+> In an API Management [workspace](workspaces-overview.md), a workspace owner can independently integrate Application Insights and enable Application Insights logging for the workspace's APIs. The general guidance to integrate a workspace with Application Insights is similar to the guidance for an API Management instance; however, configuration is scoped to the workspace only. Currently, you must integrate Application Insights in a workspace by configuring a connection string (recommended) or an instrumentation key.

+* If you plan to configure managed identity credentials to use with Application Insights, complete the following steps:

+ 1. Enable a system-assigned or user-assigned [managed identity for API Management](api-management-howto-use-managed-service-identity.md).

+1. First, create a connection between Application Insights and API Management

+ > Currently, in the portal, API Management only supports connections to Application Insights using an Application Insights instrumentation key. For enhanced security, we recommend using an Application Insights connection string with an API Management managed identity. To configure connection string with managed identity credentials, use the [REST API](#create-a-connection-using-the-rest-api-bicep-or-arm-template) or related tools as shown in a later section of this article. [Learn more](../azure-monitor/app/sdk-connection-string.md) about Application Insights connection strings.

+ > [!NOTE]

+ > If your Application Insights resource is in a different tenant, then you must create the logger using the [REST API](#create-a-connection-using-the-rest-api-bicep-or-arm-template) or related tools as shown in a later section of this article.

+1. Second, enable Application Insights logging for your API or APIs.

+> [!NOTE]

+> Where possible, Microsoft recommends using connection string with managed identity credentials for enhanced security. To configure these credentials, use the [REST API](#create-a-connection-using-the-rest-api-bicep-or-arm-template) or related tools as shown in a later section of this article.

+Follow these steps to use the REST API, Bicep, or ARM template to create an Application Insights logger for your API Management instance. You can configure a logger that uses connection string with managed identity credentials (recommended), or a logger that uses only a connection string.

+### Logger with connection string with managed identity credentials (recommended)

+See the [prerequisites](#prerequisites) for using an API Management managed identity.

+#### Connection string with system-assigned managed identity

+ "description": "Application Insights logger with system-assigned managed identity",

+ "connectionString":"InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://xxxx.applicationinsights.azure.com/;...",

+ "identityClientId":"SystemAssigned"

+ description: 'Application Insights logger with system-assigned managed identity'

+ identityClientId: 'systemAssigned'

+ "description": "Application Insights logger with system-assigned managed identity",

+ "connectionString": "InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://xxxx.applicationinsights.azure.com/;...",

+ "identityClientId": "SystemAssigned"

+ }

+#### Connection string with user-assigned managed identity

+ "description": "Application Insights logger with user-assigned managed identity",

+ "identityClientId":"<ClientID>"

+Include a snippet similar the following in your Bicep template.

+resource aiLoggerWithUserAssignedIdentity 'Microsoft.ApiManagement/service/loggers@2022-08-01' = {

+ description: 'Application Insights logger with user-assigned managed identity'

+ identityClientId: '<ClientID>'

+ "description": "Application Insights logger with user-assigned managed identity",

+ "identityClientId": "<ClientID>"

+### Logger with connection string credentials only

+The Application Insights connection string appears in the **Overview** section of your Application Insights resource.

+If you are configuring the logger for a workspace, use the [Workspace Logger - Create or Update](/rest/api/apimanagement/workspace-logger/create-or-update?view=rest-apimanagement-2023-09-01-preview&preserve-view=true) REST API.

+ "description": "Application Insights logger with connection string",

+ "connectionString":"InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://xxxx.applicationinsights.azure.com/;..."

+Include a snippet similar to the following in your Bicep template.

+If you are configuring the logger for a workspace, create a `Microsoft.ApiManagement/service.workspace/loggers@2023-09-01-preview` resource instead.

+resource aiLoggerWithSystemAssignedIdentity 'Microsoft.ApiManagement/service/loggers@2022-08-01' = {

+ description: 'Application Insights logger with connection string'

+If you are configuring the logger for a workspace, create a `Microsoft.ApiManagement/service.workspace/loggers` resource and set `apiVersion` to `2023-09-01-preview` instead.

+ "description": "Application Insights logger with connection string",

+ "connectionString": "InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://xxxx.applicationinsights.azure.com/;..."

+ },

+You can emit [custom metrics](../azure-monitor/essentials/metrics-custom-overview.md) to Application Insights from your API Management instance. API Management emits custom metrics using policies such as [emit-metric](emit-metric-policy.md) and [azure-openai-emit-token-metric](azure-openai-emit-token-metric-policy.md). The following section uses the `emit-metric` policy as an example.

+Azure Monitor imposes [usage limits](../azure-monitor/essentials/metrics-custom-overview.md#quotas-and-limits) for custom metrics that may affect your ability to emit metrics from API Management. For example, Azure Monitor currently sets a limit of 10 dimension keys per metric, and a limit of 50,000 total active time series per region in a subscription (within a 12 hour period).

+* A managed identity for your API Management instance (recommended)

+> [!NOTE]

+> Where possible, Microsoft recommends using managed identity credentials for enhanced security.

+### Option 1: Configure API Management managed identity

+### Option 2: Configure Event Hubs connection string

+To create an Event Hubs connection string, see [Get an Event Hubs connection string](../event-hubs/event-hubs-get-connection-string.md).

+* You can use a connection string for the Event Hubs namespace or for the specific event hub you use for logging from API Management.

+* The shared access policy for the connection string must enable at least **Send** permissions.

+### Option 1: Logger with managed identity credentials (recommended)

+You can configure an API Management logger to an event hub using either system-assigned or user-assigned managed identity credentials.

+### Logger with system-assigned managed identity credentials

+For prerequisites, see [Configure API Management managed identity](#option-1-configure-api-management-managed-identity).

+#### [REST API](#tab/PowerShell)

+Use the API Management [Logger - Create or Update](/rest/api/apimanagement/current-preview/logger/create-or-update) REST API with the following request body.

+```JSON

+{

+ "properties": {

+ "loggerType": "azureEventHub",

+ "description": "Event Hub logger with system-assigned managed identity",

+ "credentials": {

+ "endpointAddress":"<EventHubsNamespace>.servicebus.windows.net",

+ "identityClientId":"SystemAssigned",

+ "name":"<EventHubName>"

+ }

+ }

+}

+resource ehLoggerWithSystemAssignedIdentity 'Microsoft.ApiManagement/service/loggers@2022-08-01' = {

+ description: 'Event hub logger with system-assigned managed identity'

+ endpointAddress: '<EventHubsNamespace>.servicebus.windows.net'

+ identityClientId: 'systemAssigned'

+ name: '<EventHubName>'

+ "apiVersion": "2022-08-01",

+ "description": "Event Hub logger with system-assigned managed identity",

+ "resourceId": "<EventHubsResourceID>",

+ "endpointAddress": "<EventHubsNamespace>.servicebus.windows.net",

+ "identityClientId": "SystemAssigned",

+ "name": "<EventHubName>"

+#### Logger with user-assigned managed identity credentials

+For prerequisites, see [Configure API Management managed identity](#option-1-configure-api-management-managed-identity).

+Use the API Management [Logger - Create or Update](/rest/api/apimanagement/current-preview/logger/create-or-update) REST API with the following request body.

+ "description": "Event Hub logger with user-assigned managed identity",

+ "identityClientId":"<ClientID>",

+resource ehLoggerWithUserAssignedIdentity 'Microsoft.ApiManagement/service/loggers@2022-08-01' = {

+ description: 'Event Hub logger with user-assigned managed identity'

+ identityClientId: '<ClientID>'

+ "apiVersion": "2022-08-01",

+ "description": "Event Hub logger with user-assigned managed identity",

+ "identityClientId": "<ClientID>",

+### Option 2. Logger with connection string credentials

+For prerequisites, see [Configure Event Hubs connection string](#option-2-configure-event-hubs-connection-string).

+> [!NOTE]

+> Where possible, Microsoft recommends configuring the logger with managed identity credentials. See [Configure logger with managed identity credentials](#option-1-logger-with-managed-identity-credentials-recommended), earlier in this article.

+#### [PowerShell](#tab/PowerShell)

+The following example uses the [New-AzApiManagementLogger](/powershell/module/az.apimanagement/new-azapimanagementlogger) cmdlet to create a logger to an event hub by configuring a connection string.

+```powershell

+# API Management service-specific details

+$apimServiceName = "apim-hello-world"

+$resourceGroupName = "myResourceGroup"

+# Create logger

+$context = New-AzApiManagementContext -ResourceGroupName $resourceGroupName -ServiceName $apimServiceName

+New-AzApiManagementLogger -Context $context -LoggerId "ContosoLogger1" -Name "ApimEventHub" -ConnectionString "Endpoint=sb://<EventHubsNamespace>.servicebus.windows.net/;SharedAccessKeyName=<KeyName>;SharedAccessKey=<key>" -Description "Event hub logger with connection string"

+Include a snippet similar to the following in your Bicep template.

+resource ehLoggerWithConnectionString 'Microsoft.ApiManagement/service/loggers@2022-08-01' = {

+ description: 'Event Hub logger with connection string credentials'

+ connectionString: 'Endpoint=sb://<EventHubsNamespace>.servicebus.windows.net/;SharedAccessKeyName=<KeyName>;SharedAccessKey=<key>'

+ name: 'ApimEventHub'

+ "apiVersion": "2022-08-01",

+ "description": "Event Hub logger with connection string credentials",

+ "resourceId": "<EventHubsResourceID>"

+ "connectionString": "Endpoint=sb://<EventHubsNamespace>/;SharedAccessKeyName=<KeyName>;SharedAccessKey=<key>",

+ "name": "ApimEventHub"

+1. Select the **GetSpeakers** operation. Select **Send** four times in a row.

+ After sending the request four times, you get the **429 Too Many Requests** response.

