.

+You can see that we do have results. The number of records that the query returns appears in the lower-right corner. The maximum number of results that you can retrieve in the Log Analytics portal experience is 30,000.

+### Multiple filters

+Let's reduce our results further by adding another filter condition. A query can include any number of filters to target exactly the set of records that you want. On the left side of the screen where the **Tables** tab is active, select the **Filter** tab instead. If you can't find it, click on the ellipsis to view more tabs.

+On the **Filter** tab, select **Load old filters** to view the top 10 values for each filter.

+Select **Get Home/Index** under **Name**, then click on **Apply & Run**.

+In addition to helping you write and run queries, Log Analytics provides features for working with the results. Start by expanding a record to view the values for all of its columns by clicking the chevron on the left side of the row.

+Set a filter on the **DurationMs** column to limit the records to those that took more than **150** milliseconds.

+1. The results table allows you to filter just like in Excel. Select the ellipsis in the **Name** column header.

+1. Uncheck **Select All**, then search for **Get Home/Index** and check it. Filters are automatically applied to your results.

+In the sidebar, you see a list of all available columns. Drag the **Url** column into the **Row Groups** section. Results are now organized by that column, and you can collapse each group to help you with your analysis. This action is similar to adding a filter condition to the query, but instead of refetching data from the server, you're processing the data your original query returned. When you run the query again, Log Analytics retrieves data based on your original query. Use this method if you want to quickly analyze a set of records as part of interactive analysis.

+Let's look at a query that uses numerical data that we can view in a chart. Instead of building a query, we select an example query.

+Select **Queries** on the left pane. This pane includes example queries that you can add to the query window. If you're using your own workspace, you should have various queries in multiple categories.<!-- If you're using the demo environment, you might see only a single **Log Analytics workspaces** category. Expand that to view the queries in the category. -->

+Load the **Function Error rate** query in the **Applications** category to the editor. To do so, double-click the query or hover over the query name to show more information, then select **Load to editor**.

+Notice that the new query is separated from the other by a blank line. A query in KQL ends when it encounters a blank line, making them separate queries.

+Click anywhere in a query to select it, then click on the **Run** button to run it.

+* Spain Central

+* Spain Central

+* Spain Central

+| Spain/Sweden | Spain Central | Sweden Central |

+* Spain Central

+Linux clients can check the used and available capacity of a volume using the [`df -h`](https://linux.die.net/man/1/df). Using the `h` option displays the size, including used and available space in human readable format (using M, G and T unit sizes).

+If a volume create-read-update-delete (CRUD) operation is performed on a volume not in a terminal state, the operation will fail. Automation workflows and portal users should check for the terminal state of the volume before executing subsequent asynchronous operations on the volume.

+| The SMB or dual-protocol volume creation fails with the following error: <br> `{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InternalServerError", "message":"Error when creating - Could not query DNS server. Verify that the network configuration is correct and that DNS servers are available."}]}` | This error indicates that the DNS is not reachable. <br> Consider the following solutions: <ul><li>If you're using Basic network features, check if Active Directory Domain Services (AD DS) and the volume are being deployed in same region.</li> <li>Check if AD DS and the volume are using the same virtual network (VNet). If they're using different VNets, make sure that the VNets are peered with each other. See [Guidelines for Azure NetApp Files network planning](azure-netapp-files-network-topologies.md). </li> <li>The DNS server might have network security groups (NSGs) applied. As such, it does not allow the traffic to flow. In this case, open the NSGs to the DNS or AD to connect to various ports. For port requirements, see [Requirements for Active Directory connections](create-active-directory-connections.md#requirements-for-active-directory-connections). </li></ul> <br>The same solutions apply for Microsoft Entra Domain Services. Microsoft Entra Domain Services should be deployed in the same region. The VNet should be in the same region or peered with the VNet used by the volume. |

+| The SMB or dual-protocol volume creation fails with the following error: <br> `Failed to create the Active Directory machine account \"SMB-ANF-VOL\". Reason: Kerberos Error: KDC has no support for encryption type Details: Error: Machine account creation procedure failed [nnn]Loaded the preliminary configuration. [nnn]Successfully connected to ip 10.x.x.x, port 88 using TCP [nnn]FAILURE: Could not authenticate as 'contosa.com': KDC has no support for encryption type (KRB5KDC_ERR_ETYPE_NOSUPP) ` | Make sure that [AES Encryption](./create-active-directory-connections.md#create-an-active-directory-connection) is enabled for both the Active Directory connection and the service account. |

+| SMB volume creation fails with the following error: <br> `Failed to create the Active Directory machine account. Reason: LDAP Error: Intialization of LDAP library failed Details: Error: Machine account creation procedure failed` | This error occurs because the service or user account used in the Azure NetApp Files Active Directory connections does not have sufficient privilege to create computer objects or make modifications to the newly created computer object. <br> To resolve the issue, grant the account being used greater privilege. You can apply a default role with sufficient privileges or delegate more privilege to the user, service account, or group it's part of. |

+| Dual-protocol volume creation fails with the error `Failed to validate LDAP configuration, try again after correcting LDAP configuration`. | The pointer (PTR) record of the Active Directory (AD) host machine might be missing on the DNS server. You need to create a reverse lookup zone on the DNS server, and then add a PTR record of the AD host machine in that reverse lookup zone. <br> For example, assume that the IP address of the AD machine is `10.x.x.x`, the hostname of the AD machine (as found by using the `hostname` command) is `AD1`, and the domain name is `contoso.com`. The PTR record added to the reverse lookup zone should be `10.x.x.x` -> `contoso.com`. |

+| Dual-protocol volume creation fails with the error `Could not query DNS server. Verify that the network configuration is correct and that DNS servers are available`. | This error indicates that DNS is not reachable. The reason might be because DNS IP is incorrect, or there's a networking issue. Check the DNS IP entered in AD connection and make sure that the IP is correct. <br> If you're using Basic network features, make sure that the AD configuration and the volume are in same region and in same VNet. If they are in different VNets, ensure that VNet peering is established between the two VNets. <br> See [Guidelines for Azure NetApp Files network planning](azure-netapp-files-network-topologies.md#azure-native-environments) for details. |

+|`Volume creation fails due to unreachable DNS server` | Two possible solutions are available: <br> <ul><li> This error indicates that DNS is not reachable. The reason might be an incorrect DNS IP or a networking issue. Check the DNS IP entered in the AD connection and make sure that the IP is correct. </li> <li> If you're using Basic network features, ensure that the AD and the volume are in same region and in same VNet. If they are in different VNets, ensure that VNet peering is established between the two VNets. </li></ul> |

+| Error when creating an SMB volume with LDAP enabled as true: <br> `Error Message: ldapEnabled option is only supported with NFS protocol volume. ` | You cannot create an SMB volume with LDAP enabled. <br> Create SMB volumes with LDAP disabled. |

+| Error when creating an LDAP-enabled NFS volume: <br> `Could not query DNS server` <br> `Sample error message:` <br> `"log": time="2020-10-21 05:04:04.300" level=info msg=Res method=GET url=/v2/Volumes/070d0d72-d82c-c893-8ce3-17894e56cea3 x-correlation-id=9bb9e9fe-abb6-4eb5-a1e4-9e5fbb838813 x-request-id=c8032cb4-2453-05a9-6d61-31ca4a922d85 xresp="200: {\"created\":\"2020-10-21T05:02:55.000Z\",\"lifeCycleState\":\"error\",\"lifeCycleStateDetails\":\"Error when creating - Could not query DNS server. Verify that the network configuration is correct and that DNS servers are available.\",\"name\":\"smb1\",\"ownerId\ \":\"8c925a51-b913-11e9-b0de-9af5941b8ed0\",\"region\":\"westus2stage\",\"volumeId\":\"070d0d72-d82c-c893-8ce3-` | This error occurs because DNS is unreachable. <br> <ul><li> Check if you've configured the correct site (site scoping) for Azure NetApp Files. </li><li> The reason that DNS is unreachable might be an incorrect DNS IP address or networking issues. Check the DNS IP address entered in the AD connection to make sure that it is correct. </li><li> If you're using Basic network features, ensure that the AD and the volume are in the same region and the same VNet. If they are in different VNets, ensure that VNet peering is established between the two VNets.</li></ul> |

+For predictable Active Directory Domain Services operations with Azure NetApp Files volumes, reliable and low-latency network connectivity (equal to or less than 10 milliseconds [ms] roundtrip time [RTT]) to AD DS domain controllers is highly recommended. Poor network connectivity or high network latency between Azure NetApp Files and AD DS domain controllers can cause client access interruptions or client timeouts.

+For more information on Microsoft Active Directory requirements for network latency over a wide-area network, see

+| Security Account Manager (SAM)/Local Security Authority (LSA)/SMB | 445 | TCP, UDP |

+Azure NetApp Files initiates domain controller discovery every four hours. Azure NetApp Files queries the site-specific DNS service resource (SRV) record to determine which domain controllers are in the AD DS site specified in the **AD Site Name** field of the Azure NetApp Files AD connection. Azure NetApp Files domain controller server discovery checks the status of the services hosted on the domain controllers (such as Kerberos, LDAP, Net Logon, and LSA) and selects the optimal domain controller for authentication requests.

+The DNS SRV records for the AD DS site specified in the AD Site name field of the Azure NetApp Files AD connection must contain the list of IP addresses for the AD DS domain controllers that will be used by Azure NetApp Files. You can check the validity of the DNS SRV record by using the `nslookup` utility.

+A separate discovery process for AD DS LDAP servers occurs when LDAP is enabled for an Azure NetApp Files NFS volume. When the LDAP client is created on Azure NetApp Files, Azure NetApp Files queries the AD DS SRV record for a list of all AD DS LDAP servers in the domain and not the AD DS LDAP servers assigned to the AD DS site specified in the AD connection.

+Azure NetApp Files uses the AD DS Site to discover the domain controllers and subnets assigned to the AD DS Site defined in the AD Site Name. All domain controllers assigned to the AD DS Site must have good network connectivity from the Azure virtual network interfaces used by ANF and be reachable. AD DS domain controller VMs assigned to the AD DS Site used by Azure NetApp Files must be excluded from cost management policies that shut down VMs.

+You must update the AD DS Site configuration whenever new domain controllers are deployed into a subnet assigned to the AD DS site that is used by the Azure NetApp Files AD Connection. Ensure that the DNS SRV records for the site reflect any changes to the domain controllers assigned to the AD DS Site used by Azure NetApp Files. You can check the validity of the DNS SRV resource record by using the `nslookup` utility.

+> For scenarios that involve complex AD DS or complex network topologies, you should have a Microsoft Azure cloud solutions architect CSA review the Azure NetApp Files networking and AD Site design.

+In the Active Directory Sites and Services tool, verify that the AD DS domain controllers deployed into the AD DS subnet are assigned to the `ANF` site.

+If they aren't assigned, create the subnet object that maps to the AD DS subnet in the Azure virtual network. Right-click the **Subnets** container in the **Active Directory Sites and Services** utility and select **New Subnet...**. In the **New Object - Subnet** dialog, the 10.0.0.0/24 IP address range for the AD DS Subnet is entered in the **Prefix** field. Select `ANF` as the site object for the subnet. Select **OK** to create the subnet object and assign it to the `ANF` site.

+* [Understand DNS in Azure NetApp Files](domain-name-system-concept.md).

+| Capability name | DisableAutoscale |

+| SDK | Authentication option |

+|--|-|

+| Identity | Access Key or Microsoft Entra authentication |

+| SMS | Access Key or Microsoft Entra authentication |

+| Phone Numbers | Access Key or Microsoft Entra authentication |

+| Email | Access Key or Microsoft Entra authentication |

+| Advanced Messaging | Access Key or Microsoft Entra authentication |

+| Calling | User Access Token |

+| Chat | User Access Token |

+Incoming messages to the business are published as [Microsoft.Communication.AdvancedMessageReceived](/azure/event-grid/communication-services-advanced-messaging-events#microsoftcommunicationadvancedmessagereceived-event) Event Grid events. This quickstart uses the media ID and media MIME type in the AdvancedMessageReceived event to download the media payload.

+Here's an example of an AdvancedMessageReceived event with media content:

+```json

+[{

+ "id": "00000000-0000-0000-0000-000000000000",

+ "topic": "/subscriptions/{subscription-id}/resourcegroups/{resourcegroup-name}/providers/microsoft.communication/communicationservices/{communication-services-resource-name}",

+ "subject": "advancedMessage/sender/{sender@id}/recipient/11111111-1111-1111-1111-111111111111",

+ "data": {

+ "channelType": "whatsapp",

+ "media": {

+ "mimeType": "image/jpeg",

+ "id": "22222222-2222-2222-2222-222222222222"

+ },

+ "from": "{sender@id}",

+ "to": "11111111-1111-1111-1111-111111111111",

+ "receivedTimestamp": "2023-07-06T18:30:19+00:00"

+ },

+ "eventType": "Microsoft.Communication.AdvancedMessageReceived",

+ "dataVersion": "1.0",

+ "metadataVersion": "1",

+ "eventTime": "2023-07-06T18:30:22.1921716Z"

+}]

+```

+ "client_id": "aaaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"

+When using the Workload profiles environment, you need to update the VNET to delegate the subnet to `Microsoft.App/environments`. This delegation is not applicable to the Consumption-only environment.

+# [Bash](#tab/bash)

+```azurecli-interactive

+az network vnet subnet update \

+ --resource-group $RESOURCE_GROUP \

+ --vnet-name $VNET_NAME \

+ --name infrastructure-subnet \

+ --delegations Microsoft.App/environments

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+$delegation = New-AzDelegation -Name 'containerApp' -ServiceName 'Microsoft.App/environments'

+$vnet = Set-AzVirtualNetworkSubnetConfig -Name $SubnetArgs.Name -VirtualNetwork $vnet -AddressPrefix $SubnetArgs.AddressPrefix -Delegation $delegation

+$vnet | Set-AzVirtualNetwork

+```

+When using the Workload profiles environment, you need update the VNET to delegate the subnet to `Microsoft.App/environments`. This delegation is not applicable to the Consumption-only environment.

+# [Bash](#tab/bash)

+```azurecli-interactive

+az network vnet subnet update \

+ --resource-group $RESOURCE_GROUP \

+ --vnet-name $VNET_NAME \

+ --name infrastructure-subnet \

+ --delegations Microsoft.App/environments

+```

+# [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell-interactive

+$delegation = New-AzDelegation -Name 'containerApp' -ServiceName 'Microsoft.App/environments'

+$vnet = Set-AzVirtualNetworkSubnetConfig -Name $SubnetArgs.Name -VirtualNetwork $vnet -AddressPrefix $SubnetArgs.AddressPrefix -Delegation $delegation

+$vnet | Set-AzVirtualNetwork

+```

+Network-close deployment is one of the primary reasons for using a private container registry. Docker images have an efficient [layering construct](https://docs.docker.com/get-started/docker-concepts/building-images/understanding-image-layers/) that allows for incremental deployments. However, new nodes need to pull all layers required for a given image. This initial `docker pull` can quickly add up to multiple gigabytes. Having a private registry close to your deployment minimizes the network latency.

+1. Install Notation v1.2.0 on a Linux amd64 environment. Follow the [Notation installation guide](https://notaryproject.dev/docs/user-guides/installation/cli/) to download the package for other environments.

+ curl -Lo notation.tar.gz https://github.com/notaryproject/notation/releases/download/v1.2.0/notation_1.2.0_linux_amd64.tar.gz

+1. Install Notation v1.2.0 on a Linux amd64 environment. Follow the [Notation installation guide](https://notaryproject.dev/docs/user-guides/installation/cli/) to download the package for other environments.

+ curl -Lo notation.tar.gz https://github.com/notaryproject/notation/releases/download/v1.2.0/notation_1.2.0_linux_amd64.tar.gz

+description: Save costs with Microsoft Azure OpenAI Service Provisioned Reservations by committing to a reservation for your provisioned throughput units.

+When you purchase a reservation, the Azure OpenAI provisioned throughput usage that matches the reservation attributes is no longer charged at the hourly rates. For pricing information, see the [Azure OpenAI Service pricing](https://azure.microsoft.com/pricing/details/cognitive-services/openai-service/) page.

+## Reservation application

+## Renewal options

+## Prerequisites

+To buy an Azure OpenAI reservation, follow these steps:

+*Exchange isn't supported for Azure OpenAI Service Provisioned reservations*.

+You can cancel or refund reservations with certain limitations. For more information, see [Self-service exchanges and refunds for Azure Reservations](exchange-and-refund-azure-reservations.md).

+## Increase Azure OpenAI reservation capacity

+You can't change the size of a purchased reservation. If you want to increase your Azure OpenAI reservation capacity to cover more hourly PTUs, you can buy more Azure OpenAI Service Provisioned reservations.

+# customer intent: As a reservation purchaser, I want learn how to exchange or refund Azure reservations.

+Azure Reservations provide flexibility to help meet your evolving needs. Reservation products are interchangeable with each other if they're the same type of reservation. For example, you can exchange multiple compute reservations including Azure Dedicated Host, Azure VMware Solution, and Azure Virtual Machines with each other all at once. You can also exchange multiple SQL database reservation types including SQL Managed Instances and Elastic Pool with each other. However, you can't exchange dissimilar reservations. For example, you can't exchange an Azure Cosmos DB reservation for SQL Database.