+* An Azure account with an active subscription. If you don't have an Azure account, you [can create one for free](https://azure.microsoft.com/free/java).

+* [Azure Developer CLI](/azure/developer/azure-developer-cli/install-azd) installed. You can follow the steps with the [Azure Cloud Shell](https://shell.azure.com) because it already has Azure Developer CLI installed.

+* Knowledge of ASP.NET Core development.

+* **(Optional)** To try GitHub Copilot, a [GitHub Copilot account](https://docs.github.com/copilot/using-github-copilot/using-github-copilot-code-suggestions-in-your-editor). A 30-day free trial is available.

+## Skip to the end

+* The **Name** for the web app. It's used as part of the DNS name for your app in the form of `https://<app-name>-<hash>.<region>.azurewebsites.net`.

+* The **Region** to run the app physically in the world. It's also used as part of the DNS name for your app.

+ - **Private endpoints**: Access endpoints for the key vault, the database server, and the Redis cache in the virtual network.

+ - **Key vault**: Accessible only from behind its private endpoint. Used to manage secrets for the App Service app.

+ - **Private DNS zones**: Enable DNS resolution of the key vault, the database server, and the Redis cache in the virtual network.

+## 3. Secure connection secrets

+The creation wizard generated the connectivity string for you already as [.NET connection strings](configure-common.md#configure-connection-strings) and [app settings](configure-common.md#configure-app-settings). However, the security best practice is to keep secrets out of App Service completely. You'll move your secrets to key vault and change your app setting to [Key Vault references](app-service-key-vault-references.md) with the help of Service Connectors.

+ **Step 1:** In the App Service page,

+ 1. In the left menu, select **Settings > Environment variables > Connection strings**.

+ 1. Select **AZURE_SQL_CONNECTIONSTRING**.

+ 1. In **Add/Edit connection string**, in the **Value** field, find the *Password=* part at the end of the string.

+ 1. Copy the password string after *Password=* for use later.

+ This connection string lets you connect to the SQL database secured behind a private endpoint. The password is saved directly in the App Service app, which isn't the best. Likewise, the Redis cache connection string in the **App settings** tab contains a secret. You'll change this.

+ :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/azure-portal-secure-connection-secrets-1.png" alt-text="A screenshot showing how to see the value of an app setting." lightbox="./media/tutorial-dotnetcore-sqldb-app/azure-portal-secure-connection-secrets-1.png":::

+ **Step 2:** Create a key vault for secure management of secrets.

+ 1. In the top search bar, type "*key vault*", then select **Marketplace** > **Key Vault**.

+ 1. In **Resource Group**, select **msdocs-core-sql-tutorial**.

+ 1. In **Key vault name**, type a name that consists of only letters and numbers.

+ 1. In **Region**, set it to the sample location as the resource group.

+ :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/azure-portal-secure-connection-secrets-2.png" alt-text="A screenshot showing how to create a key vault." lightbox="./media/tutorial-dotnetcore-sqldb-app/azure-portal-secure-connection-secrets-2.png":::

+ :::column-end:::

+ :::column span="2":::

+ **Step 3:**

+ 1. Select the **Networking** tab.

+ 1. Unselect **Enable public access**.

+ 1. Select **Create a private endpoint**.

+ 1. In **Resource Group**, select **msdocs-core-sql-tutorial**.

+ 1. In **Key vault name**, type a name that consists of only letters and numbers.

+ 1. In **Region**, set it to the sample location as the resource group.

+ 1. In the dialog, in **Location**, select the same location as your App Service app.

+ 1. In **Resource Group**, select **msdocs-core-sql-tutorial**.

+ 1. In **Name**, type **msdocs-core-sql-XYZVvaultEndpoint**.

+ 1. In **Virtual network**, select **msdocs-core-sql-XYZVnet**.

+ 1. In **Subnet**, **msdocs-core-sql-XYZSubnet**.

+ 1. Select **OK**.

+ 1. Select **Review + create**, then select **Create**. Wait for the key vault deployment to finish. You should see "Your deployment is complete."

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/azure-portal-secure-connection-secrets-3.png" alt-text="A screenshot showing how secure a key vault with a private endpoint." lightbox="./media/tutorial-dotnetcore-sqldb-app/azure-portal-secure-connection-secrets-3.png":::

+ :::column-end:::

+ :::column span="2":::

+ **Step 4:**

+ 1. In the top search bar, type *msdocs-core-sql*, then the App Service resource called **msdocs-core-sql-XYZ**.

+ 1. In the App Service page, in the left menu, select **Settings > Service Connector**. There are already two connectors, which the app creation wizard created for you.

+ 1. Select checkbox next to the SQL Database connector, then select **Edit**.

+ 1. Select the **Authentication** tab.

+ 1. Select **Store Secret in Key Vault**.

+ 1. Under **Key Vault Connection**, select **Create new**.

+ A **Create connection** dialog is opened on top of the edit dialog.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/azure-portal-secure-connection-secrets-4.png" alt-text="A screenshot showing how to edit the SQL Database service connector with a key vault connection." lightbox="./media/tutorial-dotnetcore-sqldb-app/azure-portal-secure-connection-secrets-4.png":::

+ :::column-end:::

+ :::column span="2":::

+ **Step 5:** In the **Create connection** dialog for the Key Vault connection:

+ 1. In **Key Vault**, select the key vault you created earlier.

+ 1. Select **Review + Create**. You should see that **System assigned managed identity** is set to **Selected**.

+ 1. When validation completes, select **Create**.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/azure-portal-secure-connection-secrets-5.png" alt-text="A screenshot showing how to create a Key Vault service connector." lightbox="./media/tutorial-dotnetcore-sqldb-app/azure-portal-secure-connection-secrets-5.png":::

+ :::column-end:::

+ :::column span="2":::

+ **Step 6:** You're back in the edit dialog for **defaultConnector**.

+ 1. In the **Authentication** tab, wait for the key vault connector to be created. When it's finished, the **Key Vault Connection** dropdown automatically selects it.

+ 1. Select **Next: Networking**.

+ 1. Select **Configure firewall rules to enable access to target service**. The app creation wizard already secured the SQL database with a private endpoint.

+ 1. Select **Save**. Wait until the **Update succeeded** notification appears.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/azure-portal-secure-connection-secrets-6.png" alt-text="A screenshot showing the key vault connection selected in the SQL Database service connector." lightbox="./media/tutorial-dotnetcore-sqldb-app/azure-portal-secure-connection-secrets-6.png":::

+ :::column-end:::

+ :::column span="2":::

+ **Step 7:** In the Service Connectors page:

+ 1. Select checkbox next to the Cache for Redis connector, then select **Edit**.

+ 1. Select the **Authentication** tab.

+ 1. Select **Store Secret in Key Vault**.

+ 1. Under **Key Vault Connection**, select the key vault you created.

+ 1. Select **Next: Networking**.

+ 1. Select **Configure firewall rules to enable access to target service**. The app creation wizard already secured the SQL database with a private endpoint.

+ 1. Select **Save**. Wait until the **Update succeeded** notification appears.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/azure-portal-secure-connection-secrets-7.png" alt-text="A screenshot showing how to edit the Cache for Redis service connector with a key vault connection." lightbox="./media/tutorial-dotnetcore-sqldb-app/azure-portal-secure-connection-secrets-7.png":::

+ :::column-end:::

+ :::column span="2":::

+ **Step 8:** To verify that you secured the secrets:

+ 1. From the left menu, select **Environment variables > Connection strings** again.

+ 1. Next to **AZURE_SQL_CONNECTIONSTRING**, select **Show value**. The value should be `@Microsoft.KeyValut(...)`, which means that it's a [key vault reference](app-service-key-vault-references.md) because the secret is now managed in the key vault.

+ 1. To verify the Redis connection string, select the **App setting** tab. Next to **AZURE_REDIS_CONNECTIONSTRING**, select **Show value**. The value should be `@Microsoft.KeyValut(...)` too.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-dotnetcore-sqldb-app/azure-portal-secure-connection-secrets-8.png" alt-text="A screenshot showing how to see the value of the .NET connection string in Azure." lightbox="./media/tutorial-dotnetcore-sqldb-app/azure-portal-secure-connection-secrets-8.png":::

+ **Step 1:** Back in the App Service page, in the left menu, select **Development Tools** > **SSH**, then select **Go**.

+ 1. Select the URL of your app.

+> The sample application implements the [cache-aside](/azure/architecture/patterns/cache-aside) pattern. When you visit a data view for the second time, or reload the same page after making data changes, **Processing time** in the webpage shows a much faster time because it's loading the data from the cache instead of the database.

+ |Enter a new environment name | Type a unique name. The AZD template uses this name as part of the DNS name of your web app in Azure (`<app-name>-<hash>.azurewebsites.net`). Alphanumeric characters and hyphens are allowed. |

+ - **Private endpoints**: Access endpoints for the key vault, the database server, and the Redis cache in the virtual network.

+ - **Key vault**: Accessible only from behind its private endpoint. Used to manage secrets for the App Service app.

+ - **Private DNS zones**: Enable DNS resolution of the key vault, the database server, and the Redis cache in the virtual network.

+1. In the AZD output, find the settings `AZURE_SQL_CONNECTIONSTRING` and `AZURE_REDIS_CONNECTIONSTRING`. Only the setting names are displayed. They look like this in the AZD output:

+ - AZURE_SQL_CONNECTIONSTRING

+ - AZURE_REDIS_CONNECTIONSTRING

+ - AZURE_KEYVAULT_RESOURCEENDPOINT

+ - AZURE_KEYVAULT_SCOPE

+ Open SSH session to App Service container at: https://&lt;app-name>-&lt;hash>.scm.azurewebsites.net/webssh/host

+ - Endpoint: https://&lt;app-name>-&lt;hash>.azurewebsites.net/

+`Location '<region>' is not accepting creation of new Windows Azure SQL Database servers at this time.`

+- For basic access from a command-line tool, you can run `sqlcmd` from the app's SSH terminal. The app's container doesn't come with `sqlcmd`, so you must [install it manually](/sql/tools/sqlcmd/sqlcmd-utility?tabs=go%2Clinux&pivots=cs1-bash#download-and-install-sqlcmd). Remember that the installed client doesn't persist across app restarts.

+The creation wizard generated the connectivity string for you already as an [app setting](configure-common.md#configure-app-settings). However, the security best practice is to keep secrets out of App Service completely. You'll move your secrets to key vault and change your app setting to a [Key Vault reference](app-service-key-vault-references.md) with the help of Service Connectors.

+ 1. In **Name**, type **msdocs-spring-cosmosdb-XYZVaultEndpoint**.

+ 1. In the App Service page, in the left menu, select **Settings > Service Connector**. There's already a connector, which the app creation wizard created for you.

+ 1. Select **Store Secret in Key Vault**.

+ 1. In the **Authentication** tab, wait for the key vault connector to be created. When it's finished, the **Key Vault Connection** dropdown automatically selects it.

+ 1. Select **Configure firewall rules to enable access to target service**. If you see the message, "No Private Endpoint on the target service," ignore it. The app creation wizard already secured the SQL database with a private endpoint.

+ 1. Select the URL of your app.

+ |Enter a new environment name | Type a unique name. The AZD template uses this name as part of the DNS name of your web app in Azure (`<app-name>-<hash>.azurewebsites.net`). Alphanumeric characters and hyphens are allowed. |

+ - Endpoint: https://&lt;app-name>-&lt;hash>.azurewebsites.net/

+ 

+ 

+ 

+ 

+ 

+Application Gateway allows you to rewrite selected content of requests and responses. With this feature, you can translate URLs, query string parameters and modify request and response headers. It also allows you to add conditions to ensure that the URL or the specified headers are rewritten only when certain conditions are met. These conditions are based on the request and response information.

+

+* Choose to rewrite the URL of all requests on a listener or only those requests that match one or more of the conditions you set. These conditions are based on the request properties (request header and server variables).

+Rewrite actions are used to specify the URL. Request headers or response headers that you want to rewrite and the new URL destination value. The value of a URL or a new or existing header can be set to the following types of values:

+You can use rewrite conditions to evaluate the content of HTTP(S) requests and responses. This optional configuration enables you to perform a rewrite only when one or more conditions are met. The application gateway uses these types of variables to evaluate the content of requests and responses:

+Application Gateway uses regular expressions for pattern matching in the condition. You should use Regular Expression 2 (RE2) compatible expressions when writing your conditions. If you're running an Application Gateway Web Application Firewall (WAF) with Core Rule Set 3.1 or earlier, you might have issues when using [Perl Compatible Regular Expressions (PCRE)](https://www.pcre.org/). Issues can happen when using lookahead and lookbehind (negative or positive) assertions.

+> Use of */* to prefix and suffix the pattern shouldn't be specified in the pattern to match value. For example, (\d)(\d) matches two digits. /(\d)(\d)/ won't match two digits.

+> The case of the condition variable needs to match case of the capture variable. For example, if the condition variable is defined as user-agent, the capture variable must be for user-agent ({http_req_user-agent_2}).

+If you want to use the whole value, you shouldn't mention the number. Simply use the format {http_req_headerName}, etc. without the groupNumber.

+Application Gateway uses server variables to store useful information about the server, the connection with the client, and the current request on the connection. Examples of information stored include the client's IP address and the web browser type. Server variables change dynamically, for example, when a new page loads or when a form is posted. You can use these variables to evaluate rewrite conditions and rewrite headers. In order to use the value of server variables to rewrite headers, you need to specify these variables in the syntax {var_*serverVariableName*}

+| add_x_forwarded_for_proxy | The X-Forwarded-For client request header field with the `client_ip` variable (see explanation later in this table) appended to it in the format IP1, IP2, IP3, and so on. If the X-Forwarded-For field isn't in the client request header, the `add_x_forwarded_for_proxy` variable is equal to the `$client_ip` variable. This variable is useful when you want to rewrite the X-Forwarded-For header set by Application Gateway so that the header contains only the IP address without the port information. |

+| client_ip | The IP address of the client from which the application gateway received the request. If there's a reverse proxy before the application gateway and the originating client, `client_ip` returns the IP address of the reverse proxy. |

+| host | In this order of precedence: the host name from the request line, the host name from the Host request header field, or the server name matching a request. Example: In the request `http://contoso.com:8080/article.aspx?id=123&title=fabrikam`, the host value is `contoso.com` |

+| query_string | The list of variable/value pairs that follows the "?" in the requested URL. Example: In the request `http://contoso.com:8080/article.aspx?id=123&title=fabrikam`, query_string value is `id=123&title=fabrikam` |

+| request_uri | The full original request URI (with arguments). Example: in the request `http://contoso.com:8080/article.aspx?id=123&title=fabrikam*`, request_uri value is `/article.aspx?id=123&title=fabrikam` |

+| uri_path | Identifies the specific resource in the host that the web client wants to access. This is the part of the request URI without the arguments. Example: In the request `http://contoso.com:8080/article.aspx?id=123&title=fabrikam`, uri_path value is `/article.aspx` |

+* **Rewrite Condition**: This configuration is optional. Rewrite conditions evaluate the content of the HTTP(S) requests and responses. The rewrite action occurs if the HTTP(S) request or response matches the rewrite condition. If you associate more than one condition with an action, the action occurs only when all the conditions are met. In other words, the operation is a logical AND operation.

+ * **URL path**: The value to which the path is to be rewritten.

+ * **URL Query String**: The value to which the query string is to be rewritten.

+ * **Reevaluate path map**: Used to determine whether the URL path map is to be reevaluated or not. If kept unchecked, the original URL path is used to match the path-pattern in the URL path map. If set to true, the URL path map is reevaluated to check the match with the rewritten path. Enabling this switch helps in routing the request to a different backend pool post rewrite.

+* Enabling 'Reevaluate path map' isn't allowed for basic request routing rules. This is to prevent infinite evaluation loop for a basic routing rule.

+* There needs to be at least 1 conditional rewrite rule or 1 rewrite rule which doesn't have 'Reevaluate path map' enabled for path-based routing rules to prevent infinite evaluation loop for a path-based routing rule.

+* Incoming requests would be terminated with a 500 error code in case a loop is created dynamically based on client inputs. The Application Gateway continues to serve other requests without any degradation in such a scenario.

+When you configure URL rewrite or host header rewrite, the WAF evaluation happens after the modification to the request header or URL parameters (post-rewrite). And when you remove the URL rewrite or host header rewrite configuration on your Application Gateway, the WAF evaluation is done before the header rewrite (pre-rewrite). This order ensures that WAF rules are applied to the final request that would be received by your backend pool.

+Here, with only header rewrite configured, the WAF evaluation is done on `"Accept" : "text/html"`. But when you configure URL rewrite or host header rewrite, then the WAF evaluation is done on `"Accept" : "image/png"`.

+

+When the app service sends a redirection response, it uses the same hostname in the location header of its response as the one in the request it receives from the application gateway. So the client makes the request directly to `contoso.azurewebsites.net/path2` instead of going through the application gateway (`contoso.com/path2`). Bypassing the application gateway isn't desirable.

+

+

+

+It isn't possible to create a rewrite rule to delete the host header. If you attempt to create a rewrite rule with the action type set to delete and the header set to host, it results in an error.

+

+* The first rule has a condition that checks the *query_string* variable for *category=shoes* and has an action that rewrites the URL path to /*listing1* and has **Reevaluate path map** enabled

+* The second rule has a condition that checks the *query_string* variable for *category=bags* and has an action that rewrites the URL path to /*listing2* and has **Reevaluate path map** enabled

+* The third rule has a condition that checks the *query_string* variable for *category=accessories* and has an action that rewrites the URL path to /*listing3* and has **Reevaluate path map** enabled

+If the user requests *contoso.com/listing?category=any*, then it's matched with the default path since none of the path patterns in the path map (/listing1, /listing2, /listing3) are matched. Since you associated the previous rewrite set with this path, this rewrite set is evaluated. Because the query string won't match the condition in any of the 3 rewrite rules in this rewrite set, no rewrite action takes place. Therefore, the request is routed unchanged to the backend associated with the default path (which is *GenericList*).

+If the user requests *contoso.com/listing?category=shoes*, then the default path is matched. However, in this case the condition in the first rule matches. Therefore, the action associated with the condition is executed, which rewrites the URL path to /*listing1* and reevaluates the path-map. When the path-map is reevaluated, the request matches the path associated with pattern */listing1* and the request is routed to the backend associated with this pattern (ShoesListBackendPool).

+For a URL redirect, Application Gateway sends a redirect response to the client with the new URL. That, in turn, requires the client to resend its request to the new URL provided in the redirect. The URL that the user sees in the browser updates to the new URL.

+- If a response has more than one header with the same name, rewriting the value of one of those headers results in dropping the other headers in the response. This can happen with Set-Cookie header since you can have more than one Set-Cookie header in a response. One such scenario is when you're using an app service with an application gateway and have configured cookie-based session affinity on the application gateway. In this case the response contains two Set-Cookie headers. For example: one used by the app service, `Set-Cookie: ARRAffinity=ba127f1caf6ac822b2347cc18bba0364d699ca1ad44d20e0ec01ea80cda2a735;Path=/;HttpOnly;Domain=sitename.azurewebsites.net` and another for application gateway affinity, `Set-Cookie: ApplicationGatewayAffinity=c1a2bd51lfd396387f96bl9cc3d2c516; Path=/`. Rewriting one of the Set-Cookie headers in this scenario can result in removing the other Set-Cookie header from the response.

+- Request header names can contain alphanumeric characters and hyphens. Header names containing other characters are discarded when a request is sent to the backend target.