+## Reservation exchange policy changes

+Not all reservations are eligible for exchange. For example, you can't exchange the following reservations:

+- Azure Databricks reserved capacity

+- Azure OpenAI provisioned throughput

+- Synapse Analytics Pre-purchase plan

+- Red Hat plans

+- SUSE Linux plans

+*Microsoft is not currently charging early termination fees for reservation refunds. We might charge the fees for refunds made in the future. We currently don't have a date for enabling the fee.*

+## Prerequisites

+**You must have owner or Reservation administrator access on the Reservation Order to exchange or refund an existing reservation**. You can [Add or change users who can manage a reservation](./manage-reserved-vm-instance.md#who-can-manage-a-reservation-by-default).

+## Related content

+description: Learn how to automatically renew Azure reservations to maintain reservation discounts, avoid manual renewals, and ensure continuous savings benefits.

+# customer intent: As a reservation purchaser, I want learn about renewing reservations so that I can decide to renew manually, automatically, or not at all.

+You can renew reservations to automatically purchase a replacement when an existing reservation expires. Automatic renewal provides an easy way to continue getting reservation discounts. It also saves you from having to closely monitor a reservation's expiration. With automatic renewal, you prevent savings benefits loss by not having to manually renew. *The renewal setting is turned on by default* when you make a purchase. You can manually turn off the renewal setting at the time of purchase. After purchase, you can enable or disable the renewal setting anytime, up to the expiration of the existing reservation. *When auto-renew is enabled, you have to manually turn it off to stop automatic renewal*.

+The renewal price is available 30 days before the expiry of existing reservation. When you enable renewal more than 30 days before the reservation expiration, you're sent an email detailing renewal costs 30 days before expiration. The reservation price might change between the time that you lock the renewal price and the renewal time. If so, your renewal will not be processed and you can purchase a new reservation in order to continue getting the benefit.

+Renewing a reservation creates a new reservation when the existing reservation expires. It doesn't extend the term of the existing reservation.

+## Related content

+This article outlines how to use the Copy Activity in an Azure Data Factory or Synapse Analytics pipeline to copy data from Azure Database for MariaDB. It builds on the [copy activity overview](copy-activity-overview.md) article that presents a general overview of copy activity.

+This article outlines how to use the Copy Activity in an Azure Data Factory or Synapse Analytics pipeline to copy data from Concur. It builds on the [copy activity overview](copy-activity-overview.md) article that presents a general overview of copy activity.

+- [Drill](connector-drill.md)

+- [Oracle Responsys (Preview)](connector-oracle-responsys.md)

+## Connectors that are deprecated

+> [!IMPORTANT]

+> This connector will be deprecated on **December 31, 2024**. You are recommended to migrate to [ODBC connector](connector-odbc.md) by installing a driver before that date.

+This article outlines how to use the Copy Activity in an Azure Data Factory or Synapse Analytics pipeline to copy data from HBase. It builds on the [copy activity overview](copy-activity-overview.md) article that presents a general overview of copy activity.

+This article outlines how to use the Copy Activity in an Azure Data Factory or Synapse Analytics pipeline to copy data from Magento. It builds on the [copy activity overview](copy-activity-overview.md) article that presents a general overview of copy activity.

+This article outlines how to use the Copy Activity in an Azure Data Factory or Synapse Analytics pipeline to copy data from Marketo. It builds on the [copy activity overview](copy-activity-overview.md) article that presents a general overview of copy activity.

+| clientId | The client ID of your Marketo service. | Yes |

+> This connector will be deprecated on **December 31, 2024**. You are recommended to migrate to [ODBC connector](connector-odbc.md) by installing a driver before that date.

+This article outlines how to use the Copy Activity in an Azure Data Factory or Synapse Analytics pipeline to copy data from Oracle Responsys. It builds on the [copy activity overview](copy-activity-overview.md) article that presents a general overview of copy activity.

+This article outlines how to use the Copy Activity in an Azure Data Factory or Synapse Analytics pipeline to copy data from PayPal. It builds on the [copy activity overview](copy-activity-overview.md) article that presents a general overview of copy activity.

+This article outlines how to use the Copy Activity in an Azure Data Factory or Synapse Analytics pipeline to copy data from Phoenix. It builds on the [copy activity overview](copy-activity-overview.md) article that presents a general overview of copy activity.

+> [!IMPORTANT]

+Data Migration Assistant (DMA) is deprecated. For more information, see the [DMA product documentation](/sql/dma/dma-overview).

+- PaaS services (multi-tenant), which includes Azure App Service Environment for Power Apps, Azure API Management in deployment modes other than APIM with virtual network integration, and Azure Virtual WAN aren't currently supported. For more information, see [Azure DDoS Protection APIM in VNET Integration](https://techcommunity.microsoft.com/t5/azure-network-security-blog/azure-ddos-standard-protection-now-supports-apim-in-vnet/ba-p/3641671)

+- Azure DDoS Protection service can protect a public load balancer with a public IP address prefix linked to its frontend. This is supported for DDoS Network Protection SKU.

+- DDoS telemetry for individual virtual machine instances in Virtual Machine Scale Sets is available with Flexible orchestration mode.

+ Title: Microsoft Intune conditional access policies for dev boxes

+In this article, you learn how to configure conditional access policies in Microsoft Intune to control access to dev boxes. For Dev Box, it's common to configure conditional access policies to restrict who can access dev box, what they can do, and where they can access from. To configure conditional access policies, you can use Microsoft Intune to create dynamic device groups and conditional access policies.

+Conditional access is the protection of regulated content in a system by requiring certain criteria to be met before granting access to the content. Conditional access policies at their simplest are if-then statements. If a user wants to access a resource, then they must complete an action. Conditional access policies are a powerful tool for being able to keep your organization's devices secure and environments compliant.

+1. Under **Users**, select **All users**.

+

+1. Under **Devices**, select the device group you created in the previous section.

+ Address: 203.0.113.10

+ Address: 203.0.113.10

+ExpressRoute virtual network gateway is designed to exchange network routes and route network traffic. FastPath is designed to improve the data path performance between your on-premises network and your virtual network. When enabled, FastPath sends network traffic directly to virtual machines in the virtual network, bypassing the expressroute virtual network gateway.

+FastPath is available on all ExpressRoute circuits. Support for virtual network peering and UDR over FastPath is now generally available in all regions within the public cloud and only for connections associated to ExpressRoute Direct circuits. Limited general availability (GA) support for Private Endpoint/Private Link connectivity is only available for connections associated to ExpressRoute Direct circuits and within limited regions & for limited services behind a private endpoint.

+FastPath still requires an expressroute virtual network gateway to be created to exchange routes between a virtual network and an on-premises network. For more information about virtual network gateways and ExpressRoute, including performance information, and gateway SKUs, see [ExpressRoute virtual network gateways](expressroute-about-virtual-network-gateways.md).

+To configure FastPath, the expressroute virtual network gateway must be either of these two SKUs:

+Note: If your desired region is not yet supported, you can deploy ExpressRoute Traffic Collector to another region in the same geo-political region as your ExpressRoute Circuit.

+ Title: Use Azure Policy to help secure your Azure Firewall deployments

+description: You can use Azure Policy to help secure your Azure Firewall deployments.

+# Use Azure Policy to help secure your Azure Firewall deployments

+Azure Policy is a service in Azure that allows you to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy does this by evaluating your resources for noncompliance with assigned policies. For example, you can have a policy to allow only a certain size of virtual machines in your environment or to enforce a specific tag on resources.

+Azure Policy can be used to govern Azure Firewall configurations by applying policies that define what configurations are allowed or disallowed. This helps ensure that the firewall settings are consistent with organizational compliance requirements and security best practices.

+## Prerequisites

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+## Policies available for Azure Firewall

+The following policies are available for Azure Firewall:

+- **Enable Threat Intelligence in Azure Firewall Policy**

+ This policy makes sure that any Azure Firewall configuration without threat intel enabled is marked as noncompliant.

+- **Deploy Azure Firewall across Multiple Availability Zones**

+ The policy restricts Azure Firewall deployment to be only allowed with Multiple Availability Zone configuration.

+- **Upgrade Azure Firewall Standard to Premium**

+ This policy recommends upgrading Azure Firewall Standard to Premium so that all the Premium version advanced firewall features can be used. This further enhances the security of the network.

+- **Azure Firewall Policy Analytics should be enabled**

+ This policy ensures that the Policy Analytics is enabled on the firewall to effectively tune and optimize firewall rules.

+- **Azure Firewall should only allow Encrypted Traffic**

+

+ This policy analyses existing rules and ports in Azure firewall policy and audits firewall policy to make sure that only encrypted traffic is allowed into the environment.

+- **Azure Firewall should have DNS Proxy Enabled**

+

+ This Policy Ensures that DNS proxy feature is enabled on Azure Firewall deployments.

+- **Enable IDPS in Azure Firewall Premium Policy**

+

+ This policy ensures that the IDPS feature is enabled on Azure Firewall deployments to effectively protect the environment from various threats and vulnerabilities.

+- **Enable TLS inspection on Azure Firewall Policy**

+

+ This policy mandates that TLS inspection is enabled to detect, alert, and mitigate malicious activity in HTTPS traffic.

+- **Migrate from Azure Firewall Classic Rules to Firewall Policy**

+

+ This policy recommends migrating from Firewall Classic Rules to Firewall Policy.

+- **VNET with specific tag must have Azure Firewall Deployed**

+

+ This policy finds all virtual networks with a specified tag and checks if there's an Azure Firewall deployed, and flags it as noncompliant if no Azure Firewall exists.

+The following steps show how you can create an Azure Policy that enforces all Firewall Policies to have the Threat Intelligence feature enabled (either **Alert Only**, or **Alert and deny**). The Azure Policy scope is set to the resource group that you create.

+## Create a resource group

+This resource group is set as the scope for the Azure Policy, and is where you create the Firewall Policy.

+1. From the Azure portal, select **Create a resource**.

+1. In the search box, type **resource group** and press Enter.

+1. Select **Resource group** from the search results.

+1. Select **Create**.

+1. Select your subscription.

+1. Type a name for your resource group.

+1. Select a region.

+1. Select **Next : Tags**.

+1. Select **Next : Review + create**.

+1. Select **Create**.

+## Create an Azure Policy

+Now create an Azure Policy in your new resource group. This policy ensures that any firewall policies must have Threat Intelligence enabled.

+1. From the Azure portal, select **All services**.

+1. In the filter box, type **policy** and press Enter.

+1. Select **Policy** in the search results.

+1. On the Policy page, select **Getting started**.

+1. Under **Assign policies**, select **View definitions**.

+1. On the Definitions page, type **firewall**, in the search box.

+1. Select **Azure Firewall Policy should enable Threat Intelligence**.

+1. Select **Assign policy**.

+1. For **Scope**, select you subscription and your new resource group.

+1. Select **Select**.

+1. Select **Next**.

+1. On the **Parameters** page, clear the **Only show parameters that need input or review** check box.

+1. For **Effect**, select **Deny**.

+1. Select **Review + create**.

+1. Select **Create**.

+## Create a Firewall Policy

+Now you attempt to create a Firewall Policy with Threat Intelligence disabled.

+1. From the Azure portal, select **Create a resource**.

+1. In the search box, type **firewall policy** and press Enter.

+1. Select **Firewall Policy** in the search results.

+1. Select **Create**.

+1. Select your subscription.

+1. For **Resource group**, select the resource group that you created previously.

+1. In the **Name** text box, type a name for your policy.

+1. Select **Next : DNS Settings**.

+1. Continue selecting through to the **Threat intelligence** page.

+1. For **Threat intelligence mode**, select **Disabled**.

+1. Select **Review + create**.

+You should see an error that says your resource was disallowed by policy, confirming that your Azure Policy doesn't allow firewall policies that have Threat Intelligence disabled.

+## Related content

+- [What is Azure Policy?](../governance/policy/overview.md)

+- [Govern your Azure Firewall configuration with Azure Policies](https://techcommunity.microsoft.com/t5/azure-network-security-blog/govern-your-azure-firewall-configuration-with-azure-policies/ba-p/4189902)

+**Why does the Job failure in between?

+ |Cluster Pool|This field is autopopulated and shows the cluster pool name on which the cluster is now getting created. To create a cluster in a different pool, find that cluster pool in the portal and click **+ New cluster**.|

+- **Savepoint:** Rest APIs to trigger savepoint for job.

+# Deploy the DICOM service with Blob storage by using the Azure portal

+2. Select **Deploy DICOM service**.

+3. Select **Add DICOM service**.

+4. Enter a name for the DICOM service.

+ - Select Blob Storage (legacy) for the storage location.

+ - (Optional) Select **Enable data partitions** when you deploy a new DICOM service. After data partitioning is turned on, it can't be turned off. In addition, data partitions can't be turned on for any DICOM service that is already deployed. For more information, see [Enable data partitioning](data-partitions.md).

+ - After the data partitions setting is turned on, the capability modifies the API surface of the DICOM server and makes any previous data accessible under the `Microsoft.Default` partition. Select **Review + create**.

+

+5. (Optional) Select **Next: Tags**.

+6. When you notice the green validation check mark, select **Create** to deploy the DICOM service.

+7. After the deployment process is finished, select **Go to resource**.

+Autoscaling is a capability to dynamically scale FHIR service based on the load reported. The FHIR service in Azure Health Data Services provides the built-in autoscaling capability, which is automated. This capability provides elasticity and enables on demand provisioning of more instances for FHIR service customers.

+> The autoscaling feature is subject to the resources availability in Azure regions.

+Scaling triggers describes when scaling of the service is performed. Conditions defined in the trigger are checked periodically to determine if a service should be scaled or not. Only the following triggers are currently supported: Average CPU, Max Worker Thread, Average LogWrite, Average data IO.

+We recommend that you gradually increase the request rate to see if it reduces HTTP 429 errors. For consistent 429 errors, create a support ticket through the Azure portal. The support team will engage with you to understand your scaling trigger needs.

+When you're working with healthcare data, it's important to ensure that the data is secure, and can't be accessed by unauthorized users or applications. FHIR servers use [OAuth 2.0](https://oauth.net/2/) to ensure this data security. FHIR service in the Azure Health Data Services is secured using [Microsoft Entra ID](../../active-directory/index.yml), which is an example of an OAuth 2.0 identity provider. This article provides an overview of FHIR server authorization and the steps needed to obtain a token to access a FHIR server. While these steps apply to any FHIR server and any identity provider, we walk through the FHIR service and Microsoft Entra ID as our identity provider in this article.

+In order for a client application to access the FHIR service, it must present an access token. The access token is a signed, [Base64](https://en.wikipedia.org/wiki/Base64) encoded collection of properties (claims) that convey information about the client's identity, roles, and privileges granted.

+The FHIR service doesn't care how the token is obtained, as long as it's an appropriately signed token with the correct claims.

+Using [authorization code flow](../../active-directory/develop/v2-oauth2-auth-code-flow.md) as an example, accessing a FHIR server goes through the following four steps.

+1. The client sends a request to the `/authorize` endpoint of Microsoft Entra ID. Microsoft Entra ID will redirect the client to a sign-in page where the user authenticates using appropriate credentials (for example username and password, or two-factor authentication). Select the link for details on [obtaining an authorization code](../../active-directory/develop/v2-oauth2-auth-code-flow.md#request-an-authorization-code). Upon successful authentication, an *authorization code* is returned to the client. Microsoft Entra ID will only allow this authorization code to be returned to a registered reply URL configured in the client application registration (following).

+1. The client application exchanges the authorization code for an *access token* at the `/token` endpoint of Microsoft Entra ID. When requesting a token, the client application may have to provide a client secret (the applications password). Select the link for details on [obtaining an access token](../../active-directory/develop/v2-oauth2-auth-code-flow.md#redeem-a-code-for-an-access-token).

+1. The FHIR service validates that the token contains appropriate claims (properties in the token). If everything checks out, it completes the request and returns a FHIR bundle with results to the client.

+It's important to note that the FHIR service isn't involved in validating user credentials and it doesn't issue the token. The authentication and token creation is done by Microsoft Entra ID. The FHIR service simply validates that the token is signed correctly (is authentic) and that it has appropriate claims.

+Development of FHIR applications often involves debugging access issues. If a client is denied access to the FHIR service, it's useful to understand the structure of the access token and how it can be decoded to inspect the contents (claims) of the token.

+**Part 3**: A signature, which is calculated by concatenating the Base64 encoded contents of the header and the payload and calculating a cryptographic hash of them based on the algorithm (`alg`) specified in the header. A server is able to obtain public keys from the identity provider, validate that the token was issued by a specific identity provider, and hasn't been tampered with.

+Here's an example token:

+As previously mentioned, there are several ways to obtain a token from Microsoft Entra ID. They're described in detail in the [Microsoft Entra developer documentation](../../active-directory/develop/index.yml).

+There are other variations for obtaining a token (for example, on behalf of flow). Check the Microsoft Entra documentation for details. When using the FHIR service, there are also shortcuts to obtaining an access token for debugging purposes [using the Azure CLI](get-healthcare-apis-access-token-cli.md).

+1. Create a new resource group (or use an existing one) by skipping the "create resource group" step, or commenting out the line starting with `New-AzResourceGroup`.

+1. Create a new resource group (or use an existing one) by skipping the "create reource group" step or commenting out the line starting with `az group create`.

+The `fhirUser` custom user attribute is used to link a B2C user with a user resource in the FHIR service. In this example, a user named **Test Patient1** is created in the B2C tenant. In a later step a [patient](https://www.hl7.org/fhir/patient.html) resource is created in the FHIR service. The **Test Patient1** user is linked to the patient resource by setting the `fhirUser` attribute value to the patient resource identifier. For more information about custom user attributes, see [User flow custom attributes in Azure Active Directory B2C](/azure/active-directory-b2c/user-flow-custom-attributes?pivots=b2c-user-flow).