+- Application Gateway Ingress Controller (AGIC) is not supported and works only with L7 proxy through HTTP(S) listeners.

+* Azure Linux (CBL-Mariner) 2.0 and 3.0

+* [Examples of complete Function projects in PowerShell](/samples/browse/?products=azure-functions&languages=powershell).

+ > [!NOTE]

+ > If you do not provide a start date and time for the first recurrence, a recurrence will immediately run when you save the logic app, which might cause the VMs to start or stop before the scheduled run.

+ > [!NOTE]

+ > If you do not provide a start date and time for the first recurrence, a recurrence will immediately run when you save the logic app, which might cause the VMs to start or stop before the scheduled run.

+> + No further development, enhancements, or updates will be available for Start/Stop v2 except when required to remain on supported versions of components and Azure services.

+> + The TriggerAutoUpdate and UpdateStartStopV2 functions are now deprecated and will be removed in the future. To update Start/Stop v2, we recommend that you stop the site, install to the latest version from our [GitHub repository](https://github.com/microsoft/startstopv2-deployments), and then start the site. To disable the automatic update functionality, set the Function App's **AzureClientOptions:EnableAutoUpdate** [application setting](../functions-how-to-use-azure-function-app-settings.md?tabs=azure-portal%2Cto-premium#get-started-in-the-azure-portal) to **false**. No built-in notification system is available for updates. After an update to Start/Stop v2 becomes available, we will update the [readme.md](https://github.com/microsoft/startstopv2-deployments/blob/main/README.md) in the GitHub repository. Third-party GitHub file watchers might be available to notify you of changes.

+> + As of August 19, 2024, Start/Stop v2 has been updated to the [.NET 8 isolated worker model](../functions-versions.md?tabs=isolated-process%2Cv4&pivots=programming-language-csharp#languages).

+description: Statistics about Application Insights SDKs and autoinstrumentation

+Statsbeat collects essential and nonessential [custom metrics](../essentials/metrics-custom-overview.md) about Application Insights SDKs and autoinstrumentation. Statsbeat serves three benefits for Application Insights customers:

+* Service health and reliability (outside-in monitoring of connectivity to ingestion endpoint)

+* Support diagnostics (self-help insights and CSS insights)

+* Product improvement (insights for design optimizations)

+Statsbeat data is stored in a Microsoft data store. It doesn't affect customers' overall monitoring volume and cost.

+> [!NOTE]

+> Statsbeat doesn't support [Azure Private Link](../../automation/how-to/private-link-security.md).

+| C# | Java | JavaScript | Node.js | Python |

+|-|--|-|--|--|

+| Currently not supported | Supported | Currently not supported | Supported | Supported |

+| Geo name | Region name |

+|-|-|

+| Europe | North Europe |

+| Europe | West Europe |

+| France | France Central |

+| France | France South |

+| Germany | Germany West Central |

+| Norway | Norway East |

+| Norway | Norway West |

+| Sweden | Sweden Central |

+| Switzerland | Switzerland North |

+| Switzerland | Switzerland West |

+| United Kingdom | United Kingdom South |

+| United Kingdom | United Kingdom West |

+## Supported metrics

+Statsbeat collects [essential](#essential-statsbeat) and [nonessential](#nonessential-statsbeat) metrics:

+| Language | Essential metrics | Non-essential metrics |

+|-|-|--|

+| Java | ✅ | ✅ |

+| Node.js | ✅ | ❌ |

+| Python | ✅ | ❌ |

+| Metric name | Unit | Supported dimensions |

+||-||

+| Request Success Count | Count | `Resource Provider`, `Attach Type`, `Instrumentation Key`, `Runtime Version`, `Operating System`, `Language`, `Version`, `Endpoint`, `Host` |

+| Requests Failure Count | Count | `Resource Provider`, `Attach Type`, `Instrumentation Key`, `Runtime Version`, `Operating System`, `Language`, `Version`, `Endpoint`, `Host`, `Status Code` |

+| Request Duration | Count | `Resource Provider`, `Attach Type`, `Instrumentation Key`, `Runtime Version`, `Operating System`, `Language`, `Version`, `Endpoint`, `Host` |

+| Retry Count | Count | `Resource Provider`, `Attach Type`, `Instrumentation Key`, `Runtime Version`, `Operating System`, `Language`, `Version`, `Endpoint`, `Host`, `Status Code` |

+| Throttle Count | Count | `Resource Provider`, `Attach Type`, `Instrumentation Key`, `Runtime Version`, `Operating System`, `Language`, `Version`, `Endpoint`, `Host`, `Status Code` |

+| Exception Count | Count | `Resource Provider`, `Attach Type`, `Instrumentation Key`, `Runtime Version`, `Operating System`, `Language`, `Version`, `Endpoint`, `Host`, `Exception Type` |

+| Metric name | Unit | Supported dimensions |

+|-|-||

+| Attach | Count | `Resource Provider`, `Resource Provider Identifier`, `Attach Type`, `Instrumentation Key`, `Runtime Version`, `Operating System`, `Language`, `Version` |

+| Metric name | Unit | Supported dimensions |

+|-|-|--|

+| Feature | Count | `Resource Provider`, `Attach Type`, `Instrumentation Key`, `Runtime Version`, `Feature`, `Type`, `Operating System`, `Language`, `Version` |

+| Metric name | Unit | Supported dimensions |

+||-|-|

+| Read Failure Count | Count | `Resource Provider`, `Attach Type`, `Instrumentation Key`, `Runtime Version`, `Operating System`, `Language`, `Version` |

+| Write Failure Count | Count | `Resource Provider`, `Attach Type`, `Instrumentation Key`, `Runtime Version`, `Operating System`, `Language`, `Version` |

+## Firewall configuration

+Metrics are sent to the following locations, to which outgoing connections must be opened in firewalls:

+| Location | URL |

+|-|-|

+| Europe | `westeurope-5.in.applicationinsights.azure.com` |

+| Outside of Europe | `westus-0.in.applicationinsights.azure.com` |

+## Disable Statsbeat

+### [Java](#tab/java)

+> [!NOTE]

+> Only nonessential Statsbeat can be disabled in Java.

+### [Node](#tab/node)

+Statsbeat is enabled by default. It can be disabled by setting the environment variable `APPLICATION_INSIGHTS_NO_STATSBEAT` to `true`.

+### [Python](#tab/python)

+Statsbeat is enabled by default. It can be disabled by setting the environment variable `APPLICATIONINSIGHTS_STATSBEAT_DISABLED_ALL` to `true`.

+| [Azure Monitor for Azure Cache for Redis](../../azure-cache-for-redis/redis-cache-insights-overview.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/redisCacheInsights) | Provides a unified, interactive view of overall performance, failures, capacity, and operational health. |

+| [Azure Monitor Log Analytics Workspace](../logs/log-analytics-workspace-insights-overview.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/lawsInsights) | Log Analytics Workspace Insights provides comprehensive monitoring of your workspaces through a unified view of your workspace usage, performance, health, agent, queries, and change log. This article will help you understand how to onboard and use Log Analytics Workspace Insights. |

+| [Azure Activity Log Insights](../essentials/activity-log-insights.md) | Preview | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_DataProtection/BackupCenterMenuBlade/backupReportsConfigure/menuId/backupReportsConfigure) | Provides built-in monitoring and alerting capabilities in a Recovery Services vault. |

+| [Azure Monitor for SAP solutions](/azure/virtual-machines/workloads/sap/monitor-sap-on-azure) | GA | No | An Azure-native monitoring product for anyone running their SAP landscapes on Azure. It works with both SAP on Azure Virtual Machines and SAP on Azure Large Instances. Collects telemetry data from Azure infrastructure and databases in one central location and visually correlates the data for faster troubleshooting. You can monitor different components of an SAP landscape, such as Azure virtual machines (VMs), high-availability clusters, SAP HANA database, and SAP NetWeaver, by adding the corresponding provider for that component. |

+For a more extensive discussion of the recommended visualization tools and when to use them, see [Analyze and visualize monitoring data](best-practices-analysis.md)

+## August 2024

+|Subservice | Article | Description |

+||||

+|Agents|[MM)|New Removal Tool|

+|Application-Insights|[Migrate to workspace-based Application Insights resources](app/convert-classic-resource.md)|We've updated the table that converts values used in Classic AI resources to Workspace-based resources.|

+|Application-Insights|[Application Insights for ASP.NET Core applications](app/asp-net-core.md)|The option to disable telemetry correlation has been documented for ASP.NET Core.|

+|Application-Insights|[Configure Application Insights for your ASP.NET website](app/asp-net.md)|The option to disable telemetry correlation has been documented for ASP.NET.|

+|Application-Insights|[Configuration options: Azure Monitor Application Insights for Java](app/java-standalone-config.md)|The option to disable telemetry correlation has been documented for Java.|

+|Application-Insights|[Monitor your Node.js services and apps with Application Insights](app/nodejs.md)|The option to disable telemetry correlation has been documented for Node.js.|

+|Application-Insights|[What is autoinstrumentation for Azure Monitor Application Insights?](app/codeless-overview.md)|Further "autoinstrumentation" explanation has been added, alongside an example, to better convey the meaning of this term.|

+|Application-Insights|[Microsoft Entra authentication for Application Insights](app/azure-ad-authentication.md)|Options to enable Entra authentication for .NET and Node.js autoinstrumentation are documented.|

+|Application-Insights|[Application Insights availability tests](app/availability.md)|We clarified information about using a "availability test string identifier", which previously caused some confusion when referred to as a "GUID".|

+|Containers|[Optimize monitoring costs for Container insights](containers/container-insights-cost.md)|Rewritten to consolidate cost saving options and analysis.|

+|Containers|[Configure log collection in Container insights](containers/container-insights-data-collection-configure.md)|New article to consolidate all guidance for container location.|

+|Containers|[Filter log collection in Container insights](containers/container-insights-data-collection-filter.md)|New article to describe all options to filter container logs.|

+|Containers|[Container insights log schema](containers/container-insights-logs-schema.md)|Rewritten to focus on definition and configuration of log schema, including metadata option.|

+|Containers|[Access Syslog data in Container Insights](containers/container-insights-syslog.md)|Removed duplicate information on configuration.|

+|Containers|[Data transformations in Container insights](containers/container-insights-transformations.md)|Added details to filtering example and added a new example to send data to multiple tables.|

+|Containers|[Enable private link for Kubernetes monitoring in Azure Monitor](containers/container-insights-private-link.md)|New article to consolidate private link guidance for Container insights.|

+|Containers|[High scale logs collection in Container Insights (Preview)](containers/container-insights-high-scale.md)|New feature.|

+|Containers|[Monitor your Kubernetes cluster performance with Container insights](containers/container-insights-analyze.md)|Added explanation of "Other processes" column.|

+|Essentials |[Manage data collection rules (DCRs) and associations in Azure Monitor](essentials/data-collection-rule-view.md)|Added guidance for new UI feature to manage DCR associations.|

+|Essentials|[Use Azure Policy to install and manage the Azure Monitor agent](agents/azure-monitor-agent-policy.md)|Added information on new UI feature to create associations.|

+|Essentials|[Create and edit data collection rules (DCRs) and associations in Azure Monitor](essentials/data-collection-rule-create-edit.md)|Removed duplicate information.|

+|Essentials|[Data collection rules (DCRs) in Azure Monitor](essentials/data-collection-rule-overview.md)|Added diagram.|

+|Essentials|[Monitor and troubleshoot DCR data collection in Azure Monitor](essentials/data-collection-monitor.md)|Corrected error in KQL using InputStreamId.|

+|General|[Analyze and visualize monitoring data](best-practices-analysis.md)|We've updated our visualization recommendations to better guide customers when to use Azure Managed Grafana and when to use Azure Workbooks.|

+|Logs|[Best practices for Azure Monitor Logs](best-practices-logs.md)|Updated overview of features that enhance resilience of your Log Analytics workspace, including a new video. |

+|Logs|[Set up a table with the Auxiliary plan in your Log Analytics workspace (Preview)](logs/create-custom-table-auxiliary.md)|New article that explains how to set up a table with the Auxiliary plan. |

+|Logs|[Azure Monitor Logs overview](logs/data-platform-logs.md)|Updated Azure Monitor Logs overview provides a high-level overview of data collection, management, retrieval, and consumption for a range of use cases.|

+|Logs|[Run search jobs in Azure Monitor](logs/search-jobs.md)|New video that explains how to use search jobs in Azure Monitor Logs.|

+|Logs|[Aggregate data in a Log Analytics workspace by using summary rules (Preview)](logs/summary-rules.md)|New video that explains how to use summary rules to optimize data in your Log Analytics workspace.|

+ Cool access storage is available with the Standard, Premium, and Ultra service levels. The throughput experience for any of these service levels with cool access is the same for cool access as it is for data in the hot tier. It may differ when data that resides in the cool tier is accessed. For more information, see [Azure NetApp Files storage with cool access](cool-access-introduction.md) and [Performance considerations for storage with cool access](performance-considerations-cool-access.md).

+* [Performance considerations for Azure NetApp Files storage with cool access](performance-considerations-cool-access.md)

+ The retrieval policy set to `Default`. Cool data is only retrieved to the hot tier only when performing random reads. Sequential reads are served directly from the cool tier.

+ Cold data is retrieved only by performing random reads.

+ Cold data is retrieved by performing both sequential and random reads.

+ Cold data is served directly from the cool tier and not retrieved to the hot tier.

+ This option specifies whether the volume supports cool access.

+* [Performance considerations for Azure NetApp Files storage with cool access](performance-considerations-cool-access.md)

+ Title: Performance considerations for Azure NetApp Files storage with cool access

+description: Understand use cases for cool access and the effect it can have on performance.

+# Performance considerations for Azure NetApp Files storage with cool access

+Data sets aren't always actively used. Up to 80% of data in a set can be considered "cool," meaning it's not currently in use or hasn't been accessed recently. When storing data on high performance storage such as Azure NetApp Files, the money spent on the capacity being used is essentially being wasted since cool data doesn't require high performance storage until it's being accessed again.

+[Azure NetApp Files storage with cool access](cool-access-introduction.md) is intended to reduce costs for cloud storage in Azure. There are performance considerations in specific use cases that need to be considered.

+Accessing data that has moved to the cool tiers incurs more latency, particularly for random I/O. In a worst-case scenario, all of the data being accessed might be on the cool tier, so every request would need to conduct a retrieval of the data. It's uncommon for all of the data in an actively used dataset to be in the cool tier, so it's unlikely to observe such latency.

+When the default cool access retrieval policy is selected, sequential I/O reads are served directly from the cool tier and doesn't repopulate into the hot tier. Randomly read data is repopulated into the hot tier, increasing the performance of subsequent reads. Optimizations for sequential workloads often reduce the latency incurred by cloud retrieval as compared to random reads and improves overall performance.

+In a recent test performed using Standard storage with cool access for Azure NetApp Files, the following results were obtained.

+## 100% sequential reads on hot/cool tier (single job)

+In the following scenario, a single job on one D32_V5 virtual machine (VM) was used on a 50-TiB Azure NetApp Files volume using the Ultra performance tier. Different block sizes were used to test performance on hot and cool tiers.

+>[!NOTE]

+>The maximum for the Ultra service level is 128 MiB/s per tebibyte of allocated capacity. An Azure NetApp Files regular volume can manage a throughput up to approximately 5,000 MiB/s.

+The following graph shows the cool tier performance for this test using a variety of queue depths. The maximum throughput for a single VM was approximately 400 MiB/s.

+Hot tier performance was around 2.75x better, capping out at approximately 11,180 MiB/s.

+This graph shows a side-by-side comparison of cool and hot tier performance with a 256K block size.

+## 100% sequential reads on hot/cool tier (multiple jobs)

+For this scenario, the test was conducted with 16 job using a 256=KB block size on a single D32_V5 VM on a 50-TiB Azure NetApp Files volume using the Ultra performance tier.

+>[!NOTE]

+>The maximum for the Ultra service level is 128 MiB/s per tebibyte of allocated capacity. An Azure NetApp Files regular volume can manage a throughput of up to approximately 5,000 MiB/s.

+It's possible to push for more throughput for the hot and cool tiers using a single VM when running multiple jobs. The performance difference between hot and cool tiers is less drastic when running multiple jobs. The following graph displays results for hot and cool tiers when running 16 jobs with 16 threads at a 256-KB block size.

+- Throughput improved by nearly three times for the hot tier.

+- Throughput improved by 6.5 times for the cool tier.

+- The performance difference for the hot and cool tier decreased from 2.9x to just 1.3x.

+## Maximum viable job scale for cool tier ΓÇô 100% sequential reads

+The cool tier has a limit of how many jobs can be pushed to a single Azure NetApp Files volume before latency starts to spike to levels that are generally unusable for most workloads.

+In the case of cool tiering, that limit is around 16 jobs with a queue depth of no more than 15. The following graph shows that latency spikes from approximately 23 milliseconds (ms) with 16 jobs/15 queue depth with slightly less throughput than with a queue depth of 14. Latency spikes as high as about 63 ms when pushing 32 jobs and throughput drops by roughly 14%.

+## What causes latency in hot and cool tiers?

+Latency in the hot tier is a factor of the storage system itself, where system resources are exhausted when more I/O is sent to the service than can be handled at any given time. As a result, operations need to queue until previously sent operations can be complete.

+Latency in the cool tier is generally seen with the cloud retrieval operations: either requests over the network for I/O to the object store (sequential workloads) or cool block rehydration into the hot tier (random workloads).

+## Mixed workload: sequential and random

+A mixed workload contains both random and sequential I/O patterns. In mixed workloads, performance profiles for hot and cool tiers can have drastically different results compared to a purely sequential I/O workload but are very similar to a workload that's 100% random.

+The following graph shows the results using 16 jobs on a single VM with a queue depth of one and varying random/sequential ratios.

+The impact on performance when mixing workloads can also be observed when looking at the latency as the workload mix changes. The graphs show how latency impact for cool and hot tiers as the workload mix goes from 100% sequential to 100% random. Latency starts to spike for the cool tier at around a 60/40 sequential/random mix (greater than 12 ms), while latency remains the same (under 2 ms) for the hot tier.

+## Results summary

+- When a workload is 100% sequential, the cool tier's throughput decreases by roughly 47% versus the hot tier (3330 MiB/s compared to 1742 MiB/s).

+- When a workload is 100% random, the cool tierΓÇÖs throughput decreases by roughly 88% versus the hot tier (2,479 MiB/s compared to 280 MiB/s).

+- The performance drop for hot tier when doing 100% sequential (3,330 MiB/s) and 100% random (2,479 MiB/s) workloads was roughly 25%. The performance drop for the cool tier when doing 100% sequential (1,742 MiB/s) and 100% random (280 MiB/s) workloads was roughly 88%.

+- Hot tier throughput maintains about 2,300 MiB/s regardless of the workload mix.

+- When a workload contains any percentage of random I/O, overall throughput for the cool tier is closer to 100% random than 100% sequential.

+- Reads from cool tier dropped by about 50% when moving from 100% sequential to an 80/20 sequential/random mix.

+- Sequential I/O can take advantage of a `readahead` cache in Azure NetApp Files that random I/O doesn't. This benefit to sequential I/O helps reduce the overall performance differences between the hot and cool tiers.

+## General recommendations

+To avoid worst-case scenario performance with cool access in Azure NetApp Files, follow these recommendations:

+- If your workload frequently changes access patterns in an unpredictable manner, cool access may not be ideal due to the performance differences between hot and cool tiers.