+User flows define the sequence of steps users must follow to sign in. In this example, a user flow is defined so that when a user signs in and the access token provided includes the `fhirUser` claim. For more information, see [Create user flows and custom policies in Azure Active Directory B2C](../../active-directory-b2c/tutorial-create-user-flows.md).

+1. Give the user flow a name unique to the B2C tenant. The name doesn't have to be globally unique. In this example, the name of the user flow is **USER_FLOW_1**. Make note of the name.

+1. In the **Redirect URI (recommended)** drop-down list, select ***Public client/native (mobile & desktop)**. Populate the value with the [Postman](https://www.postman.com) callback URI [https://oauth.pstmn.io/v1/callback](#create-a-new-b2c-resource-application). This callback URI is for testing purposes.

+ If you add a permission to the list, any user in the B2C tenant can obtain an access token with the API permission. If a level of access isn't appropriate for a user within the B2C tenant, don't add it to the array because there isn't a way to limit permissions to a subset of users.

+1. Create a new resource group (or use an existing one) by skipping the "create resource group" step, or commenting out the line starting with `New-AzResourceGroup`.

+1. Create a new resource group (or use an existing one) by skipping the "create resource group" step, or commenting out the line starting with `az group create`.

+When you follow the steps in the [Get the FHIR resource](use-postman.md#get-the-fhir-resource) section, the request returns an empty response because the FHIR service is new and doesn't have any patient resources.

+It's important to note that users in the B2C tenant aren't able to read any resources until the user (such as a patient or practitioner) is linked to a FHIR resource. A user with the `FhirDataWriter` or `FhirDataContributor` role in the Microsoft Entra ID where the FHIR service is tenanted must perform this step.

+Create an explicit link between the test user in the B2C tenant and the resource in the FHIR service. Create the link by using Extension Attributes in Microsoft Graph. For more information, see [Define custom attributes in Azure Active Directory B2C](../../active-directory-b2c/user-flow-custom-attributes.md).

+1. Scroll to the **Configure New Token** section and enter the following values.

+&scope={{fhirurl}}/.default

+|Changes in private link configuration at the workspace level don't propagate to the child services.|September 4,2024 9:00 am PST| To fix this issue a service reprovisioning is required. To reprovision the service, reach out to FHIR service team|--|

+|Customers accessing the FHIR Service via a private endpoint are experiencing difficulties, specifically receiving a 403 error when making API calls from within the vNet. This problem affects FHIR instances provisioned after August 19th that utilize private link.|August 22,2024 11:00 am PST|-- | September 3.2024 9:00 am PST|

+ 1. In the certificate manager, you must see the entry for **Microsoft Root Certificate Authority 2011** and **Microsoft Code Signing PCA 2011**.

+ :::image type="content" source="./media/common-questions-appliance/certificate-1.png" alt-text="Screenshot of certificate 1." lightbox="./media/common-questions-appliance/certificate-1.png":::

+ a. Validate that the connection state is Approved.

+ b. If the connection is in a Pending state, you need to get it approved.

+ c. You might also navigate to the private endpoint resource and review if the virtual network matches the Migrate project private endpoint virtual network.

+To validate the private link connection, perform a DNS resolution of the Azure Migrate resource endpoints (private link resource FQDNs) from the on-premises server hosting the Migrate appliance and ensure that it resolves to a private IP address.

+1. The private endpoint details and private link resource FQDNs' information is available in the Discovery and Assessment and Migration and modernization properties pages. Select **Download DNS settings** to view the list. Note, only the private endpoints that were automatically created by Azure Migrate are listed below.

+ [](./media/how-to-use-azure-migrate-with-private-endpoints/azure-migrate-server-migration-properties.png#lightbox)

+2. If you have created a private endpoint for the storage account(s) for replicating over a private network, you can obtain the private link FQDN and IP address as illustrated below.

+ - Go to the **Storage account** > **Networking** > **Private endpoint connections** and select the private endpoint created.

+ - Go to **Settings** > **DNS configuration** to obtain the storage account FQDN and private IP address.

+- Enter ```nslookup <storage-account-name>_.blob.core.windows.net.``` Replace ```<storage-account-name>``` with the name of the storage account used for Azure Migrate.

+- A private IP address of 10.1.0.5 is returned for the storage account. This address belongs to the private endpoint virtual network subnet.

+You can verify the DNS resolution for other Azure Migrate artifacts using a similar approach.

+> For testing, you can manually update your source environment DNS records by editing the DNS hosts file on your on-premises appliance with the private link resource FQDNs and their associated private IP addresses.

+## Validate the Private DNS Zone

+By default, Azure Migrate also creates a private DNS zone corresponding to the _privatelink_ subdomain for each resource type. The private DNS zone is created in the same Azure resource group as the private endpoint resource group. The Azure resource group should contain private DNS zone resources with the following format:

+- privatelink.vaultcore.azure.net for the key vault

+- privatelink.blob.core.windows.net for the storage account

+- privatelink.siterecovery.windowsazure.com for the recovery services vault (for Hyper-V and agent-based replications)

+- privatelink.prod.migration.windowsazure.com - migrate project, assessment project, and discovery site.

+The private DNS zone should be linked to the virtual network that contains the private endpoint for the DNS query to resolve the private IP address of the resource endpoint. If the private DNS zone isn't linked to the correct Virtual Network, any DNS resolution from that virtual network will ignore the private DNS zone.

+This shows a list of links, each with the name of a virtual network in your subscription. The virtual network that contains the Private Endpoint resource must be listed here. Else, [follow this article](../dns/private-dns-getstarted-portal.md#link-the-virtual-network) to link the private DNS zone to a virtual network.

+Once the private DNS zone is linked to the virtual network, DNS requests originating from the virtual network looks for DNS records in the private DNS zone. This is required for correct address resolution to the virtual network where the private endpoint was created.

+Go to the private DNS zone you want to troubleshoot. The Overview page shows all DNS records for that private DNS zone. Verify that a DNS A record exists for the resource. The value of the A record (the IP address) must be the resourcesΓÇÖ private IP address. If you find the A record with the wrong IP address, you must remove the wrong IP address and add a new one. It's recommended that you remove the entire A record and add a new one, and do a DNS flush on the on-premises source appliance.

+ 

+- Firewall settings, either the Azure Firewall connected to the Virtual network or a custom firewall solution deploying in the appliance machine.

+- Network peering, which might impact which DNS servers are used and how traffic is routed.

+- Custom gateway (NAT) solutions might impact how traffic is routed, including traffic from DNS queries.

+#### Possible causes

+#### Remediation

+- [Learn more](./migrate-appliance.md#appliancevmware) about the required Azure roles and permissions.

+- Ensure that the appliance is either hosted in the same virtual network or is connected to the target Azure virtual network (where the Key Vault private endpoint has been created) over a private link. The Key Vault private endpoint is created in the virtual network selected during the project creation experience. You can verify the virtual network details in the **Azure Migrate > Properties** page.

+- Ensure that the appliance has network connectivity to the Key Vault over a private link. To validate the private link connectivity, perform a DNS resolution of the Key Vault resource endpoint from the on-premises server hosting the appliance and ensure that it resolves to a private IP address.

+- Go to **Azure Migrate: Discovery and assessment> Properties** to find the details of private endpoints for resources like the Key Vault created during the key generation step.

+- Select **Download DNS settings** to download the DNS mappings.

+ 

+- Open the command line and run the following nslookup command to verify network connectivity to the Key Vault URL mentioned in the DNS settings file.

+1. If you use a custom DNS server, review your custom DNS settings, and validate that the DNS configuration is correct. For guidance, see

+### Validate private endpoint network connectivity

+You can use the Test-NetConnection command in PowerShell to check if the port is reachable from the appliance to the private endpoint. Ensure that you can resolve the Storage Account and the Key Vault for the Azure migrate project using the private IP address.

+#### Possible causes

+#### Remediation

+- Ensure that the appliance is either hosted in the same virtual network or is connected to the target Azure virtual network (where the private endpoints have been created) over a private link. Private endpoints for the Azure Migrate services are created in the virtual network selected during the project creation experience. You can verify the virtual network details in the **Azure Migrate > Properties** page.

+

+- Ensure that the appliance has network connectivity to the service endpoint URLs and other URLs, mentioned in the error message, over a private link connection. To validate private link connectivity, perform a DNS resolution of the URLs from the on-premises server hosting the appliance and ensure that it resolves to private IP addresses.

+- Go to **Azure Migrate: Discovery and assessment> Properties** to find the details of private endpoints for the service endpoints created during the key generation step.

+ 

+|*.windows.net <br/>*.msftauth.net <br/> *.msauth.net <br/>*.microsoft.com <br/> *.live.com <br/>*.office.com <br/> *.microsoftonline.com <br/>*.microsoftonline-p.com <br/> | Used for access control and identity management by Microsoft Entra ID

+|aka.ms/* (optional) | Allow access to _also know as_ links; used to download and install the latest updates for appliance services

+|download.microsoft.com/download | Allow downloads from Microsoft download center

+- Open the command line and run the following nslookup command to verify privatelink connectivity to the URLs listed in the DNS settings file. Repeat this step for all URLs in the DNS settings file.

+### Import/export request fails with the error "403: This request is not authorized to perform this operation"

+The export/import/download report request fails with the error _"403: This request is not authorized to perform this operation"_ for projects with private endpoint connectivity.

+#### Possible causes

+This error might occur if the export/import/download request was not initiated from an authorized network. This can happen if the import/export/download request was initiated from a client that is not connected to the Azure Migrate service (Azure virtual network) over a private network.

+**Option 1** _(recommended)_:

+To resolve this error, retry the import/export/download operation from a client residing in a virtual network that is connected to Azure over a private link. You can open the Azure portal in your on-premises network or your appliance VM and retry the operation.

+1. **Locate the storage account**: The storage account name is available on the Azure Migrate: Discovery and Assessment properties page. The storage account name will have the suffix _usa_.

+2. Navigate to the storage account and edit the storage account networking properties to allow access from all/other networks.

+#### Possible causes

+> This error is only applicable for agentless VMware VM migrations.

+#### Remediation

+ To do so, launch the appliance configuration manager from your appliance server and select **View appliance services** from the **Setup prerequisites** panel. The appliance and its components are automatically updated. If not, follow the instructions to update the appliance services manually.

+#### Possible causes

+#### Remediation

+The private endpoint details and private link resource FQDN information are available in the Discovery and Assessment and Migration and modernization properties pages. Select **Download DNS settings** on both the properties pages to view the full list.

+# Chambers in the Azure Modeling and Simulation Workbench

+In the Azure Modeling and Simulation Workbench, chambers are a security boundary for a group virtual machines (VM) (nodes) and share common users. A chamber provides a full-featured and secure environment for users to run engineering applications and workloads together in isolation. Chamber VMs are all on the same subnet and have no internet access.

+## Key features

+* Chambers offer optimized infrastructure, allowing users to choose from varied VM sizes, storage options, and compute resources to constitute workloads.

+* Chambers enable a preconfigured, isolated environment for license server access and full-featured workload tools.

+* Chambers are encapsulated in the [Workbench](./concept-workbench.md) resource.

+Only provisioned users can access the chamber environment. User provisioning is done at the chamber level using Azure's [Identity Access Management](/azure/role-based-access-control/role-assignments-portal). This enables cross-team and/or cross-organization collaboration on the same projects through chambers. Multifactor authentication (MFA) enabled through Microsoft Entra ID is recommended to enhance your organization's security.

+Users can resize and tailor the chambers to support storage requirement needs throughout the design process. Chamber users can also allocate chamber VMs on demand, select the right-sized VM/CPU for the task/job at hand, and decommission the workload when the job is done to save costs.

+### Cost optimization

+Administrators can optimize their resource consumption without necessarily destroying resources or moving data by:

+* [Managing](./how-to-guide-chamber-vm.md) the size and number of virtual machines.

+* [Idling](./how-to-guide-chamber-idle.md) unused chambers to reduce cost without deleting VMs or storage.

+* [Managing](./how-to-guide-manage-chamber-storage.md) the size and performance tier of chamber storages.

+## Next steps

+> [!div class="nextstepaction"]

+> [Create a chamber VM](./how-to-guide-chamber.md)

+ Title: "Connectors: Azure Modeling and Simulation Workbench"

+description: Connector implementation in Azure Modeling and Simulation Workbench.

+#Customer intent: As a Modeling and Simulation Workbench user, I want to understand the component.

+# Connectors in Azure Modeling and Simulation Workbench

+Connectors define the network access method between users and the Azure Modeling and Simulation Workbench chamber. Connectors support connectivity through allowlisted public IPs, VPN, or Azure ExpressRoute. A chamber can have only one connector configured at a time. Connectors also configure copy-paste functionality into chamber VMs. Connector types are immutable and once created can't be changed to another access model. Connectors are part of the Idle mode setting to reduce cost.

+## Public IP access via allowlist

+The Workbench can be built to allow users to connect directly from the internet, allowing flexible, open access. When a Public IP Connection is built, connections are permitted using an allowlist. The allowlist uses CIDR (Classless Interdomain Routing) notation to conveniently manage access from large network ranges, such as conference centers or corporate exit nodes. Only IPs listed in the allowlist are able to make connections to its associated chamber.

+## Private Azure networking

+A connector can be created for private network access from Azure virtual networks. This method is best suited where a private or controlled connection is required. Azure ExpressRoutes provide a dedicated connection from an on-premises infrastructure to an Azure data center and can be peered to the Workbench. With a VPN gateway, the Workbench can use a private network with extra encryption layers.

+### VPN

+A VPN connector can be created which deploys infrastructure specifically for VPN access. The VPN connector is required if the chamber is accessed through a point-to-site or site-to-site VPN.

+### Azure ExpressRoute

+[Azure ExpressRoute](/azure/expressroute/expressroute-introduction) provides secure, dedicated, encrypted connectivity from on-premises to an Azure landing zone. A Workbench Owner must create a connector expressly for ExpressRoute, providing the necessary virtual network, supporting network infrastructure, and peer the appropriate vnets.

+## Next step

+> [!div class="nextstepaction"]

+> [Create a connector](./how-to-guide-set-up-networking.md)

+Users with access to the chamber can bring data into the chamber via AzCopy and an expiring SAS URI token they get from the chamber component. They then use AzCopy to move data into the data pipeline endpoint. The chamber recognizes the data pipeline request and moves the file into the chamber. For traceability purposes, when a file is moved into the chamber, the data pipeline automatically creates a file object in the chamber that represents the file data.

+1. **Identify file to export.** The export process is triggered when a user places a file to export into a designated area within the chamber. A chamber Admin or chamber User copies the file to the data out folder within the pipeline. The data pipeline detects the copied file and creates a file object. The file creation activity is traceable in the logs and enables the next step of the data pipeline.

+1. **Request file to export.** A Chamber Admin reviews the files staged in the data pipeline and requests to export. The pipeline manager creates a file request object. The export request activity is traceable in the logs and enables the next step of the data pipeline.

+1. **Approve/reject export request.** The Workbench Owner either approves or rejects the export file request. Only a Workbench Owner can approve or reject requests. The individual who approves or denies can't be the same person who initially requested the export.

+1. **Download file.** If a file is approved for export, the user gets a download URI from the file request object and copies it out of the chamber using AzCopy. The URI has an expiration timestamp and must be downloaded before it expires. If the URI expires, you need to request a new download URI.

+ > [!NOTE]

+ > Larger files take longer to be available to download after being approved and to download using AzCopy. Check the expiration on the download URI and request a new one if the window has expired.

+## Next steps

+- [License service](./concept-license-service.md)

+A license service automates the installation of a license manager to help customers accelerate their engineering design. A license service is integrated into Azure Modeling and Simulation Workbench.

+For each deployed chamber within the workbench, we set up a license server and expose the FLEXlm HostID's to procure licenses. Users then request tool licenses referencing the specific HostID. Once the license file is received from the tool vendor, users import it to the chamber license server to enable the license service.

+For semiconductor Electronic Design Automation (EDA), our service automation deploys license servers for each of the four common software vendors (Synopsys, Cadence, Siemens, and Ansys) as part of resource creation to enable multi-vendor flows. The workbench also supports license service beyond these common EDA tool vendors with some manual configuration.

+This flow is extendible and can also include other software vendors across industry verticals.

+- Learn more about the benefits and key features of using [shared storage](./shared-storage.md).

+ Title: "Storage: Azure Modeling and Simulation Workbench"

+description: Types of storage offered in Modeling and Simulation Workbench.

+#CustomerIntent: As a Workbench user, I want to understand the types of storage available in the Azure Modeling and Simulation Workbench.

+# Storage and access in Azure Modeling and Simulation Workbench

+The Modeling and Simulation Workbench offers several tiers of storage classes. There are important differences in capacity and performance that make some volumes more suitable for certain situations.

+## Local storage on VMs

+Depending on the [Virtual Machine (VM) selected](./concept-vm-offerings.md), local temporary storage might not be available. Modeling and Simulation Workbench doesn't have controls for specifying data and OS disks as in conventional Azure VMs. Since VMs are frequently created and deleted, Microsoft recommends that users install applications and workspaces to the chamber or shared storage volume to improve reliability. Chamber and shared storages are high-performance and high-reliability volumes based on Azure NetApp Files.