+- If your workload contains any percentage of random I/O, performance expectations when accessing data on the cool tier should be adjusted accordingly.

+- Configure the coolness window and cool access retrieval settings to match your workload patterns and to minimize the amount of cool tier retrieval.

+## Next steps

+* [Azure NetApp Files storage with cool access](cool-access-introduction.md)

+* [Manage Azure NetApp Files storage with cool access](manage-cool-access.md)

+To lock down your application to accept traffic only from point of presence (POP) servers utilized by Microsoft's content delivery network (CDN) offerings (**Azure Front Door**, **Azure Front Door Classic**, or **Azure CDN from Microsoft**), you need to set up IP access control lists (ACLs) for your backend. You might also restrict the set of accepted values for the header 'X-Forwarded-Host' sent by Azure Content Delivery Network from Microsoft. These steps are detailed as followed:

+To configure Microsoft's backend IP ranges with Azure Content Delivery Network from Microsoft, use the AzureFrontDoor.Backend [service tag](../virtual-network/service-tags-overview.md). For a complete list, see [IP Ranges and Service tags](https://www.microsoft.com/en-us/download/details.aspx?id=56519) for Microsoft services.

+ Title: What is a connected registry?

+description: Overview and scenarios of the connected registry feature of Azure Container Registry, including its benefits and use cases.

+#customer intent: As a reader, I want to understand the overview and scenarios of the connected registry feature of Azure Container Registry so that I can utilize it effectively.

+In this article, you learn about the *connected registry* feature of [Azure Container Registry](container-registry-intro.md). A connected registry is an on-premises or remote replica that synchronizes container images with your cloud-based Azure container registry. Use a connected registry to help speed-up access to registry artifacts on-premises or remote.

+## Billing and Support

+The connected registry is a preview feature of the **Premium** container registry service tier, and subject to [limitations](#limitations). For information about registry service tiers and limits, see [Azure Container Registry service tiers](container-registry-skus.md).

+>[!IMPORTANT]

+> Please note that there are **Important upcoming changes** to the connected registry Deployment Model Support and Billing starting from January 1st, 2025. For any inquiries or assistance with the transition, please reach out to the customer support team.

+### Billing

+- The connected registry incurs no charges until it reaches general availability (GA).

+- Post-GA, a monthly price of $10 will apply for each connected registry deployed.

+- This price represents Microsoft's commitment to deliver high-quality services and product support.

+- The price is applied to the Azure subscription associated with the parent registry.

+### Support

+- Microsoft will end support for the connected registry deployment on IoT Edge devices on January 1st, 2025.

+- After January 1st, 2025 connected registry will solely support Arc-enabled Kubernetes clusters as the deployment model.

+- Microsoft advises users to begin planning their transition to Arc-enabled Kubernetes clusters as the deployment model.

+Connected registry is available in the following continents and regions:

+```

+| Continent | Available Regions |

+||-|

+| Australia | Australia East |

+| Asia | East Asia |

+| | Japan East |

+| | Japan West |

+| | Southeast Asia |

+| Europe | North Europe |

+| | Norway East |

+| | West Europe |

+| North America | Canada Central |

+| | Central US |

+| | East US |

+| | South Central US |

+| | West Central US |

+| | West US 3 |

+| South America | Brazil South |

+```

+The connected registry is deployed on a server or device on-premises, or an environment that supports container workloads on-premises such as Azure IoT Edge and Azure Arc-enabled Kubernetes. The connected registry synchronizes container images and other OCI artifacts with a cloud-based Azure container registry.

+The following image shows a typical deployment model for the connected registry using IoT Edge.

+The following image shows a typical deployment model for the connected registry using Azure Arc-enabled Kubernetes.

+Each connected registry is a resource you manage within a cloud-based Azure container registry. The top parent in the connected registry hierarchy is an Azure container registry in the Azure cloud. The connected registry can be deployed either on Azure IoT Edge or Arc-enabled Kubernetes clusters.

+To install the connected registry, use Azure tools on a server or device on your premises, or in an environment that supports on-premises container workloads, such as [Azure IoT Edge](../iot-edge/tutorial-nested-iot-edge.md).

+Deploy the connected registry Arc extension to the Arc-enabled Kubernetes cluster. Secure the connection with TLS using default configurations for read-only access and a continuous sync window. This setup allows the connected registry to synchronize images from the Azure container registry (ACR) to the connected registry on-premises, enabling image pulls from the connected registry.

+* **Active** - The connected registry is currently deployed on-premises. It can't be deployed again until it's deactivated.

+**ReadOnly mode** - The default mode, when the connected registry is in ReadOnly mode, clients can only pull (read) artifacts. This configuration is used in scenarios where clients need to pull a container image to operate. This default mode aligns with our secure-by-default approach and is effective starting with CLI version 2.60.0.

+**ReadWrite mode** - This mode allows clients to pull and push artifacts (read and write) to the connected registry. Artifacts that are pushed to the connected registry will be synchronized with the cloud registry. The ReadWrite mode is useful when a local development environment is in place. The images are pushed to the local connected registry and from there synchronized to the cloud.

+Each connected registry must be connected to a parent. The top parent is the cloud registry. For hierarchical scenarios such as [nested IoT Edge][overview-connected-registry-and-iot-edge], you can nest connected registries in either mode. The parent connected to the cloud registry can operate in either mode.

+Child registries must be compatible with their parent capabilities. Thus, both ReadOnly and ReadWrite modes of the connected registries can be children of a connected registry operating in ReadWrite mode, but only a ReadOnly mode registry can be a child of a connected registry operating in ReadOnly mode.

+On-premises clients use standard tools such as the Docker CLI to push or pull content from a Connected registry. To manage client access, you create Azure container registry [tokens][repository-scoped-permissions] for access to each connected registry. You can scope the client tokens for pull or push access to one or more repositories in the registry.

+- Number of tokens and scope maps is [limited](container-registry-skus.md) to 20,000 each for a single container registry. This indirectly limits the number of connected registries for a cloud registry, because every Connected registry needs a sync and client token.

+- [Image locking](container-registry-image-lock.md) through repository/manifest/tag metadata isn't currently supported for connected registries.

+- [Repository delete](container-registry-delete.md) isn't supported on the connected registry using ReadOnly mode.

+- Connected registry is coupled with the registry's home region data endpoint. Automatic migration for [geo-replication](container-registry-geo-replication.md) isn't supported.

+- Deletion of a connected registry needs manual removal of the containers on-premises and removal of the respective scope map or tokens in the cloud.

+ - `minMessageTtl` is one day

+ - `maxSyncWindow` is seven days

+## Conclusion

+| Cost and usage (actual) | ΓÇó EA<br> ΓÇó MCA that you bought through the Azure website <br> ΓÇó MCA enterprise<br> ΓÇó MCA that you buy through a Microsoft partner <br> ΓÇó Azure internal | ΓÇó EA - Enrollment, department, account, subscription, and resource group <br> ΓÇó MCA - Billing account, billing profile, Invoice section, subscription, and resource group <br> ΓÇó Microsoft Partner Agreement (MPA) - Customer, subscription, and resource group |

+| Cost and usage (amortized) | ΓÇó EA <br> ΓÇó MCA that you bought through the Azure website <br> ΓÇó MCA enterprise <br> ΓÇó MCA that you buy through a Microsoft partner <br> ΓÇó Azure internal | ΓÇó EA - Enrollment, department, account, subscription, and resource group <br> ΓÇó MCA - Billing account, billing profile, Invoice section, subscription, and resource group <br> ΓÇó MPA - Customer, subscription, and resource group |

+- Azure internal accounts and the Microsoft Online Service Program (MOSP), commonly referred to as pay-as-you-go, support only the 'Cost and Usage Details (Usage Only)' dataset for billing scopes and subscriptions.

+This article applies to the pay-as-you-go cost and usage details (usage only) file schema. Pay-as-you-go is also called Microsoft Online Services Program (MOSP) and Microsoft Online Subscription Agreement (MOSA).

+The schema outlined here is applicable only to the 'Cost and Usage Details (Usage Only)' dataset and does not cover purchase information.

+- **Red Hat Plans** (***plans and renewal are temporarily unavailable***) - A reservation covers the software plan costs. The discounts apply only to RedHat meters and not to the virtual machine usage.

+> The Red Hat Linux Enterprise software reservation plan and renewal are temporarily unavailable. Disregard any renewal emails until the plan is available.

+After you buy a Red Hat Linux plan, the discount is automatically applied to deployed Red Hat virtual machines (VM) that match the reservation. A Red Hat Linux plan covers the cost of running the Red Hat software on an Azure VM.

+Like Reserved VM Instances, Red Hat plan purchases offer instance size flexibility. Instance size flexibility applies your discount even when you deploy a VM with a different vCPU count and to different VM sizes within the software plan.

+- [Understand reservation usage for your pay-as-you-go subscription](understand-reserved-instance-usage.md)

+|[Copy activity](copy-activity-overview.md) (source/-)|&#9312; (only for version 1.0) &#9313;|

+|[Lookup activity](control-flow-lookup-activity.md)|&#9312; (only for version 1.0) &#9313;|

+For version 2.0 (Preview), you need to [install a Vertica ODBC driver](#install-vertica-odbc-driver-for-the-version-20-preview) manually. For version 1.0, the service provides a built-in driver to enable connectivity, therefore you don't need to manually install any driver.

+If your data store is located inside an on-premises network, an Azure virtual network, or Amazon Virtual Private Cloud, you need to configure a [self-hosted integration runtime](create-self-hosted-integration-runtime.md) to connect to it. If you use the version 2.0 (Preview), your self-hosted integration runtime version should be 5.44.8984.1 or above.

+For more information about the network security mechanisms and options supported by Data Factory, see [Data access strategies](data-access-strategies.md).