+## Chamber-tier storage

+Chamber-accessible storage is accessible across the entire chamber, its VMs, and users. Chamber-tier storage has three classes: user home directories, data pipeline mount points, and chamber storage.

+### User home directories

+The conventional Linux `/home` directory is mounted at `/mount/sharedhome`. The `/mount/sharedhome` is a single volume accessible across all chamber VMs and isn't accessible outside the chamber. This volume isn't high-performance and users are discouraged from attempting to install large files or operate intense workloads there. This directory is intended for user resource (rc), configuration, and small private directories.

+### Data pipeline mount points

+The data pipeline file structure has two directories: `/mount/datapipeline/datain` where imported data is staged and `/mount/datapipeline/dataout` where file exports are staged for file requests. This volume is large to accommodate large file imports and exports but files shouldn't be stored here long term. This mount is only for data import and export operations and isn't high-performance.

+### Chamber Storage

+Chamber Storage is the high-performance, high-capacity storage solution for use within chambers. Based on Azure NetApp Files, it's available in two high-performance tiers, and dynamically scalable after creation. Chamber Storage can be accessed at `/mount/chamberstorages` where a different directory exists for each created volume. Volumes are sizable in 4 TB increments up to the user's subscription quota.

+> [!TIP]

+> Users are encouraged to place all working directories and point all application runs at a chamber storage volume for increased performance and data reliablity.

+## Workbench tier shared storage

+Shared storage is accessible across select chambers in a Workbench. With each shared storage volume, you specify which chambers have access to the volume. Shared storage volumes appear under the `/mount/sharedstorage` mount point in every VM in the chamber to which access was granted.

+To enable secure cross team and/or cross-enterprise collaboration, a shared storage resource allows for selective data sharing between chambers. Shared storage is built on Azure NetApp Files storage volumes and is available to deploy in multiples of 4 TB. Workbench owners can create multiple shared storage instances on demand and dynamically link them to existing chambers to facilitate collaboration.

+Users who are provisioned to a specific chamber can access all shared storage volumes linked to that chamber. Once users get deprovisioned from a chamber or that chamber gets deleted, they lose access to any linked shared storage volumes.

+## Key features of shared storage

+**Performance**: Shared storage is based on Azure NetApp Files and is ideal for complex engineering or scientific workloads such as simulations.

+**Scalability**: Users can adjust the storage capacity and performance tier according to their needs, just like chamber private storage.

+**Management**: Workbench Owners can manage storage capacity, resize storage, and change performance tiers through the Azure portal.

+> [!IMPORTANT]

+> All members of a chamber have access to a shared storage resource once that chamber has been granted access to the storage volume. Do not place any data in shared storage that you do not wish to share with all members of that chamber. Create a separate chamber for select users if access needs to be restricted.

+## Resources

+* [Create chamber storage](./how-to-guide-manage-chamber-storage.md)

+* [Create shared storage](./how-to-guide-manage-shared-storage.md)

+* [About chamber VM offerings and local storage](./concept-vm-offerings.md)

+ Title: "VM offerings: Azure Modeling and Simulation Workbench"

+description: VM offerings available in the Azure Modeling and Simulation Workbench.

+#CustomerIntent: As a Workbench User, I want to understand what VMs are offered on the Azure Modeling and Simulation Workbench so that I can pick the right VM for my needs.

+# VM Offerings in Azure Modeling and Simulation Workbench

+Azure Modeling and Simulation Workbench offers a select set of virtual machines (VM) optimized for large, complex modeling and simulation workloads, semiconductor design, and other scientific or industrial workloads.

+This article provides an overview of the Azure VM families that are available in Modeling and Simulation Workbench. A summary of the series, common and optimal workloads, and additional information can help you choose the best VM for your scenario.

+## Quotas

+VM quotas in Modeling and Simulation Workbench are handled differently than in traditional Azure VM offerings. Modeling and Simulation Workbench operates in a Microsoft managed environment, therefore VM quotas aren't directly associated with the owner's Azure subscription. Quota requests should be sent through your Microsoft account manager.

+## General purpose

+General purpose VM sizes provide balanced CPU-to-memory ratio. Ideal for testing and development, small to medium databases, and low to medium traffic web servers. They make ideal management VMs for managing chambers, Facilitating file imports or exports, compiling applications, or installing applications to shared storage.

+### Dv4-series

+The 'D' family of VM sizes are one of Azure's general purpose VM sizes. They're designed for a range of demanding workloads, such as enterprise applications, web and application servers, development and test environments, and batch processing tasks. They're favored for running enterprise-grade applications, supporting moderate to high-traffic web servers, and performing data-intensive batch processing.

+The Dv4 run on Intel® Xeon® Platinum 8473C (Sapphire Rapids), Intel® Xeon® Platinum 8370C (Ice Lake), or Intel® Xeon® Platinum 8272CL (Cascade Lake) processors in a hyper-threaded configuration, providing a better value proposition for most general-purpose workloads. Dv4 series don't have local storage.

+[View the Dv4 family page](/azure/virtual-machines/sizes/general-purpose/dv4-series)

+| Size Name | vCPUs (Qty.) | Memory (GB) | Max Bandwidth (Mbps) |

+|--|--|-|-|

+| Standard_D2_v4 | 2 | 8 | 5000 |

+| Standard_D4_v4 | 4 | 16 | 10000 |

+| Standard_D8_v4 | 8 | 32 | 12500 |

+| Standard_D16_v4 | 16 | 64 | 12500 |

+| Standard_D32_v4 | 32 | 128 | 16000 |

+| Standard_D48_v4 | 48 | 192 | 24000 |

+| Standard_D64_v4 | 64 | 256 | 30000 |

+## Compute optimized

+Compute optimized VM sizes have a high CPU-to-memory ratio. These sizes are good for medium traffic web servers, network appliances, batch processes, and application servers.

+### Fsv2-series

+The Fsv2-series run on the 3rd Generation Intel® Xeon® Platinum 8370C (Ice Lake), the Intel® Xeon® Platinum 8272CL (Cascade Lake) processors, or the Intel® Xeon® Platinum 8168 (Skylake) processors. It features a sustained all core Turbo clock speed of 3.4 GHz and a maximum single-core turbo frequency of 3.7 GHz. Intel® AVX-512 instructions are new on Intel Scalable Processors. These instructions provide up to a 2X performance boost to vector processing workloads on both single and double precision floating point operations. Fsv2-series VMs feature Intel® Hyper-Threading Technology.

+Fsv2-series have fixed-sized local storage.

+[View the Fsv2 family page](/azure/virtual-machines/sizes/compute-optimized/fsv2-series)

+| Size | vCPUs | Memory: GiB | Temp storage (SSD) GiB | Expected network bandwidth (Mbps) |

+||||||

+| Standard_F16s_v2 | 16 | 32 | 128 | 12500 |

+| Standard_F32s_v2 | 32 | 64 | 256 | 16000 |

+| Standard_F48s_v2 | 48 | 96 | 384 | 21000 |

+| Standard_F64s_v2 | 64 | 128 | 512 | 28000 |

+| Standard_F72s_v2 | 72 | 144 | 576 | 30000 |

+## Memory optimized

+Memory optimized VM sizes offer a high memory-to-CPU ratio that is great for relational database servers, medium to large caches, and in-memory analytics.

+### Esv5-series

+Esv5-series virtual machines run on Intel® Xeon® Platinum 8473C (Sapphire Rapids), or Intel® Xeon® Platinum 8370C (Ice Lake) processor reaching an all core turbo clock speed of up to 3.5 GHz. Esv5-series virtual machines don't have temporary storage.

+[View the Esv5 family page](/azure/virtual-machines/ev5-esv5-series)

+| Size | vCPU (Qty.) | Memory: GiB | Max bandwidth (Mbps) |

+|||||

+| Standard_E2s_v5 | 2 | 16 | 12500 |

+| Standard_E4s_v5 | 4 | 32 | 12500 |

+| Standard_E8s_v5 | 8 | 64 | 12500 |

+| Standard_E16s_v5 | 16 | 128 | 12500 |

+| Standard_E20s_v5 | 20 | 160 | 12500 |

+| Standard_E32s_v5 | 32 | 256 | 16000 |

+| Standard_E48s_v5 | 48 | 384 | 24000 |

+| Standard_E64s_v5 | 64 | 512 | 30000 |

+| Standard_E96s_v5 | 96 | 672 | 35000 |

+### M family

+The 'M' family of VM size series are one of Azure's ultra memory-optimized VM instances. They're designed for memory-intensive workloads, such as large in-memory databases, data warehousing, and high-performance computing (HPC). The M-family is equipped with substantial RAM capacities and high vCPU capabilities, M-family VMs support applications and services that require massive amounts of memory and significant computational power. This makes them well-suited for handling tasks like real-time data processing, complex scientific simulations, and large-scale enterprise resource planning (ERP) systems, ensuring peak performance for the most demanding data-centric applications.

+M-series VMs have fixed-size temporary storage.

+[View the M series page](/azure/virtual-machines/m-series)

+| Size | vCPU | Memory: GiB | Temp storage (SSD) GiB | Expected network bandwidth (Mbps) |

+|-||-||--|

+| Standard_M64s | 64 | 1024 | 2048 | 16000 |

+| Standard_M128s | 128 | 2048 | 4096 | 30000 |

+| Standard_M64m | 64 | 1792 | 7168 | 16000 |

+| Standard_M128m | 128 | 3892 | 14336 | 32000 |

+## Next step

+> [!div class="nextstepaction"]

+> [Create a chamber VM](./how-to-guide-chamber-vm.md)

+# Customer intent: As a Modeling and Simulation Workbench user, I want to understand workbench components.

+The Azure Modeling and Simulation Workbench is a Platform-as-a-Service (PaaS) that provides a secure environment for managed, cloud-based collaboration and access to large-scale compute infrastructure. The Modeling and Simulation Workbench provides conventional cloud resources, such as computing, storage, and networking, in an isolated, managed environment. The components are arranged as a hierarchy of containers, presented in the user's subscription but deployed in Microsoft's manged environment. Multiple enterprises can collaboratively work on projects within a workbench using Modeling and Simulation Workbench's secure design environment.

+This article presents an overview of the individual components, which make up the Azure Modeling and Simulation Workbench.

+## Workbench

+A Workbench is the top-level container for the Azure Modeling and Simulation Workbench. It hosts conventional Azure resources in a closed environment. Workbenches house user and data isolation chambers, virtual machines, and networking infrastructure. A Workbench has no managing controls and only a Workbench Owner can deploy.

+## Chambers

+[Chambers](./concept-chamber.md) are contained within a Workbench object and contain user data and workloads in an isolated environment. Users assigned to a chamber only have visibility to users and resources in that same chamber. Compute resources are deployed into a chamber as Workload VMs and several classes of storage are available.

+Chamber Workload VMs are the Workbench's compute resource and the encapsulating container for traditional VMs. Unlike traditional Infrastructure-as-a-Service offerings, Workload VMs are created with a sensible set of defaults, eliminating the expertise required to securely deploy a VM into a cloud environment. Workload VMs are isolated from the internet and VMs in other chambers, but have access to all VMs in the same chamber. User provisioning is automated at the chamber level. Chamber VMs offer a select set of the Azure virtual machine (VM) offerings that span diverse memory-to-core ratios and suit different workload requirements. VM offerings include general purpose, compute optimized memory optimized VMs.

+## Storage

+Storage components work together to provide high performance for engineering workflows. The storage service enables you to migrate and run enterprise file applications. Modeling and Simulation Workbench offers a range of storage configurations that offer high-performance, shared, or isolated access. Storage is preconfigured to be accessible to chambers or between a select set of chambers.

+## Networking

+Networking is presented as a [Connector](./concept-connector.md) object that attaches to a chamber. Connectors can be provisioned to allow connection directly from the internet or an Azure virtual network. Azure virtual network connections enable over-provisioned network resources with high bandwidth and low latency. Network quality and throughput impacts job runtime drastically. Azure offers built-in, custom options for fast, scalable, and secure connectivity aided by its wide and private optical-fiber capacity, enabling low-latency access globally. Azure also offers accelerated networking to reduce the number of hops and deliver improved performance.

+<!--

+- Remote desktop service - As robust security is mandatory to protect IP within and outside chambers, remote desktop access needs to be secured, with custom restrictions on data transfer through the sessions. Customer IT admins can enable multifactor authentication through [Microsoft Entra ID](/azure/active-directory/) and provision role assignments to Modeling and Simulation Workbench users. -->

+* [Storage](./concept-storage.md)

+* [User personas](./concept-user-personas.md)

+* [Chambers](./concept-chamber.md)

+ Title: "Disaster recovery: Azure Modeling and Simulation Workbench"

+description: This article provides an overview of disaster recovery for Azure Modeling and Simulation Workbench.

+This article explains how to configure a disaster recovery environment for Azure Modeling and Simulation Workbench. Azure data center outages are rare but can last anywhere from a few minutes to hours. Data Center outages can cause disruption to the environments hosted in that data center. This article gives Azure Modeling and Simulation workbench customers a resource to continue operations in the cloud in the event of a data center outage in the primary region hosting your workbench instance.

+A typical disaster recovery workflow starts with a failure of a critical service in your primary region. As the issue gets investigated, Azure publishes an expected time for the primary region to recover. If this timeframe isn't acceptable for business continuity, and the problem doesn't impact your secondary region, you would start the process to fail over to the secondary region.

+To be prepared for a data center outage, you can have a Modeling and Simulation workbench instance provisioned in a secondary region.

+These Workbench resources can be configured to match the resources that exist in the primary Azure Modeling and Simulation workbench instance. Users in the workbench instance environment can be provisioned ahead of time, or when you switch to the secondary region. Chamber and connector resources can be put in a stopped state post deployment to invoke idle billing meters when not being used actively.

+## Verify Microsoft Entra ID tenant information

+The workspace source and destination can be in the same subscription. If source and destination for workbench are different subscriptions, the subscriptions must exist within the same Microsoft Entra ID tenant. Use Azure PowerShell to verify that both subscriptions have the same tenant ID.

+1. Application Client key

+2. Application Secret key

+In the event of a primary region failure, and decision to work in a backup region, you would create a Modeling and Simulation Workbench instance in your backup region.

+1. Register to the Azure Modeling and Simulation Workbench Resource Provider as described in [Create an Azure Modeling and Simulation Workbench](/azure/modeling-simulation-workbench/quickstart-create-portal#register-azure-modeling-and-simulation-workbench-resource-provider).

+1. Upload data into the new backup instance following Upload Files section of instructions, if necessary.

+ Title: "Add redirect URIs: Azure Modeling and Simulation Workbench"

+description: Add redirect URIs for Azure Modeling and Simulation Workbench.

+#CustomerIntent: As a administrator, I want to add authentication URI from the Azure Modeling and Simulation Workbench to the Entra Id application registration.

+# Add redirect URIs for Modeling and Simulation Workbench

+A redirect Uniform Resource Identifier (URI) is the location where the Microsoft identity platform redirects a user's client and sends security tokens after authentication. Each has two redirect URIs that must be registered in Microsoft Entra ID. A single Application Registration handles all the redirects and security tokens for a workbench.

+## Prerequisites

+* An application registration in Microsoft Entra ID for the Azure Modeling and Simulation Workbench

+* A Workbench instance with a chamber and created.

+## Add redirect URIs for the application in Microsoft Entra ID

+ Title: "Manage chamber idle mode: Azure Modeling and Simulation Workbench"

+description: Place a chamber into idle mode to optimize cost in Azure Modeling and Simulation Workbench.

+#CustomerIntent: As a Chamber Admin, I want to reduce cost and place a chamber into Idle mode.

+# Manage chamber idle mode

+To optimize cost management, chambers can be put into an idle state to reduce the running cost, while still maintaining the core infrastructure. Before enabling chamber idle, ensure that there are no running workloads and no active remote desktop user connections.

+> [!IMPORTANT]

+> To place a chamber into or take a chamber out of idle mode, you must perform the operations on both the chamber and its connector in the correct order, waiting for each operation to successfully complete before proceeding.

+## Prerequisites

+* An instance of Azure Modeling and Simulation Design Workbench with at least one chamber and connector.

+* A user role with at Chamber Admin assignment for the target chambers.

+## Place a chamber into idle state

+To place a chamber into idle, the connector must be stopped before the chamber is stopped. Perform the following steps in the Azure portal.

+1. Navigate to the chamber to be placed into idle.

+1. From the **Settings** menu at the left, select **Connector**.

+1. Select the connector to be stopped.

+1. From the top action bar, select **Stop**. Connectors typically take about 8 minutes to shut down and dispose of resources.

+ :::image type="content" source="media/howtoguide-idle/connector-stop.png" alt-text="Screenshot of connector action bar with Stop button highlighted in red.":::

+ Wait until the connector completely stops and the Power state shows **Stopped**.

+ :::image type="content" source="media/howtoguide-idle/connector-verify-stop.png" alt-text="Screenshot of connector overview with Power state of status highlighted in red.":::

+1. Navigate back to the parent chamber.

+1. From the top action bar, select **Stop**. Chambers typically take about 8 minutes to shut down and dispose of resources.

+ :::image type="content" source="media/howtoguide-idle/chamber-stop.png" alt-text="Screenshot of chamber action bar with Stop button highlighted in red.":::

+ Wait until the chamber completely stops and the Power state shows **Stopped**.

+ :::image type="content" source="media/howtoguide-idle/chamber-verify-stop.png" alt-text="Screenshot of chamber overview with Power state as Stopped.":::

+ > [!TIP]

+ > The Activity log will show successful stop of both chamber and connector.

+ :::image type="content" source="media/howtoguide-idle/connector-log-stop.png" alt-text="Screenshot of activity log showing chamber successfully stopped.":::

+ :::image type="content" source="media/howtoguide-idle/connector-log-stop.png" alt-text="Screenshot of activity log showing connector successfully stopped.":::

+## Take a chamber out of idle state

+To take a chamber out of idle state, both the chamber and connector must be started in the correct order. The chamber must be fully running before the connector can be started.

+1. Navigate to the chamber to be taken out of idle state.

+1. From the top action bar, select **Start**. Chambers typically take about 8 minutes to start and create resources. Before proceeding, ensure that the chamber is successfully running by verifying that the Power state of the chamber **Running**.

+1. Navigate to the chamber's connector by selecting **Connector** from the **Settings** menu at the left.

+1. Select the connector to be stopped.

+1. From the top action bar, select **Start**. Connectors typically take about 8 minutes to start and create resources. The Power state of the connector must show as **Running** before a connector can be used for connecting to a desktop or file upload and download.

+ Title: "Create and manage chamber VMs: Azure Modeling and Simulation Workbench"

+description: How to create and manage a chamber VMs in the Azure Modeling and Simulation Workbench.

+#CustomerIntent: As a Workbench Owner, I want to create and manage a chamber to isolate users, workloads and data.

+# Chamber VMs

+Chamber workload virtual machines (VM) are Azure VMs managed by the Workbench. Chamber VMs don't require expert users to select, deploy, configure, or manage. VMs are deployed quickly, preconfigured with drivers for the most common EDA (Electronic Design Automation) workloads, and with access to thousands of managed applications.

+Chamber VMs deploy quickly and with little configuration in as little as 10 minutes. Chamber VMs are automatically:

+* Deployed directly into the chamber with no more configuration

+* Networked to the chamber's private virtual network

+* Mounted to any existing chamber storage, user home directories, and the [Data Pipeline](./concept-data-pipeline.md) mount points

+* Preconfigured with drivers to work with major semiconductor design tools

+User administration is managed from the parent chamber and all users of a chamber have access into all VMs in the chamber.

+This article shows how to create, manage, and delete a chamber VM.

+## Prerequisites

+* A Modeling and Simulation Workbench with at least one chamber.

+* A user account with Workbench Owner privileges (Subscription Owner or Subscription Contributor) role.

+## Create a chamber VM

+A chamber VM can only be deployed into an existing chamber. Once deployed, the chamber VM can't be moved to other chambers or renamed. The location of a chamber VM can't be specified as VMs are deployed to the same location as the parent Workbench.

+The Azure Modeling and Simulation Workbench offers a select set of high-performance VMs. To see the VM offerings and features, refer to [Modeling and Simulation Workbench VM Offerings](./concept-vm-offerings.md).

+All VMs are created with Red Hat Enterprise Linux version 8.8.

+1. From the chamber overview page, select **Chamber VM** from the **Settings** menu in the left pane.

+ :::image type="content" source="media/howtoguide-create-chamber-vm/chamber-vm-menu.png" alt-text="Screenshot of chamber settings menu with chamber VM in red box.":::

+1. On the chamber VM page, select **Create** from the action bar.

+ :::image type="content" source="media/howtoguide-create-chamber-vm/chamber-vm-create.png" alt-text="Screenshot of chamber VM action bar with 'Create' button annotated in red box.":::

+1. In the Create chamber VM dialog, enter the name of the chamber VM, the VM type, and the number of VMs to be created (default is 1). The VM image type will be expanded in the future to support software for other scientific and engineering applications.

+ :::image type="content" source="media/howtoguide-create-chamber-vm/chamber-vm-create-dialog.png" alt-text="Screenshot of Create chamber VM dialog with textboxes and ReviewCreate button marked in red.":::\.

+ Read about the [Chamber VM offerings](./concept-vm-offerings.md) to help you select the correct VM for your workload.

+1. Select **Review + create**.

+1. If prevalidation checks are successful, the **Create** button is enabled. Select **Create**. A chamber VM typically can take up to 10 minutes to deploy. Once deployed, the **Power state** status shows as "Running".

+## Manage a chamber VM

+Once a chamber VM is created, a Workbench Owner or chamber Admin can administer it. Chamber VMs can only be stopped, started, or restarted. Chamber VMs can't be migrated or resized. Chamber VMs don't accept user role assignments. User administration happens at the chamber level. Chambers have access to shared storage (shared between chambers) and chamber storage, which is accessible only within the chamber by the members. IP addresses are managed by the deployment engine. Data and OS disks aren't configurable in chamber VMs. Microsoft recommends installing all your applications and data on the chamber storage volumes to allow you to create and destroy VMs that are instantly ready for use. All VMs have access to the chamber License servers.

+* [Manage users](./how-to-guide-manage-users.md)

+* [How to start, stop, or restart a chamber](./how-to-guide-start-stop-restart.md)

+* [Manage Storage](./how-to-guide-manage-chamber-storage.md)

+* [About license servers](./concept-license-service.md)

+## Delete a chamber VM

+If a chamber VM is no longer needed, it can be deleted. VMs don't need to be stopped before being deleted. Once a chamber is deleted, it can't be recovered.

+1. Navigate to the chamber VM.

+1. Select **Delete** from the action bar. Deleting a chamber can take up to 10 minutes.

+## Related content

+* [Manage users](./how-to-guide-manage-users.md)

+* [Start, stop, or restart a chamber](./how-to-guide-start-stop-restart.md)

+* [Manage chamber storage](./how-to-guide-manage-chamber-storage.md)

+* [License servers](./concept-license-service.md)

+ Title: "Create and manage chambers: Azure Modeling and Simulation Workbench"

+description: How to create and manage a chamber in the Azure Modeling and Simulation Workbench.

+#CustomerIntent: As a Workbench Owner, I want to create and manage a chamber to isolate users, workloads and data.

+# Create a chamber in the Azure Modeling and Simulation Workbench

+The Azure Modeling and Simulation Workbench provides a secure, cloud-based environment to collaborate with other organizations. Chambers are isolated areas with no access to the internet or other chambers, making them ideal work environments for enterprises. In a complex project where isolation is needed, a chamber should be created for each independent work group, or enterprise that requires confidentiality and control of their data.

+This article shows how to create, manage, and delete a chamber.

+## Prerequisites

+* A Modeling and Simulation Workbench top-level Workbench is created.

+* A user account with Workbench Owner privileges (Subscription Owner or Subscription Contributor) role.

+## Create a chamber

+A Workbench Owner can create a chamber in an existing Workbench. Chambers can't be renamed or moved once created, nor can the location be specified. Chambers are deployed to the same location as the parent Workbench.

+1. From the Workbench overview page, select **Chamber** from the **Settings** menu in the left pane.

+1. In the chamber page, select **Create** from the action bar.

+ :::image type="content" source="media/howtoguide-create-chamber/chamber-create-button.png" alt-text="Screenshot of chamber action bar with Create button annotated in red box.":::

+1. In the next dialog, only the name of a chamber is required. Enter a name and select **Next**.

+ :::image type="content" source="media/howtoguide-create-chamber/chamber-create-name.png" alt-text="Screenshot of chamber name dialog.":::

+1. If prevalidation checks are successful, select **Create**. A chamber typically takes around 15 minutes to deploy.

+## Manage a chamber

+Once a chamber is created, a Workbench Owner or chamber Admin can administer it. A chamber can be stopped, started, or restarted. Chambers are the scope of user role assignments, and defining boundary for data.

+* [Manage users](./how-to-guide-manage-users.md)

+* [Manage license servers or upload licenses](./how-to-guide-licenses.md)

+* [Start, stop, or restart a chamber](./how-to-guide-start-stop-restart.md)

+* [Upload data](./how-to-guide-upload-data.md)

+* [Download data](./how-to-guide-download-data.md)

+## Delete a chamber

+If a chamber is no longer needed, it can be deleted only if it's empty. All nested resources under the chamber must first be deleted before the chamber can be deleted. A chamber's nested resources include virtual machines (VM), connectors, and chamber storage. Once a chamber is deleted, it can't be recovered.

+1. Navigate to chamber.

+1. Ensure that all nested resources are deleted. From the **Settings** menu at the left, visit each of the nested resources and ensure that they're empty. Visit the [Deleting nested resources](#deleting-nested-resources) section to learn how to delete each of those resources.

+1. Select **Delete** from the action bar. Deleting a chamber can take up to 10 minutes.

+### Deleting nested resources

+Nested resources of a chamber must first be deleted before the top-level chamber can be deleted. A chamber can't be deleted if it still has a connector, chamber storage, or VM deployed within it. License servers are chamber infrastructure, aren't user deployable, and don't apply to this requirement.

+* [Manage connectors](./how-to-guide-set-up-networking.md)

+* [Manage chamber storage](./how-to-guide-manage-chamber-storage.md)

+* [Manage chamber VMs](./how-to-guide-chamber-vm.md)

+## Related content

+* [Manage license servers](./how-to-guide-licenses.md)

+ Title: "Configure Red Hat firewalls: Azure Modeling and Simulation Workbench"

+description: Configure firewalls in Red Hat VMs in Azure Modeling and Simulation Workbench.

+#CustomerIntent: As a Chamber Admin, I want to configure firewalls on individual VMs to allow applications to communicate within a chamber.

+# Configure firewalls in Red Hat

+Chamber VMs run Red Hat Enterprise Linux as the operating system. By default, the firewall is configured to deny all inbound connections except to managed services. To allow inbound communication, rules must be added to the firewall to allow traffic to pass. Similarly, if a rule is no longer needed, it should be removed.

+This article presents the most common firewall configuration commands. For full documentation or more complex scenarios, see [Chapter 40. Using and configuring `firewalld`](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/using-and-configuring-firewalld_configuring-and-managing-networking) of the Red Hat Enterprise Linux 8 documentation.

+All the operations referenced here require `sudo` privileges and thus need the Chamber Admin role.

+> [!IMPORTANT]

+> VMs can only communicate with other VMs in the same chamber. Chamber-to-chamber traffic is never permitted and modifying firewall rules won't enable inter-chamber traffic.

+## Prerequisites

+## List all open ports

+List all currently open ports and associated protocol.

+```bash

+$ sudo firewall-cmd --list-all

+public (active)

+ target: default

+ icmp-block-inversion: no

+ interfaces: eth0

+ sources:

+

+ ports: 6817-6819/tcp 60001-63000/tcp

+ protocols:

+ forward: no

+ masquerade: no

+ forward-ports:

+ source-ports:

+ icmp-blocks:

+ rich rules:

+```

+## Open ports for traffic

+You can open a single or consecutive range of ports for network traffic. Changes to `firewall-d` are temporary and don't persist if the service is restarted or reloaded unless committed.

+### Open a single port

+Open a single port with `firewalld` for a given protocol using the `--add-port=portnumber/porttype` option. This example opens port 5510/TCP.

+```bash

+$ sudo firewall-cmd --add-port=33500/tcp

+success

+```

+Commit the rule to the permanent set:

+```bash

+$ sudo firewall-cmd --runtime-to-permanent

+success

+```

+### Open a range of ports

+Open a range of ports with `firewalld` for a specified protocol with the `--add-port=startport-endport/porttype` option. This command is useful in distributed computing scenarios where workers are dispatched to a large number of nodes and multiple workers might be on the same physical node. This example opens 100 consecutive ports starting at port 5000 with the UDP protocol.

+```bash

+$ sudo firewall-cmd --add-port=5000-5099/udp

+success

+```

+Commit the rule to the permanent set:

+```bash

+$ sudo firewall-cmd --runtime-to-permanent

+success

+```

+## Remove port rules

+If rules are no longer needed, they can be removed with the same notation as adding and using the `--remove-port=portnumber/porttype`. This example removes a single port:

+```bash

+$ sudo firewall-cmd --remove-port=33500/tcp

+success

+```

+Commit the rule to the permanent set:

+```bash

+$ sudo firewall-cmd --runtime-to-permanent

+success

+```

+## Related content

+* [Upload data to a chamber](./how-to-guide-upload-data.md)

+* [Download data from a chamber](./how-to-guide-download-data.md)

+ Title: "Export data: Azure Modeling and Simulation Workbench"

+- A user who's a Workbench Owner (Subscription Owner or Subscription Contributor), and a user provisioned as a Chamber Admin or Chamber User.

+1. On the left menu, select **Settings** > **Connector**. In the resource list, select the displayed connector.

+To learn how to manage chamber storage in Azure Modeling and Simulation Workbench, see [Manage chamber storage](./how-to-guide-manage-chamber-storage.md).

+ Title: "Enable copy/paste: Azure Modeling and Simulation Workbench"

+description: Enable copy/paste functionality in Azure Modeling and Simulation Workbench.

+#CustomerIntent: As a Workbench administrator, I want to enable copy/paste functionality to allow users to be able to copy and paste into and out of a Workbench VM.

+# Enable copy/paste in Azure Modeling and Simulation Workbench

+Copy/paste functionality is disabled by default for all chambers created in the Azure Modeling and Simulation Workbench. Workbench Owners can enable copy/paste for an entire chamber. Enabling copy/paste allows users to move text data between their local workstations and chamber VMs. Enabling copy/paste changes the security boundary of the service since data can be directly copied out instead of the data pipeline controls.

+The Workbench Owner can enable this copy/paste when the connector is first created or later when needed. This article shows how to manage copy/paste configuration using OpenText Exceed TurboX (ETX), the remote client solution.

+> [!WARNING]

+> If copy/paste is enabled, users can export data through clipboard operations and without having to request file downloads. Only enable copy/paste if these additional controls aren't needed.

+## Prerequisites

+## View the current setting of copy/paste

+The current setting of the control can be viewed on the connector overview page.

+1. Navigate to the connector of the chamber to be checked.

+1. On the Overview page, check the **Copy/paste** status in the right column.

+ :::image type="content" source="media/howtoguide-enable-copy-paste/copy-paste-status.png" alt-text="Screenshot of connector overview with copy/paste status outlined in red.":::

+## Enable or disable copy/paste

+1. Navigate to the connector of the chamber to be configured.

+1. On the Overview page, select **Configure copy/paste** from the action bar.

+ :::image type="content" source="media/howtoguide-enable-copy-paste/copy-paste-configure-button.png" alt-text="Screenshot of connector overview with copy/paste configuration button highlighted in red.":::

+The copy/paste control dialog appears.

+1. Select the desired setting. Select **Save**.

+ :::image type="content" source="media/howtoguide-enable-copy-paste/copy-paste-control.png" alt-text="Screenshot of copy/paste control dialog showing enable and disable radio buttons.":::

+## Copy and paste using the client

+When copying from or pasting to a virtual machine (VM), you must use the ETX client's controls.

+#### [Windows client](#tab/windows)

+In the Windows native ETX client, the copy/paste menu can be accessed from the application menu in the upper left.

+1. Select the application icon at the far left of the title bar.

+1. Select **Edit** then either **Copy X Selection** or **Paste to X Selection**.

+1. Highlighting either option produces another flyout menu of sources or destinations.

+ :::image type="content" source="media/howtoguide-enable-copy-paste/etx-windows-copy-paste-menu.png" alt-text="Screenshot of Windows ETX copy/paste menu.":::

+#### [Web client](#tab/web)

+In the web client, the menu is accessed from the main screen.

+1. Select the blue box and white arrow in the left corner. The menu flies out and a menu icon is displayed.

+1. Select the menu icon to reveal copy/paste actions.

+ :::image type="content" source="media/howtoguide-enable-copy-paste/etx-web-client-copy-paste.png" alt-text="Screenshot of ETX web client copy/paste menu.":::

+## Related content

+* [Manage connectors](./how-to-guide-set-up-networking.md)

+* [Upload data](./how-to-guide-upload-data.md)

+* [Download data](./how-to-guide-download-data.md)

+ Title: "Manage license

+description: Learn how to upload a license file to chamber license service in Azure Modeling and Simulation Workbench.

+1. Search for **Modeling and Simulation Workbench**. Select the workbench that you want to update the licenses in from the resource list.

+1. In the **Update license** pop-up dialog, select the **Update** button to activate your license service. The new license is loaded, causing the service to restart.

+> [!IMPORTANT]

+> Loading a new license causes the license server to restart. This could affect actively running jobs.

+> [!div class="nextstepaction"]

+> [Import data](./how-to-guide-upload-data.md)

+ Title: "Manage chamber storage: Azure Modeling and Simulation Workbench"

+description: Learn how to manage chamber storage in Azure Modeling and Simulation Workbench.

+# Customer intent: As a Chamber Admin in Azure Modeling and Simulation Workbench, I want to manage chamber storage.

+# Manage chamber storage in Azure Modeling and Simulation Workbench

+Chamber Admins and Workbench Owners can manage the storage capacity in Azure Modeling and Simulation Workbench to fit their organization's specific needs. For example, they can increase or decrease the amount of chamber storage. They can also change the performance tier.

+This article explains how Chamber Admins and Workbench Owners manage chamber storage.

+## Prerequisites

+## Access storage options in a chamber

+If you're a Workbench Owner or Chamber Admin, complete the following steps to access the chamber storage options:

+1. Enter **Modeling and Simulation Workbench** in the global search. Then, under **Services**, select **Modeling and Simulation Workbench**.

+1. Select your workbench from the resource list.