+### For version 1.0

+If your data store is a managed cloud data service, you can use the Azure Integration Runtime. If the access is restricted to IPs that are approved in the firewall rules, you can add [Azure Integration Runtime IPs](azure-integration-runtime-ip-addresses.md) to the allowlist.

+ You can also use the [managed virtual network integration runtime](tutorial-managed-virtual-network-on-premise-sql-server.md) feature in Azure Data Factory to access the on-premises network without installing and configuring a self-hosted integration runtime.

+### Install Vertica ODBC driver for the version 2.0 (Preview)

+To use Vertica connector with version 2.0 (Preview), install the Vertica ODBC driver on the machine running the self-hosted Integration runtime by following these steps:

+1. Download the Vertica client setup for ODBC driver from [Client Drivers | OpenTextΓäó VerticaΓäó](https://www.vertica.com/download/vertica/client-drivers/). Take Windows system setup as an example:

+ :::image type="content" source="media/connector-vertica/download.png" alt-text="Screenshot of a Windows system setup example.":::

+1. Open the downloaded .exe to begin the installation process.ΓÇ»

+ :::image type="content" source="media/connector-vertica/install.png" alt-text="Screenshot of the installation process.":::

+1. Select **ODBC driver** under Vertica Component List, then select **Next** to start the installation.

+ :::image type="content" source="media/connector-vertica/select-odbc-driver.png" alt-text="Screenshot of selecting ODBC driver.":::

+1. After the installation process is successfully completed, you can go to Start -> ODBC Data Source Administrator to confirm the successful installation.

+ :::image type="content" source="media/connector-vertica/confirm-the successful-installation.png" alt-text="Screenshot of confirming the successful installation.":::

+If you use version 2.0 (Preview), the following properties are supported for Vertica linked service:

+| server | The name or the IP address of the server to which you want to connect. | Yes |

+| port | The port number of the server listener. | No, default is 5433 |

+| database | Name of the Vertica database. | Yes |

+| uid | The user ID that is used to connect to the database. | Yes |

+| pwd | The password that the application uses to connect to the database. | Yes |

+| version | The version when you select version 2.0 (Preview). The value is `2.0`. | Yes |

+| connectVia | The [Integration Runtime](concepts-integration-runtime.md) to be used to connect to the data store. Learn more from [Prerequisites](#prerequisites) section. You can only use the self-hosted integration runtime and its version should be 5.44.8984.1 or above. |No |

+ "version": "2.0",

+ "server": "<server>",

+ "port": 5433,

+ "uid": "<username>",

+ "database": "<database>",

+ "pwd": {

+ "type": "SecureString",

+ "value": "<password>"

+ }

+ "version": "2.0",

+ "server": "<server>",

+ "port": 5433,

+ "uid": "<username>",

+ "database": "<database>",

+ "pwd": {

+ "type": "AzureKeyVaultSecret",

+ "store": {

+ "referenceName": "<Azure Key Vault linked service name>",

+ "type": "LinkedServiceReference"

+ },

+ "secretName": "<secretName>"

+If you use version 1.0, the following properties are supported:

+| Property | Description | Required |

+|: |: |: |

+| type | The type property must be set to: **Vertica** | Yes |

+| connectionString | An ODBC connection string to connect to Vertica.<br/>You can also put password in Azure Key Vault and pull the `pwd` configuration out of the connection string. Refer to the following samples and [Store credentials in Azure Key Vault](store-credentials-in-key-vault.md) article with more details. | Yes |

+| connectVia | The [Integration Runtime](concepts-integration-runtime.md) to be used to connect to the data store. Learn more from [Prerequisites](#prerequisites) section. If not specified, it uses the default Azure Integration Runtime. |No |

+**Example:**

+```json

+{

+ "name": "VerticaLinkedService",

+ "properties": {

+ "type": "Vertica",

+ "typeProperties": {

+ "connectionString": "Server=<server>;Port=<port>;Database=<database>;UID=<user name>;PWD=<password>"

+ },

+ "connectVia": {

+ "referenceName": "<name of Integration Runtime>",

+ "type": "IntegrationRuntimeReference"

+ }

+ }

+}

+```

+| query | Use the custom SQL query to read data. For example: `"SELECT * FROM MyTable"`. | No (if "schema+table" in dataset is specified) |

+## Upgrade the Vertica version

+Here are steps that help you upgrade your Vertica version:

+1. Install a Vertica ODBC driver by following the steps in [Prerequisites](#install-vertica-odbc-driver-for-the-version-20-preview).

+1. In **Edit linked service page**, select **2.0 (Preview)** under **Version** and configure the linked service by referring to [Linked service properties](#linked-service-properties).

+1. Apply a self-hosted integration runtime with version 5.44.8984.1 or above. Azure integration runtime is not supported by version 2.0 (Preview).

+ Title: Tutorial to copy data to Azure Data Box Disk | Microsoft Docs

+> Azure Data Box now supports access tier assignment at the blob level. The steps contained within this tutorial reflect the updated data copy process and are specific to block blobs.

+> Access tier assignment is not supported when copying data using the Data Box Split Copy Tool. If your use case requires access tier assignment, follow the steps containined within the [Copy data to disks](#copy-data-to-disks) section to copy your data to the appropriate access tier using the Robocopy utility.

+>

+> For help with determining the appropriate access tier for your block blob data, refer to the [Determine appropriate access tiers for block blobs](#determine-appropriate-access-tiers-for-block-blobs) section.

+>

+> Access tier assignment is not supported when copying data using the Data Box Split Copy Tool. If your use case requires access tier assignment, follow the steps containined within the [Copy data to disks](#copy-data-to-disks) section to copy your data to the appropriate access tier using the Robocopy utility.

+>

+> The Data Box Split Copy tool is not supported with managed disks.

+shell> system sanity

+### Restart an appliance

+shell> system reboot

+### Shutdown an appliance

+shell> system shutdown

+### Show installed software version

+shell> system version

+### Show current system date/time

+shell> date

+shell>

+### Turn on NTP time sync

+shell> ntp enable 129.6.15.28

+shell>

+### Turn off NTP time sync

+shell> ntp disable 129.6.15.28

+shell>

+Use the following command to start an immediate, unscheduled backup of the data on your OT sensor. For more information, see [Set up backup and restore files](../how-to-manage-individual-sensors.md#set-up-backup-and-restore-files).

+|**admin** | `system backup create` | No attributes |

+shell> system backup create

+shell>

+```

+### List current backup files

+Use the following commands to list the backup files currently stored on your OT network sensor.

+|User |Command |Full command syntax |

+||||

+|**admin** | `system backup list` | No attributes |

+|**cyberx** , or **admin** with [root access](references-work-with-defender-for-iot-cli-commands.md#access-the-system-root-as-an-admin-user) | `cyberx-xsense-system-backup-list` | No attributes |

+For example, for the *admin* user:

+```bash

+shell> system backup list

+backup files:

+ e2e-xsense-1664469968212-backup-version-22.3.0.318-r-71e6295-2022-09-29_18:30:20.tar

+ e2e-xsense-1664469968212-backup-version-22.3.0.318-r-71e6295-2022-09-29_18:29:55.tar

+shell>

+Use the following command to restore data on your OT network sensor using the most recent backup file. When prompted, confirm that you want to proceed.

+shell> system restore

+shell>

+| **admin** | `cyberx-backup-memory-check` | No attributes |

+For example, for the *admin* user:

+shell> cyberx-backup-memory-check

+shell>

+Use the following commands to change passwords for local users on your OT sensor. The new password must be at least 8 characters, contain lowercase and uppercase, alphabetic characters, numbers and symbols.

+When you change the password for the *admin* the password is changed for both SSH and web access.

+|**admin** | `system password` | `<username>` |

+The following example shows the *admin* user's changing the password. The new password does not appear on the screen when you type it, make sure to write to make a note of it and ensure that it is correctly typed when asked to reenter the password.

+shell>system password user1

+Enter New Password for user1:

+Reenter Password:

+shell>

+### Change networking configuration or reassign network interface roles

+|**admin** | `sudo dpkg-reconfigure iot-sensor` | No attributes |

+For example, with the **admin** user:

+shell> sudo dpkg-reconfigure iot-sensor

+### Validate and show network interface configuration

+shell> network validate

+shell>

+### Check network connectivity from the OT sensor

+Use the following command to send a ping message from the OT sensor.

+### Locate a physical port by blinking interface lights

+shell> network blink eth0

+### List connected physical interfaces

+Use the following command to list the connected physical interfaces on your OT sensor.

+shell> network list

+shell>

+While your OT sensor automatically learns your network subnets during the initial deployment, we recommend analyzing the detected traffic and updating them as needed to optimize your map views and device inventory.

+ | **Remove subnet** | Select to remove any subnets that aren't related to your IoT/OT network scope.|

+Use the *admin* user when using the Defender for IoT CLI, which is an administrative account with access to all CLI commands. On the on-premises management console, use the *cyberx* user.

+|Reboot and shutdown | *admin*, *cyberx*, *cyberx_host* | [Restart an appliance](cli-ot-sensor.md#restart-an-appliance)<br>[Shut down an appliance](cli-ot-sensor.md#shutdown-an-appliance) |

+|List backup files | *admin*, *cyberx* | [List current backup files](cli-ot-sensor.md#list-current-backup-files) <br>[Start an immediate, unscheduled backup](cli-ot-sensor.md#start-an-immediate-unscheduled-backup) |

+When signing in as the *admin* user, run the following command to access the host machine as the root user. Access the host machine as the root user enables you to run CLI commands that aren't available to the *admin* user.

+description: Learn about planned features coming soon and features in development for Azure Deployment Environments.

+This roadmap presents a set of planned feature releases aimed at improving how enterprise developers set up application infrastructure. It focuses on making the process easier and ensuring strong centralized management and governance. This list highlights key features planned for the next six months. It isn't exhaustive but shows major areas of investment. Some features might release as previews and evolve based on your feedback before becoming generally available. We always listen to your input, so the timing, design, and delivery of some features might change.