+1. On the left menu, select **Settings** > **Chamber**. A resource list appears. Select the chamber where you want to manage the storage.

+1. On the left menu, select **Settings** > **Storage**. In the resource list, select the displayed storage.

+### Resize chamber storage

+If you're a Workbench Owner or Chamber Admin, you can increase or decrease a chamber's storage capacity by changing the storage size.

+You can't change the storage size to less than what you're currently using for that storage instance. In addition, you can't change the storage size to more than the available capacity for the region where your workbench is installed. The default storage quota limit is 25 TB across all workbenches installed in your subscription per region. For more information about resource capacity limits, contact your Microsoft account manager.

+Complete the following steps to increase or decrease the storage size:

+1. In the storage overview, select **Resize**.

+1. In the **Resize** pop-up dialog, enter the desired storage size.

+1. Select the **Change** button to confirm the resize request.

+1. Select **Refresh** to show the new size in the storage overview.

+> [!IMPORTANT]

+> Azure NetApp Files capacity availability is limited per region. Azure NetApp Files quota availability is limited per region and customer subscription. To request an increase in storage quota, contact your Microsoft account manager.

+### Change the performance tier

+If you're a Workbench Owner or a Chamber Admin, you can change the performance tier for storage.

+You can change the storage performance tier to a higher tier, such as from standard to ultra, at any time. You can change the storage performance tier to a lower tier, such as from ultra to standard, after the cool-down period. The Azure Net App Files cool-down period is one week from when you created the storage or one week from the last time that you increased the storage tier.

+Complete the following steps to change the performance tier:

+1. In the chamber storage overview, select **Change tier**.

+1. In the **Change tier** pop-up dialog, select the desired storage tier from the combo box.

+1. Select the **Update** button to confirm the request to change the tier.

+1. Select **Refresh** to show the new tier in the storage overview.

+ Title: "Manage shared storage: Azure Modeling and Simulation Workbench"

+description: Learn how to manage shared storage in Azure Modeling and Simulation Workbench.

+# Customer intent: As a Chamber Admin in Azure Modeling and Simulation Workbench, I want to manage shared storage.

+# Manage shared storage in Azure Modeling and Simulation Workbench

+Shared storage is accessible between one or more chambers and is the only means that data can be exchanged between chambers. Chamber Admins and Workbench Owners can manage the Shared storage in Azure Modeling and Simulation Workbench. For example, they can increase or decrease the amount of chamber storage. They can also change the performance tier.

+This article explains how Chamber Admins and Workbench Owners manage chamber storage.

+## Prerequisites

+## Sign in to the Azure portal

+Open your web browser and go to the [Azure portal](https://portal.azure.com/). Enter your credentials to sign in to the portal.

+## Create shared storage

+If you're a Workbench Owner or Chamber Admin, complete the following steps to access the shared storage options:

+1. Enter **Modeling and Simulation Workbench** in the global search. Under **Services**, select **Modeling and Simulation Workbench**.

+1. Select your workbench from the resource list.

+1. On the left menu, select **Settings** > **Shared storage**.

+1. Select **Create** from the action bar. The Create shared storage configuration appears.

+1. Fill in a name, set the capacity in 4-TB increments, and select the chambers that the shared storage should be accessible to.

+ :::image type="content" source="media/howtoguide-shared-storage/shared-storage-create.png" alt-text="Screenshot of shared storage create dialog.":::

+1. Select **Review + Create**. If the validation checks pass, select **Create**.

+## Manage shared storage

+If you're a Workbench Owner or Chamber Admin, complete the following steps to access the chamber storage options:

+1. Enter **Modeling and Simulation Workbench** in the global search. Then, under **Services**, select **Modeling and Simulation Workbench**.

+1. Select your workbench from the resource list.

+1. On the left menu, select **Settings** > **Shared storage**. In the resource list, select the storage to be managed.

+### Resize chamber storage

+If you're a Workbench Owner or Chamber Admin, you can increase or decrease a chamber's storage capacity by changing the storage size.

+You can't change the storage size to less than what you're currently using for that storage instance. In addition, you can't change the storage size to more than the available capacity for the region where your workbench is installed. The default storage quota limit is 25 TB across all workbenches installed in your subscription per region. For more information about resource capacity limits, contact your Microsoft account manager.

+Complete the following steps to increase or decrease the storage size:

+1. In the storage overview, select **Resize**.

+1. In the **Resize** pop-up dialog, enter the desired storage size.

+1. Select the **Change** button to confirm the resize request.

+1. Select **Refresh** to show the new size in the storage overview.

+> [!IMPORTANT]

+> Azure NetApp Files capacity availability is limited per region. Azure NetApp Files quota availability is limited per region and customer subscription. To request an increase in storage quota, contact your Microsoft account manager.

+### Change the performance tier

+If you're a Workbench Owner or a Chamber Admin, you can change the performance tier for storage.

+You can change the storage performance tier to a higher tier, such as from standard to ultra, at any time. You can change the storage performance tier to a lower tier, such as from ultra to standard, after the cool-down period. The Azure Net App Files cool-down period is one week from when you created the storage or one week from the last time that you increased the storage tier.

+Complete the following steps to change the performance tier:

+1. In the chamber storage overview, select **Change tier**.

+1. In the **Change tier** pop-up dialog, select the desired storage tier from the combo box.

+1. Select the **Update** button to confirm the request to change the tier.

+1. Select **Refresh** to show the new tier in the storage overview.

+ Title: "Manage users: Azure Modeling and Simulation Workbench"

+description: Learn how to manage users' access to Azure Modeling and Simulation Workbench.

+* Users to be added must already exist in your company's Microsoft Entra ID tenant. If you want to invite guests to collaborate in your chamber, you must add them to your Microsoft Entra ID tenant.

+* Email fields for users must be populated in the Microsoft Entra ID user profile. The email alias must exactly match the user's Microsoft Entra sign-in alias. For example, a Microsoft Entra sign-in alias of <jane.doe@contoso.com> must also have email alias of <jane.doe@contoso.com>.

+* Users assigned at the *resource group level* can see Azure Modeling and Simulation Workbench resources and create workloads in a chamber.

+* Users assigned at the *chamber level* can perform Azure Modeling and Simulation Workbench operations in the Azure portal and access the chamber workloads.

+ > [!NOTE]

+ > This procedure won't immediately interrupt active remote desktop dashboard sessions, but it will block future logins. To interrupt or block any active sessions, you must restart the connector. A connector restart will affect all active users and sessions, so use it with caution. It won't stop any active jobs that are running on the workloads.

+ Title: "Register resource provider: Azure Modeling and Simulation Workbench"

+description: Register the Azure Modeling and Simulation Workbench resource provider.

+#CustomerIntent: As an administrator, I want to register the resource provider so I can install Azure Modeling and Simulation Workbench

+# Register Azure Modeling and Simulation Workbench resource provider

+To install the Azure Modeling and Simulation Workbench, the resource provider must be registered with the target subscription. Registering the resource provider gives the subscription access to the application. You should only register the resource providers you intend to use with the subscription.

+## Prerequisites

+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* The Azure account must have permission to manage resource providers and to manage resources for the subscription. The permission is included in the Contributor and Owner roles.

+* The Azure account must have permission to manage applications in Microsoft Entra ID. The following Microsoft Entra roles include the required permissions:

+ * [Application administrator](/azure/active-directory/roles/permissions-reference#application-administrator)

+ * [Application developer](/azure/active-directory/roles/permissions-reference#application-developer)

+ * [Cloud application administrator](/azure/active-directory/roles/permissions-reference#cloud-application-administrator)

+* A Microsoft Entra tenant.

+## Register the resource provider

+## Re-register the resource provider

+Some application issues and certain updates require the resource provider to be re-registered.

+1. On the Azure portal menu, search for **Subscriptions**. Select it from the available options.

+ :::image type="content" source="/azure/azure-resource-manager/management/media/resource-providers-and-types/search-subscriptions.png" alt-text="Screenshot of the Azure portal in a web browser, showing search subscriptions.":::

+1. On the **Subscriptions** page, select the subscription you want to view. In the example, 'Documentation Testing 1' is shown as an example.

+ :::image type="content" source="/azure/azure-resource-manager/management/media/resource-providers-and-types/select-subscription.png" alt-text="Screenshot of the Azure portal in a web browser, showing select subscriptions.":::

+1. On the left menu, under **Settings**, select **Resource providers**.

+ :::image type="content" source="/azure/azure-resource-manager/management/media/resource-providers-and-types/select-resource-providers.png" alt-text="Screenshot of the Azure portal in a web browser, showing select resource providers.":::

+1. Select the *Microsoft.ModSimWorkbench* resource provider. Then select **Unregister**, wait for the operation to complete, then select **Register**.

+ :::image type="content" source="./media/quickstart-create-portal/register-resource-provider.png" alt-text="Screenshot of the Azure portal in a web browser, showing register resource providers.":::

+ Title: "Set up networking: Azure Modeling and Simulation Workbench"

+description: Learn how to set up networking for an Azure Modeling and Simulation Workbench connector.

+If your organization has a presence in Azure or requires that connections to the Workbench be over a VPN, the VPN or ExpressRoute connector should be used.

+When a connector is created, the Workbench Owner (Subscription Owner) can link an existing virtual network with a VPN gateway and/or ExpressRoute gateway. This link provides a secure connection between your on-premises network and the chamber.

+### Create a VPN or ExpressRoute connector

+1. Before you create a [Connector](./concept-connector.md) for private IP networking via VPN or ExpressRoute, the Workbench needs a role assignment. Azure Modeling and Simulation Workbench requires the **Network Contributor** role set for the resource group in which you're hosting your virtual network connected with ExpressRoute or VPN.

+ | Setting | Value |

+ |:|:--|

+ | **Role** | **Network Contributor** |

+ | **Assign access to** | **User, group, or service principal** |

+ | **Members** | **Azure Modeling and Simulation Workbench** |

+ [!INCLUDE [azure-hpc-workbench-alert](includes/azure-hpc-workbench-alert.md)]

+1. A list of available virtual network subnets within your subscription appears. Select a subnet other than the gateway subnet within the same virtual network for the VPN gateway or ExpressRoute gateway.

+IP addresses can be allowlisted in the Azure portal to allow connections to a chamber. Only one IP address can be specified for a Public IP connector when creating a new Workbench. After the connector is created, you can specify other IP addresses. Standard [CIDR (Classless Inter-Domain Routing)](/azure/virtual-network/virtual-networks-faq) mask notation can be used to allow ranges of IP addresses across a subnet.

+Workbench Owners and Chamber Admins can add to and edit the allowlisted public addresses for a connector after the connector object is created.

+ :::image type="content" source="./media/resources-troubleshoot/chamber-connector-networking-network-allowlist.png" alt-text="Screenshot of the Azure portal in a web browser, showing the allowlist for chamber connector networking.":::

+## Redirect URIs

+To find redirect URIs:

+ :::image type="content" source="./media/quickstart-create-portal/update-aad-app-01.png" alt-text="Screenshot of the connector overview page that shows where you select the reply URLs.":::

+The redirect URIs must be registered with the Application registration to properly authenticate and redirect users to the workbench. To learn how to add redirect URIs, see [How to add redirect URIs](./how-to-guide-add-redirect-uris.md).

+## Ports and IP addresses

+### Ports

+The Azure Modeling and Simulation Workbench require certain ports to be accessible from users workstation. Firewalls and VPNs might block access on these ports to certain destinations, when accessed from certain applications, or when connected to different networks. Check with your system administrator to ensure your client can access the service from all your work locations.

+- **53/TCP** and **53/UDP**: DNS queries.

+- **443/TCP**: Standard https port for accessing the VM dashboard and any Azure portal page.

+- **5510/TCP**: Used by the ETX client to provide VDI access for both the native and web-based client.

+- **8443/TCP**: Used by the ETX client to negotiate and authenticate to ETX management nodes.

+### IP addresses

+For the Public IP connector, Azure IP addresses are taken from Azure's IP ranges for the location in which the Workbench was deployed. A list of all Azure IP addresses and Service tags is available at [Azure IP Ranges and Service Tags ΓÇô Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519&msockid=1b155eb894cc6c3600a84ac5959a6d3f). It's not possible to list all Workbench IP addresses when the public IP connector is implemented.

+> [!CAUTION]

+> The pool of IP addresses can increase not only by adding VMs, but users as well. Connection nodes are scaled when more users are added to the chamber. Discovery of endpoint IP addresses may be incomplete once the userbase increases.

+For more control over destination IP addresses and to minimize changes to corporate firewalls, a VPN and ExpressRoute connector is suggested. When using a VPN Gateway, the access point of the workbench is limited only to the gateway IP address.

+> [!div class="nextstepaction"]

+> [Import data](./how-to-guide-upload-data.md)

+ Title: "Start, stop, and restart chambers, connectors, and VMs: Azure Modeling and Simulation Workbench"

+description: How to start, stop, and restart chambers, connectors, and VMs in the Azure Modeling and Simulation Workbench.

+#CustomerIntent: As a workbench user, I want to control chambers, VMs, and connectors.

+# Start, stop, and restart chambers, connectors, and VMs

+**Applies to:** :heavy_check_mark: Chambers :heavy_check_mark: Connectors :heavy_check_mark: Chamber VMs

+Chambers, connectors, and virtual machines (VM) in the Azure Modeling and Simulation Workbench can be started, stopped, or restarted as needed. Idle mode, a cost optimization feature requires that chambers and connectors be stopped to realize cost savings. These resources are running after creation and don't need to be started.

+License servers are controlled by the chamber in which they reside and don't have their own start/stop controls. License servers can only be enabled or disabled. See [Manage license servers](./how-to-guide-licenses.md) to learn how to manage chamber license servers.

+## Prerequisites

+* An instance of the Azure Modeling and Simulation Workbench with a chamber, connector, or VM.

+* A user role with either Chamber Admin or Workbench Owner privileges.

+## Start a chamber, connector, or VM

+If stopped, use the following procedure to start. This procedure applies to chambers, connectors, and VMs. The action bar is located on the main page of the resource selected and is identical for each of these resources.

+1. Navigate to the resource to be started. For chambers, select **Chamber** from the **Settings** menu in the Workbench overview. Connectors and VMs are listed in the **Settings** menu of their respective chamber.

+1. Select **Start** from the action bar at the top of overview page. The start operation can take up to 8 minutes.

+1. Verify that the operation succeeded by checking the **Power state** field on the overview page of the resource. The status should be **Running** if the resource started successfully.

+## Stop a chamber, connector, or VM

+If a chamber, connector, or VM is running, it can be stopped with the following procedure. Stopping properly shuts down and releases resources and doesn't destroy any user data.

+1. Navigate to the resource to be stopped. For chambers, select **Chamber** from the **Settings** menu in the Workbench overview. Connectors and VMs are listed in the **Settings** menu of their respective chamber.

+1. Select **Start** from the action bar at the top of overview page. The stop operation can take up to 8 minutes.

+1. Verify that the operation succeeded by checking the **Power state** field on the overview page of the resource. The status should be **Stopped** if the resource stopped successfully.

+## Restart a chamber, connector, or VM

+A chamber, connector, or VM can be restarted in a single action. Restarting a resource may be necessary after certain updates or if a resource is malfunctioning.

+1. Navigate to the resource to be restarted. For chambers, select **Chamber** from the **Settings** menu in the Workbench overview. Connectors and VMs are listed in the **Settings** menu of their respective chamber.

+1. Select **Restart** from the action bar at the top of overview page. The restart operation can take up to 8 minutes.

+1. Verify that the operation succeeded by checking the **Power state** field on the overview page of the resource. The status should be **Running** if the resource restarted successfully.

+ Title: "Import data: Azure Modeling and Simulation Workbench"

+- A user provisioned as a Chamber Admin or Chamber User.

+> If you're importing multiple smaller files, we recommend that you zip or tarball them into a single file. Gigabyte-sized tarballs and zipped files are supported, depending on your connection type and network speed. The `/mount/datapipeline/datain` directory has a volume size of 1TB, so if the imported dataset is larger than this, free up space by moving the files over to `/mount/chamberstorages/`.

+>

+> Note that the `/mount/datapipeline` volume is Azure Files based, whereas the `/mount/chamberstorages` volume is high-performance Azure NetApp Files. Always copy over the tools, binaries, and IP from the `/mount/datapipeline/datain` folder to `/mount/chamberstorages` volume under the specific chamberΓÇÖs private storage.

+description: A brief overview of Azure Modeling and Simulation Workbench.

+The Azure Modeling and Simulation Workbench is a secure, on-demand service that provides a fully managed engineering design and simulation environment for secure and efficient user collaboration. The service incorporates infrastructure services required to build a successful environment for engineering development, such as: workload specific virtual machines (VM), scheduler, orchestration, license server, remote connectivity, high performance storage, network configurations, security, and access controls.

+<! Multi-Chamber collaboration allows these dev teams and their collaborators to have their own private workspaces, while allowing them to share data across chamber boundaries through shared storage

+The Modeling and Simulation [Workbench](./concept-workbench.md) can be created with one or more isolated [chambers](./concept-chamber.md), where access can be provided to a group of users to work with complete privacy. These isolated chambers allow intellectual property (IP) owners to operate within a private environment to retain full control of their IP and limit who can access it. [Role Based Access Control (RBAC)](/azure/role-based-access-control/overview) allows only provisioned Chamber Users and Chamber Admins to have access to the chamber, through multifactor authentication using [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/) services. Once in the chamber, users have access to all the resources within that specific isolated chamber environment, including private storage and workload VMs.

+The Azure Modeling and Simulation Workbench supports a wide variety of VM sizes suitable for most engineering development type of workloads, and are made available on-demand and scale elastically. These include general purpose VMs such as the D- and E-series, as well as specialized VMs such as the HB- and Fx-series, ideal for silicon Electronic Design Automation (EDA). Each virtual machine comes with its own virtual hardware including CPU cores, memory, hard drives (some with local storage), network interfaces, and operating system (OS) services. An easy to use interface helps to provision and deprovision these VMs as needed.

+description: Learn how to use the Azure portal to create an Azure Modeling and Simulation Workbench.

+To create an application in Microsoft Entra ID, you first register the application and add a client secret. Then you create a Key Vault, set up Key Vault role assignments, and add client secrets to the Key Vault.

+1. If you have access to multiple tenants, use the **Directories + subscriptions** filter in the top menu to switch to the tenant in which you want to register the application.

+ :::image type="icon" source="/azure/active-directory/develop/media/common/portal-directory-subscription-filter.png" alt-text="":::

+1. Select **6 months** for the **Expires**.

+1. Select **Add**. The application properties displays.

+1. Locate the **Client secret value** and document it. You need the client secret value when you create your Key Vault. Make sure you write it down now, as it will never be displayed again after you leave this page.

+ :::image type="content" source="/azure/key-vault/media/rbac/image-1.png" alt-text="Screenshot of new Key Vault settings with RBAC permissions.":::

+ In case the ΓÇÿAzure Modeling and Simulation WorkbenchΓÇÖ isn't discoverable, search for ΓÇÿAzure HPC WorkbenchΓÇÖ.

+1. While you're signed in the Azure portal, go to https://*\<AzurePortalUrl\>*/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.ModSimWorkbench%2Fworkbenches. For example, go to <https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.ModSimWorkbench%2Fworkbenches> for Azure public cloud.

+ :::image type="content" source="./media/quickstart-create-portal/create-03.png" alt-text="Screenshot of the chamber details section showing where you type and select the values.":::

+1. The **Add role assignment** pane opens. Search or scroll for the **Chamber Admin** role in the role list and **select** it. Then select **Next**.

+ > [!NOTE]

+1. Repeat steps 3-6 to assign the **Chamber User** role to other users who need to work on the chamber.

+> [!NOTE]

+> RemAssign any provisioned Chamber Admins or Chamber Users the ΓÇÿReaderΓÇÖ and 'Classic storage account contributor' role at the Resource Group level to enable permissions to access workbench resources and deploy workload VMs.

+Chamber Admins and Chamber Users can now connect into the chamber with remote desktop access. The remote desktop dashboard URL is available in the connector overview page. These users must be on the appropriate network set up for the connector, so for this quickstart their Public IP address needs to be included in the connector Network Access Control Lists (ACL) range.

+1. To delete a resource, select the **Delete** button located on the top pane of the **Overview page** for each resource. You must delete the child resources before deleting their parents. For example, first delete any chamber VMs and connectors. Then delete Storages. Then delete chambers. Delete Workbenches last.

+ Title: Refresh remote connection keys in Azure Modeling and Simulation Workbench

+description: Learn how to refresh remote connection keys in Azure Modeling and Simulation Workbench.

+# Customer intent: As a Chamber User in Azure Modeling and Simulation Workbench, I want to refresh remote connection keys.

+# Refresh remote connection keys

+The Modeling and Simulation Workbench offers provisioned users secure remote connectivity to all chamber workloads. To set up remote access, register a new application in Microsoft Entra ID and add a client secret as described in [Create an Azure Modeling and Simulation Workbench](/azure/modeling-simulation-workbench/quickstart-create-portal#add-a-client-secret). Registering your application establishes a trust relationship between the Modeling and Simulation Workbench remote desktop authentication and the Microsoft identity platform. Creating a client secret allows the Modeling and Simulation Workbench to redirect Microsoft Entra sign-in requests directly to your organization's Microsoft Entra ID and enables a single sign-on experience for onboarded users.

+## Client secret lifetime

+The client secret lifetime is typically set to 12 months. If the workbenchΓÇÖs lifetime extends beyond the secretΓÇÖs lifespan, the app secrets will expire resulting in users losing access to the chambers. Expired client secrets disrupt remote authentication, causing a blue screen.

+To address an expired client secret, you need to create a new secret by following steps outlined in [Create an application in Microsoft Entra ID](/azure/modeling-simulation-workbench/quickstart-create-portal#create-an-application-in-microsoft-entra-id). After creating a new secret, you need to update the Modeling and Simulation Workbench with that new client secret URL.

+## Update the client secret URL

+On the Azure portal workbench resource page, you can update the authentication URLs for the new client secrets linked to the original app registration.

+1. In the Azure portal, navigate to the Modeling and Simulation Workbenches (preview) page.

+1. Select **Auth URL**.

+ 

+1. Enter in the new client secret URL.

+ 

+These actions can only be performed by the Workbench Owner, and allow rotation of Client ID/secrets on deployed workbenches prior to expiration, which ensures business continuity for the engineering team.

+> [!NOTE]

+> Please restart the connector before attempting to make a remote connection with the updated authentication URLs

+description: Learn how to get support for Modeling and Simulation Workbench deployment.

+description: Learn how to troubleshoot issues with an Azure Modeling and Simulation Workbench.

+- Review the [Create an application in Microsoft Entra ID](./quickstart-create-portal.md#create-an-application-in-microsoft-entra-id) article to verify your application registration is set up correctly.

+- Review the redirect URI registrations for the specific chamber and confirm the connector's redirects match those found with the application. If they don't match, re[register the redirect URIs](./how-to-guide-add-redirect-uris.md).

+1. Ensure the user has a valid email set for their Microsoft Entra profile, and that their Microsoft Entra alias matches their email alias. For example, a Microsoft Entra sign-in alias of *jane.doe* must also have an email alias of *jane.doe*. Jane Doe can't sign in to Microsoft Entra ID with jadoe or any other variation.

+1. Validate your `/mount/sharehome` folder has available space. The`/mount/sharedhome` directory is set up to store user keys to establish a secure connection. Don't store uploaded tarballs/binaries in this folder or install tools and use disk capacity, as it may create system connection errors causing an outage. Use /mount/chamberstorages/\<storage name\> directory instead for all your data storage and tool installation needs.

+ Title: "Shared storage: Azure Modeling and Simulation Workbench"

+To enable cross team and/or cross-organization collaboration in a secure manner within the workbench, a shared storage resource allows for selective data sharing between collaborating parties. It's an Azure NetApp Files based storage volume and is available to deploy in multiples of 4 TBs. Workbench owners can create multiple shared storage instances on demand and dynamically link them to existing chambers to facilitate secure collaboration.

+ Title: Relocate an Azure NetApp Files volume to another region

+# Relocate an Azure NetApp Files volume to another region

+Before you begin the relocation planning stage, review the following prerequisites:

+- The target NetApp account should already be created.

+ - [Microsoft Entra ID](../azure-netapp-files/understand-guidelines-active-directory-domain-service-site.md)

+Before you begin the relocation process, complete the following preparations:

+- The network configurations (including separate subnets if needed and IP ranges) should already be planned and prepared.

+- Disable replication to the disaster recovery region. If you've established a disaster recovery (DR) solution using replication to a DR region, turn off replication to the DR site before initiating relocation procedures.

+Once the replication is complete, you can safely delete the replication peering the source volume.

+[Operator Nexus Owner Role (Preview)](#operator-nexus-owner-role-preview)

+| Microsoft.NetworkCloud/clusters/bmcKeySets/delete | Delete a baseboard management controller key set of the provided cluster |

+### Operator Nexus Owner Role (Preview)

+The user with this role has access to perform all actions on any Microsoft.NetworkCloud resource within the scope assignment.

+| Actions | Description |

+|--||

+| Microsoft.NetworkCloud/* | Perform any action on a Microsoft.NetworkCloud resource |

+> Disruptive command requests against a Kubernetes Control Plane (KCP) node are rejected if there is another disruptive action command already running against another KCP node or if the full KCP is not available. This check is done to maintain the integrity of the Nexus instance and ensure multiple KCP nodes don't become non-operational at once due to simultaneous disruptive actions. If multiple nodes become non-operational, it will break the healthy quorum threshold of the Kubernetes Control Plane.

+ Title: "Azure Operator Nexus: Running bare metal actions directly with nexusctl"

+description: Learn how to bypass Azure and run bare metal actions directly in an emergency using nexusctl.

+# Run emergency bare metal actions outside of Azure using nexusctl

+This article describes the `nexusctl` utility, which can be used in break-glass (emergency) situations to

+run simple actions on bare metal machines without using the Azure console or command-line interface (CLI).

+> [!CAUTION]

+> Do not perform any action against management servers without first consulting with Microsoft support personnel. Doing so could affect the integrity of the Operator Nexus Cluster.

+> [!IMPORTANT]

+> Disruptive command requests against a Kubernetes Control Plane (KCP) node are rejected if there is another disruptive action command already running against another KCP node or if the full KCP is not available. This check is done to maintain the integrity of the Nexus instance and ensure multiple KCP nodes don't become non-operational at once due to simultaneous disruptive actions. If multiple nodes become non-operational, it will break the healthy quorum threshold of the Kubernetes Control Plane.

+>

+> Powering off a KCP node is the only nexusctl action considered disruptive in the context of this check.

+## Prerequisites

+- A [BareMetalMachineKeySet](./howto-baremetal-bmm-ssh.md) must be available to allow ssh access to the bare metal machines. The user must have superuser privilege level.

+- The platform Kubernetes must be up and running on site.

+## Overview

+`nexusctl` is a stand-alone program that can be run using `nc-toolbox` from an `ssh` session on any control-plane or management-plane node. Since `nexusctl` is contained in the `nc-toolbox-breakglass` container image and isn't installed directly on the host, it must be run with a command-line like:

+```

+sudo nc-toolbox nc-toolbox-breakglass nexusctl <command> [subcommand] [options]

+```

+(`nc-toolbox` must always be run as root or with `sudo`.)

+Like most other command-line programs, the `--help` option can be used with any command or subcommand to see more information:

+```

+sudo nc-toolbox nc-toolbox-breakglass nexusctl --help

+sudo nc-toolbox nc-toolbox-breakglass nexusctl baremetal --help

+sudo nc-toolbox nc-toolbox-breakglass nexusctl baremetal power-off --help

+```

+etc.

+> [!NOTE]

+>

+> > There is no bulk execution against multiple machines. Commands are executed on a machine by machine basis.

+## Power off a bare metal machine

+A single bare metal machine can be powered off by connecting to a control-plane or management-plane node via ssh and running the command:

+```

+sudo nc-toolbox nc-toolbox-breakglass nexusctl baremetal power-off --name <machine name>

+```

+If the command is accepted, `nexusctl` responds with another command line that can be used to view the status of the long-running operation. Prefix this command with `sudo nc-toolbox nc-toolbox-breakglass`, as follows:

+```

+sudo nc-toolbox nc-toolbox-breakglass nexusctl baremetal power-off --status --name <machine name> --operation-id <operation-id>

+```

+The status is blank until the operation completes and reaches either a "succeeded" or "failed" state. While it's blank, assume that the operation is still in progress.

+## Start a bare metal machine

+A single bare metal machine can be started by connecting to a control-plane or management-plane node via ssh and running the command:

+```

+sudo nc-toolbox nc-toolbox-breakglass nexusctl baremetal start --name <machine name>

+```

+If the command is accepted, `nexusctl` responds with another command line that can be used to view the status of the long-running operation. Prefix this command with `sudo nc-toolbox nc-toolbox-breakglass`, as follows:

+```

+sudo nc-toolbox nc-toolbox-breakglass nexusctl baremetal start --status --name <machine name> --operation-id <operation-id>

+```

+The status is blank until the operation completes and reaches either a "succeeded" or "failed" state. While it's blank, assume that the operation is still in progress.

+## Unmanage a bare metal machine (set to unmanaged state)

+A single bare metal machine can be switched to an unmanaged state by connecting to a control-plane or management-plane node via ssh and running the command:

+```

+sudo nc-toolbox nc-toolbox-breakglass nexusctl baremetal unmanage --name <machine name>

+```

+While in an unmanaged state, no actions are permitted for that machine, except for returning it to a managed state (see next section). This function can be used to keep a bare metal machine powered off if it's in a rebooting crash loop.

+`unmanage` isn't a long-running command, so there's no associated command to check operation status.

+## Manage a bare metal machine (set to managed state)

+A single bare metal machine can be switched to a managed state by connecting to a control-plane or management-plane node via ssh and running the command:

+```

+sudo nc-toolbox nc-toolbox-breakglass nexusctl baremetal manage --name <machine name>

+```

+`manage` isn't a long-running command, so there's no associated command to check operation status.

+connectedk8s 1.9.2

+managednetworkfabric 6.4.0

+ssh 2.0.5

+ Title: Get started with Azure Operator Service Manager Private Link

+description: Secure backhaul connectivity of on-premises artifact store hosted on Azure Operator Nexus

+# Get started with private link

+## Overview

+This guide describes the Azure Operator Service Manager (AOSM) private link (PL) feature for artifact stores hosted on Azure Operator Nexus. As part of the AOSM edge registry initiative, PL uses Azure private endpoints, and Azure private link service, to securely backhaul Nexus on-premises artifact store traffic. This traffic is never exposed to the internet, instead exclusively traversing Microsoft's private network.

+## Introduction

+This document provides a quick start guide to enable private link feature for AOSM artifact store using AOSM Publisher APIs.

+### Required permissions

+The operations required to link and manage a private endpoint with a Nexus fabric controller (NFC) requires the following nondefault role privileges.

+#### Permissions for linking and managing manual private endpoint

+Remove private endpoint

+```

+"Microsoft.HybridNetwork/publishers/artifactStores/removePrivateEndPoints/action"

+```

+Approve private endpoint

+```

+"Microsoft.HybridNetwork/publishers/artifactStores/approvePrivateEndPoints/action"

+```

+#### Permissions for linking and managing a private endpoint with NFC

+Add NFC private endpoints

+```

+"Microsoft.HybridNetwork/publishers/artifactStores/addNetworkFabricControllerEndPoints/action"

+"Microsoft.ManagedNetworkFabric/networkFabricControllers/joinartifactstore/action"

+```

+List NFC private endpoints

+```

+"Microsoft.HybridNetwork/publishers/artifactStores/listNetworkFabricControllerPrivateEndPoints/action"

+```

+Delete NFC private endpoints

+```

+"Microsoft.HybridNetwork/publishers/artifactStores/deleteNetworkFabricControllerEndPoints/action"

+"Microsoft.ManagedNetworkFabric/networkFabricControllers/disjoinartifactstore/action"

+```

+> [!NOTE]

+> As new NFC permissions are introduced, the recommended role privileges will be updated.

+## Use AOSM APIs to set up private link

+Before resources can be uploaded securely, the following sequence of operations establishes a PL connection to the artifact store.

+### Create publisher and artifact store

+* Create a new publisher resource with identity type set to 'SystemAssigned.'

+ - If the publisher was already created without this property, use a reput operation to update.

+* Use the new property 'backingResourcePublicNetworkAcccess' to disable artifact store public access.

+ - The property is first added in the 2024-04-15 version.

+ - If the ArtifactResource was already created without this property, use a reput operation to update.

+#### Sample publisher bicep script

+```

+param location string = resourceGroup().location

+param publisherName string

+param acrArtifactStoreName string

+/* AOSM publisher resource creation

+*/

+var publisherNameWithLocation = concat(publisherName, uniqueString(resourceGroup().id))

+resource publisher 'Microsoft.HybridNetwork/publishers@2023-09-01' = {

+ name: publisherNameWithLocation

+ location: location

+identity: {

+ type: 'SystemAssigned'

+ }

+ properties: {

+ scope: 'Private'

+ }

+}

+/* AOSM artifact store resource creation

+*/

+resource acrArtifactStore 'Microsoft.HybridNetwork/publishers/artifactStores@2024-04-15' = {

+ parent: publisher

+ name: acrArtifactStoreName

+ location: location

+ properties: {

+ storeType: 'AzureContainerRegistry'

+ backingResourcePublicNetworkAccess: 'Disabled'

+ }

+

+}

+```

+## Manual endpoint operations

+The following operations enable manual management of an artifact store once the PL is established.

+### Manage private endpoint access

+By default, when the artifact store is connected to the vnet, the user doesn't have permissions to the ACR, so the private endpoint winds up in a pending state. The following Azure rest commands and payload enable a user to approve, reject and/or list these endpoints.

+> [!NOTE]

+> In this workflow, the vnet is managed by the customer.

+>

+#### Sample JSON payload:

+```

+{

+ "manualPrivateEndPointConnections": [

+ {

+ "id":"/subscriptions/<subscriptionId>/resourceGroups/<ResourceGroup>/providers/Microsoft.Network/privateEndpoints/peName"

+ }

+ ]

+ }

+```

+#### Sample private endpoint commands

+```

+# approve private endpoints

+az rest --method post --url https://management.azure.com/subscriptions/<Subscription>/resourceGroups/<ResourceGroup>/providers/Microsoft.HybridNetwork/publishers/<Publisher>/artifactStores/<ArtifactStore>/approveprivateendpoints?api-version=2024-04-15 --body '{ \"manualPrivateEndPointConnections\" : [ { \"id\" : \"/subscriptions/<Subscription>/resourceGroups/<ResourceGroup>/providers/Microsoft.Network/privateEndpoints/peName\" } ] }'

+```

+```

+# remove private endpoints

+az rest --method post --url https://management.azure.com/subscriptions/<Subscription>/resourceGroups/<ResourceGroup>/providers/Microsoft.HybridNetwork/publishers/<Publisher>/artifactStores/<ArtifactStore>/removeprivateendpoints?api-version=2024-04-15 --body '{ \"manualPrivateEndPointConnections\" : [ { \"id\" : \"/subscriptions/<Subscription>/resourceGroups/<ReourceGroup>/providers/Microsoft.Network/privateEndpoints/peName\" } ] }'

+```

+```

+# list private endpoints

+az rest --method post --url https://management.azure.com/subscriptions/<Subscription>resourceGroups/<ResourceGroup>/providers/Microsoft.HybridNetwork/publishers/<Publisher>/artifactStores/<artifactStore>/listPrivateEndPoints?api-version=2024-04-15 --body '{}'

+```

+### Add private endpoints to NFC

+The following Azure rest commands enable a user to create, remove, and/or list the association between private endpoint, ACR, and the Nexus managed vnets.

+#### Sample private endpoint commands

+```

+# add nfc private endpoints

+az rest --method post --url https://management.azure.com/subscriptions/<Subscription>/resourceGroups/<ResourceGroup>/providers/Microsoft.HybridNetwork/publishers/<Publisher>/artifactStores/<artifactStore>/addnetworkfabriccontrollerendpoints?apiversion=2024-04-15 --body '{ \"networkFabricControllerIds\":[{\"id\": \"/subscriptions/<Subscription>/resourceGroups/op2lab-nfc-useop1/providers/Microsoft.ManagedNetworkFabric/networkFabricControllers/op2labnfc01\"}] }'

+```

+```

+# list nfc private endpoints

+az rest --method post --url https://management.azure.com/subscriptions/<Subscription>/resourceGroups/<ResourceGroup>/providers/Microsoft.HybridNetwork/publishers/<Publisher>/artifactStores/<artifactStore>/listnetworkfabriccontrollerprivateendpoints?apiversion=2024-04-15 --body '{}'

+```

+```

+# delete nfc private endpoints

+az rest --method post --url https://management.azure.com/subscriptions/<Subscription>/resourceGroups/<ResourceGroup>/providers/Microsoft.HybridNetwork/publishers/<publisher>/artifactStores/<artifactStore>/deletenetworkfabriccontrollerendpoints?api-version=2024-04-15 --body '{ \"networkFabricControllerIds\":[{\"id\": \"/subscriptions/<Subscription>/resourceGroups/op2lab-nfc-useop1/providers/Microsoft.ManagedNetworkFabric/networkFabricControllers/op2labnfc01\"}] }'

+```

+### Testing APIs

+We recommend testing your components with an API testing tool like one of the following:

+Use an [API testing tool](#testing-apis) to call the data connector definitions API to create the data connector UI in order to validate it in the data connectors gallery.

+Use an [API testing tool](#testing-apis) to call the data connector API to create the data connector which combines the connection rules and previous components. Verify the connector is now connected in the UI.

+To create this DCR in a test environment, follow the [Data Collection Rules API](/rest/api/monitor/data-collection-rules/create). Elements of the example in `{{double curly braces}}` indicate variables that require values for ease of use with an [API testing tool](#testing-apis). When you create this resource in the ARM template, the variables expressed here are exchanged for parameters.

+### Does Site Recovery work with reserved instances?

+Yes, you can purchase [reserved Azure virtual machines](https://azure.microsoft.com/pricing/reserved-vm-instances/) in the disaster recovery region, and Site Recovery failover operations use them. No additional configuration is needed.

+### Does Site Recovery work with reserved instances?

+Yes, you can purchase [reserved Azure virtual machines](https://azure.microsoft.com/pricing/reserved-vm-instances/) in the disaster recovery region, and Site Recovery failover operations use them. No additional configuration is needed.

+#### [Azure portal](#tab/azure-portal-1)

+#### [Azure CLI](#tab/Azure-CLI-1)

+You can use log streaming in the Azure CLI with the following command:

+#### [Azure portal](#tab/azure-portal)

+#### [Azure CLI](#tab/Azure-CLI)

+You can use log streaming in the Azure CLI with the following command:

+Use the following steps to get the logs using the Azure Toolkit for IntelliJ:

+* Use Azure Log Analytics. There's a delay when exporting logs to Log Analytics.

+1. Enter a name for the setting, and then choose where you want to send the logs. You can select any combination of the following options:

+ * **Archive to a storage account**

+ * **Stream to an event hub**

+ * **Send to Log Analytics**

+ * **Send to partner solution**

+### Use the Logs pane

+1. In the **Tables** search box, use one of the following queries:

+ * To view logs, enter a query such as the following example:

+ ```kusto

+ AppPlatformLogsforSpring

+ | limit 50

+ ```

+ * To view metrics, enter a query such as the following example:

+ ```kusto

+ AzureMetrics

+ | limit 50

+ ```

+1. In the **Tables** search box, use one of the following queries:

+ * To view logs, enter a query such as the following example:

+ ```kusto

+ AppPlatformLogsforSpring

+ | limit 50

+ ```

+ * To view metrics, enter a query such as the following example:

+ ```kusto

+ AzureMetrics

+ | limit 50

+ ```

+1. You can search the logs of the specific application or instance by setting a filter condition, as shown in the following example:

+ ```kusto

+ AppPlatformLogsforSpring

+ | where ServiceName == "YourServiceName" and AppName == "YourAppName" and InstanceName == "YourInstanceName"

+ | limit 50

+ ```

+ > [!NOTE]

+ > `==` is case sensitive, but `=~` is not.

+```kusto

+```kusto

+```kusto

+To review log entries generated by a specific host, run the following query:

+```kusto

+```kusto

+```kusto

+```kusto

+```kusto

+```kusto

+```kusto

+```kusto

+```kusto

+### Convenient entry points in Azure portal

+Use following steps to navigate to the **Log Analytics** pane with predefined queries:

+1. Go to the **Overview** page for your Azure Spring Apps service instance and then select **Apps** in the navigation pane.

+1. Find your target app and then select the context menu.

+1. In the pop-up context menu, select **View logs**.

+ :::image type="content" source="media/diagnostic-services/view-logs.png" alt-text="Screenshot of the Azure portal that shows the Apps page with the View logs context menu item highlighted." lightbox="media/diagnostic-services/view-logs.png":::

+ This action navigates you to the **Log Analytics** pane with predefined queries.

+There are other entry points to view logs. You can also find the **View logs** button for managed components such as Build Service and Service Registry.

+There's a workaround to convert your multi-line stack traces into a single line. You can modify the Java log output to reformat stack trace messages, replacing newline characters with a token. If you use Java Logback library, you can reformat stack trace messages by adding `%replace(%ex){'[\r\n]+', '\\n'}%nopex` as follows:

+You can then replace the token with newline characters in Log Analytics, as shown in the following example:

+```kusto

+You might be able to use the same strategy for other Java log libraries.

+This section shows you how to grant Azure Spring Apps the [User Access Administrator](../../role-based-access-control/built-in-roles.md#user-access-administrator) and [Network Contributor](../../role-based-access-control/built-in-roles.md#network-contributor) permissions on your virtual network. This permission enables you to grant a dedicated and dynamic service principal on the virtual network for further deployment and maintenance.

+1. Assign the `Network Contributor` and `User Access Administrator` roles to the Azure Spring Cloud Resource Provider. For more information, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.yml).

+ > [!NOTE]

+ > Role `User Access Administrator` is in the **Privileged administrator roles** and `Network Contributor` is in the **Job function roles**.

+ --role "User Access Administrator" \

+ --scope ${VIRTUAL_NETWORK_RESOURCE_ID} \

+ --assignee e8de9221-a19c-4c81-b814-fd37c6caf9d2

+az role assignment create \

+ --role "Network Contributor" \

+The route tables to which your custom virtual network is associated must meet the following requirements:

+* You can associate your Azure route tables with your virtual network only when you create a new Azure Spring Apps service instance. You can't change to use another route table after you create an Azure Spring Apps instance.

+* Permissions must be assigned before instance creation. Be sure to grant Azure Spring Cloud Resource Provider the `User Access Administrator` and `Network Contributor` permissions on your route tables.

+* [Troubleshooting Azure Spring Apps in virtual networks](troubleshooting-vnet.md)

+* [Customer responsibilities for Running Azure Spring Apps in a virtual network](vnet-customer-responsibilities.md)

+## Stream logs

+### [Azure portal](#tab/azure-portal)

+### [Azure CLI](#tab/azure-CLI)

+* Service permission granted to the virtual network. The Azure Spring Apps Resource Provider requires `User Access Administrator` and `Network Contributor` permissions to your virtual network in order to grant a dedicated and dynamic service principal on the virtual network for further deployment and maintenance. For instructions and more information, see the [Grant service permission to the virtual network](how-to-deploy-in-azure-virtual-network.md#grant-service-permission-to-the-virtual-network) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md).

+* Service permission granted to the virtual network. The Azure Spring Apps Resource Provider requires `User Access Administrator` and `Network Contributor` permissions to your virtual network in order to grant a dedicated and dynamic service principal on the virtual network for further deployment and maintenance. For instructions and more information, see the [Grant service permission to the virtual network](how-to-deploy-in-azure-virtual-network.md#grant-service-permission-to-the-virtual-network) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md).

+* Service permission granted to the virtual network. The Azure Spring Apps Resource Provider requires `User Access Administrator` and `Network Contributor` permissions to your virtual network in order to grant a dedicated and dynamic service principal on the virtual network for further deployment and maintenance. For instructions and more information, see the [Grant service permission to the virtual network](how-to-deploy-in-azure-virtual-network.md#grant-service-permission-to-the-virtual-network) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md).

+* Service permission granted to the virtual network. The Azure Spring Apps Resource Provider requires `User Access Administrator` and `Network Contributor` permissions to your virtual network in order to grant a dedicated and dynamic service principal on the virtual network for further deployment and maintenance. For instructions and more information, see the [Grant service permission to the virtual network](how-to-deploy-in-azure-virtual-network.md#grant-service-permission-to-the-virtual-network) section of [Deploy Azure Spring Apps in a virtual network](how-to-deploy-in-azure-virtual-network.md).

+- Version-level WORM policy: A time-based retention policy can be configured at the account, container, or version level. If it's configured at the account or container level, it will be inherited by all blobs in the respective account or container. If there is a legal hold on a container, Version-level WORM cannot be created for the same container. This is because the versions can't generated due to the legal hold.

+1. If you've created alert rules that are based on classic storage metrics, then [create alert rules](../../azure-monitor/alerts/alerts-overview.md) that are based on metrics in Azure Monitor.

+* <a id="afs-avrecalls"></a>

+ **Why is the anti virus software on the AFS server recalling tiered files?**

+ When users access tiered files, some anti-virus (AV) software may cause unintended file recalls. This occurs if the AV software is not configured to ignore tiered files (those with the RECALL_ON_DATA_ACCESS attribute).

+ Here's what happens:

+ 1. A user attempts to access a tiered file.

+ 2. The AV software blocks the read handle.

+ 3. The AV application then performs its own read to scan the file for viruses.

+

+ This process may appear as if the AV software is recalling the tiered files, but it's actually triggered by the user's access attempt. To prevent this issue, ensure that your AV vendor configures their software to ignore scanning tiered files with the RECALL_ON_DATA_ACCESS attribute.

+* <a id="afs-networkconnect"></a>

+ **Can SSL inspection software block access to AFS Servers?**

+ Make sure your SSL inspection software (such as Zscaler or FortiGate) allows Azure File Sync (AFS) server endpoints to access Azure. These SSL inspection tools can override firewall settings and selectively allow traffic. Contact your network administrator to resolve this issue. Use the "testnet" command to determine if your AFS server is experiencing this problem.

+

+1. [To Sign a file, Invoke SignTool](#use-signtool-to-sign-a-file).

+1. Install SignTool from the Windows SDK (minimum version: 10.0.2261.755, 20348 Windows SDK version isn't supported with our dlib).

+1. Extract the Trusted Signing dlib zipped content and install it on your signing node in your choice of directory. The node must be the node where you use SignTool to sign files.

+### Authentication

+This Task performs authentication using [DefaultAzureCredential](https://learn.microsoft.com/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet), which attempts a series of authentication methods in order. If one method fails, it attempts the next one until authentication is successful.

+Each authentication method can be disabled individually to avoid unnecessary attempts.

+For example, when authenticating with [EnvironmentCredential](https://learn.microsoft.com/dotnet/api/azure.identity.environmentcredential?view=azure-dotnet) specifically, disable the other credentials with the following inputs:

+ExcludeEnvironmentCredential: false

+ExcludeManagedIdentityCredential: true

+ExcludeSharedTokenCacheCredential: true

+ExcludeVisualStudioCredential: true

+ExcludeVisualStudioCodeCredential: true

+ExcludeAzureCliCredential: true

+ExcludeAzurePowershellCredential: true

+ExcludeInteractiveBrowserCredential: true

+Similarly, if using for example an [AzureCliCredential](https://learn.microsoft.com/dotnet/api/azure.identity.azureclicredential?view=azure-dotnet) , then we want to skip over attempting to authenticate with the several methods that come before it in order.

+ - Ensure to execute the [script](https://github.com/azureautomation/Post-Migration-from-Azure-Automation-Update-Management-to-Azure-Update-Manager-Preqrequisite-Cleanup/blob/main/MigrationPrerequisitesCleanup.ps1) that will do the following:

+ - Delete the automation account variable `AzureAutomationAccountEnvironment` created for migration.

+ - Remove the user-managed identity created for migration from the automation account.

+ - Delete the assigned roles for the user-managed identity created for migration.

+ - Delete the user-managed identity created for migration.

+ - To run the above script, you must have Microsoft.Authorization/roleAssignments/write permissions on all the subscriptions that contain Automation Update Management resources such as machines, schedules, log analytics workspace, and automation account. For more information, see [how to assign an Azure role](../role-based-access-control/role-assignments-rest.md).

+ - The script should be executed in the same manner as the [Prerequisite](migration-using-runbook-scripts.md#prerequisite-2-create-user-identity-and-role-assignments-by-running-powershell-script) script.

+We update documentation for Azure Virtual Desktop regularly. In this article, we highlight articles for new features and where there are significant updates to existing articles. To learn what's new in the service, see [What's new for Azure Virtual Desktop](whats-new.md).

+## August 2024

+In August 2024, we made the following changes to the documentation:

+- Published a new set of documentation to learn about peripheral and resource redirection and how to configure different classes of redirection:

+ - [Peripheral and resource redirection over the Remote Desktop Protocol](redirection-remote-desktop-protocol.md)

+ - [Configure audio and video redirection over the Remote Desktop Protocol](redirection-configure-audio-video.md).

+ - [Configure camera, webcam, and video capture redirection over the Remote Desktop Protocol](redirection-configure-camera-webcam-video-capture.md).

+ - [Configure clipboard redirection over the Remote Desktop Protocol](redirection-configure-clipboard.md).

+ - [Configure fixed, removable, and network drive redirection over the Remote Desktop Protocol](redirection-configure-drives-storage.md).

+ - [Configure location redirection over the Remote Desktop Protocol](redirection-configure-location.md).

+ - [Configure Media Transfer Protocol and Picture Transfer Protocol redirection on Windows over the Remote Desktop Protocol](redirection-configure-plug-play-mtp-ptp.md).

+ - [Configure printer redirection over the Remote Desktop Protocol](redirection-configure-printers.md).

+ - [Configure serial or COM port redirection over the Remote Desktop Protocol](redirection-configure-serial-com-ports.md).

+ - [Configure smart card redirection over the Remote Desktop Protocol](redirection-configure-smart-cards.md).

+ - [Configure USB redirection on Windows over the Remote Desktop Protocol](redirection-configure-usb.md).

+ - [Configure WebAuthn redirection over the Remote Desktop Protocol](redirection-configure-webauthn.md).

+- Updated [Set custom Remote Desktop Protocol (RDP) properties on a host pool in Azure Virtual Desktop](customize-rdp-properties.md) to include rewritten steps for Azure PowerShell and added steps for Azure CLI.

+- Updated [Use Microsoft Teams on Azure Virtual Desktop](teams-on-avd.md) to include information on how to publish new Teams as a RemoteApp.

+- Published a new article for [Azure Virtual Desktop on Azure Extended Zones](azure-extended-zones.md).

+- Published a new article to [Configure the session lock behavior for Azure Virtual Desktop](configure-session-lock-behavior.md) and updated [Configure single sign-on for Azure Virtual Desktop using Microsoft Entra ID](configure-single-sign-on.md) to include the relevant information.

+- Published a new article to [Onboard Azure Virtual Desktop session hosts to forensic evidence from Microsoft Purview Insider Risk Management](purview-forensic-evidence.md).

+- Updated [Configure the clipboard transfer direction and data types that can be copied in Azure Virtual Desktop](clipboard-transfer-direction-data-types.md?tabs=intune) to include the steps for using the Microsoft Intune settings catalog.

+## Check BGP learned route

+Check BGP learned route in a hub.

+## <a name="entra-expired"></a>VPN client error: Your authentication with Microsoft Entra expired

+If you're using Microsoft Entra ID authentication, you might encounter one of the following errors:

+**Your authentication with Microsoft Entra is expired. You need to re-authenticate in Entra to acquire a new token. Authentication timeout can be tuned by your administrator.**

+or