+Deploying app infrastructure has been challenging due to complex dependencies, unclear configurations, compatibility issues, and managing security risks. Azure Deployment Environments (ADE) aims to remove these obstacles and make developers more agile. By allowing developers to quickly and easily set up the infrastructure needed to deploy, test, and run cloud-based applications, we're changing the development process. Our ongoing investment in this area shows our commitment to improving the end-to-end developer experience and helping teams innovate without barriers.

+- Enhanced Integration with Azure Developer CLI (azd):

+ - Supports ADE's extensibility model.

+ - Enables deployments using any preferred Infrastructure as Code (IaC) framework.

+ - Allows simple commands like `azd up` and `azd deploy` for deploying code.

+ - Facilitates real-time testing, rapid issue identification, and quick resolution.

+- Tracking and Managing Environment Operations:

+ - Logs and deployment outputs can be managed directly in the developer portal.

+ - Makes it easier for dev teams to troubleshoot and fix deployments.

+Azure Deployment Environments allows platform engineers and dev leads to securely provide curated, project-specific IaC templates directly from source control repositories. With support for an extensibility model, organizations can use their preferred IaC frameworks, including third-party options like Pulumi and Terraform, for seamless deployments.

+Customized deployments make it easy for platform engineers and dev leads to tailor deployments and ensure they can securely meet the unique needs of their organization or development team.

+- Pre- and Post-Deployment Scripts:

+ - Configure as part of environment definitions.

+ - Allow integration of more logic, validations, and custom actions into deployments.

+ - Leverage internal APIs and systems for more customized and efficient workflows.

+- Support for Private Registries:

+ - Allow platform engineers to store custom container images in a private Azure Container Registry (ACR).

+ - Ensure controlled and secure access.

+- Private virtual network configuration for the runner executing the template deployments:

+ - Allows enterprises to control access to confidential data and resources from internal systems.

+- Default Autodeletion:

+ - Eliminates orphaned cloud resources.

+ - Ensures budget efficiency by avoiding unnecessary costs.

+- [DNS FAQ](./dns-faq.yml)

+> EDS M23 preview is now available on Azure Data Manager for Energy in Developer tier only.

+- Data partition name (the data partition in which EDS needs to be enabled for automated triggering of EDS-Scheduler)

+> Support for [multiple data partitions](https://community.opengroup.org/osdu/platform/data-flow/ingestion/external-data-sources/core-external-data-workflow/-/issues/51) is currently enabled for manual triggering of the EDS Ingest DAG, but this feature has not yet been implemented for the EDS Scheduler.

+- Below issues are specific to [OSDU&reg;](https://osduforum.org/) M23 release:

+The Naturalization DAG workflow won't be included in the M23 release.

+

+* [OSDU EDS Documentation](https://osdu.pages.opengroup.org/platform/data-flow/ingestion/osdu-airflow-lib/)

+* [EDS M23 release notes](https://community.opengroup.org/osdu/governance/project-management-committee/-/wikis/M23-Release-Notes)

+* [EDS issues](https://community.opengroup.org/osdu/platform/data-flow/ingestion/external-data-sources/core-external-data-workflow/-/issues)

+ - **EDS Fetch & Ingest DAG**: Facilitates fetching data from external providers and ingesting it into the OSDU platform. It involves steps like registering with providers, creating data jobs, and triggering ingestion. With the M23 release, EDS Fetch and Ingest DAG includes new features like Parent and Reference data mapping.

+[VNet-FAQ]: ../virtual-network/virtual-networks-faq.md

+[ER-OCI]: /azure/virtual-machines/workloads/oracle/configure-azure-oci-networking

+3. Configure the Azure Firewall private IP address as a custom DNS address in your virtual network DNS server settings to direct DNS traffic to the Azure Firewall.

+

+> [!NOTE]

+> If you choose to use a custom DNS server, select any IP address within the virtual network, excluding those in the Azure Firewall subnet.

+- Learn how to [deploy and configure an Azure Firewall](tutorial-firewall-deploy-portal.md).

+zone_pivot_groups: front-door-dev-exp-portal-cli

+This article will guide you through how to configure Azure Front Door Premium tier to connect to your Storage Account privately using the Azure Private Link service with Azure CLI.

+## Prerequisites - CLI

+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* Have a functioning Azure Front Door Premium profile, an endpoint and an origin group. For more information on how to create an Azure Front Door profile, see [Create a Front Door - CLI](create-front-door-cli.md).

+## Enable Private Link to a Storage Static Website in Azure Front Door Premium

+1. Run [az afd origin create](/cli/azure/afd/origin#az-afd-origin-create) to create a new Azure Front Door origin. Enter the following settings to configure the Storage Static Website you want Azure Front Door Premium to connect with privately. Notice the `private-link-location` must be in one of the [available regions](private-link.md#region-availability) and the `private-link-sub-resource-type` must be **web**.

+```azurecli-interactive

+az afd origin create --enabled-state Enabled \

+ --resource-group testRG \

+ --origin-group-name default-origin-group \

+ --origin-name pvtStaticSite \

+ --profile-name testAFD \

+ --host-name example.z13.web.core.windows.net\

+ --origin-host-header example.z13.web.core.windows.net\

+ --http-port 80 \

+ --https-port 443 \

+ --priority 1 \

+ --weight 500 \

+ --enable-private-link true \

+ --private-link-location EastUS \

+ --private-link-request-message 'AFD Storage static website origin Private Link request.' \

+ --private-link-resource /subscriptions/00000000-0000-0000-0000-00000000000/resourceGroups/testRG/providers/Microsoft.Storage/storageAccounts/testingafdpl \

+ --private-link-sub-resource-type web

+

+```

+## Approve Private Endpoint Connection from Storage Account

+1. Run [az network private-endpoint-connection list](/cli/azure/network/private-endpoint-connection#az-network-private-endpoint-connection-list) to list the private endpoint connections for your storage account. Note down the 'Resource ID' of the private endpoint connection available in your storage account, in the first line of your output.

+```azurecli-interactive

+ az network private-endpoint-connection list -g testRG -n testingafdpl --type Microsoft.Storage/storageAccounts

+```

+2. Run [az network private-endpoint-connection approve](/cli/azure/network/private-endpoint-connection#az-network-private-endpoint-connection-approve) to approve the private endpoint connection.

+```azurecli-interactive

+ az network private-endpoint-connection approve --id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testRG/providers/Microsoft.Storage/storageAccounts/testingafdpl/privateEndpointConnections/testingafdpl.00000000-0000-0000-0000-000000000000

+```

+## Create Private Endpoint Connection to Web_Secondary

+When creating a private endpoint connection to the storage static website's secondary sub-resource, you need to add a **-secondary** suffix to the origin host header. For example, if your origin host header is `example.z13.web.core.windows.net`, you need to change it to `example-secondary.z13.web.core.windows.net`.

+Once the origin is added and the private endpoint connection is approved, you can test your private link connection to your storage static website.

+1. Select the root management group.

+1. Select **Settings** on the left side of the page.

+1. Select the root management group.

+1. Select **Settings** on the left side of the page.

+1. Turn on the **Permissions for creating new management groups** toggle.

+ If the **Require write permissions for creating new management groups** toggle is unavailable, the cause is one of these conditions:

+1. Select **All services**. In the **Filter services** text box, enter *Management groups* and select it from the list.

+1. Select **All services**. In the **Filter services** text box, enter *Management groups* and select it from the list.

+1. Select **All services**. In the **Filter services** text box, enter *Management groups* and select it from the list.

+1. Select **All services**. In the **Filter services** text box, enter *Management groups* and select it from the list.

+1. From **Add subscription** select the subscription in the list with the correct ID.

+1. Select **All services**. In the **Filter services** text box, enter *Management groups* and select it from the list.

+1. Select **All services**. In the **Filter services** text box, enter *Management groups* and select it from the list.

+1. At the top of the page, select **Create**.

+1. On the **Create management group** pane, choose whether you want to use a new or existing management group:

+ - Selecting **Use existing** presents you with a dropdown list of all the management groups that you can move to this management group.

+- [Quickstart: Create a management group](./create-management-group-portal.md)

+# Azure Policy assignment structure

+Policy assignments define which resources are evaluated by a policy definition or initiative. Further, the policy assignment can determine the values of parameters for that group of resources at assignment time, making it possible to reuse policy definitions that address the same resource properties with different needs for compliance.

+ "properties": {

+ "displayName": "Enforce resource naming rules",

+ "description": "Force resource names to begin with DeptA and end with -LC",

+ "definitionVersion": "1.*.*",

+ "metadata": {

+ "assignedBy": "Cloud Center of Excellence"

+ },

+ "enforcementMode": "DoNotEnforce",

+ "notScopes": [],

+ "policyDefinitionId": "/subscriptions/{mySubscriptionID}/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming",

+ "nonComplianceMessages": [

+ {

+ "message": "Resource names must start with 'DeptA' and end with '-LC'."

+ }

+ ],

+ "parameters": {

+ "prefix": {

+ "value": "DeptA"

+ },

+ "suffix": {

+ "value": "-LC"

+ }

+ },

+ "identity": {

+ "type": "SystemAssigned"

+ },

+ "resourceSelectors": [],

+ "overrides": []

+ }

+## Scope

+The scope used for assignment resource creation time is the primary driver of resource applicability. For more information on assignment scope, see [Understand scope in Azure Policy](./scope.md#assignment-scopes).

+This field must be the full path name of either a policy definition or an initiative definition. The `policyDefinitionId` is a string and not an array. The latest content of the assigned policy definition or initiative is retrieved each time the policy assignment is evaluated. The recommendation is that if multiple policies are often assigned together, to use an [initiative](./initiative-definition-structure.md) instead.

+For built-in definitions and initiatives, you can use specific the `definitionVersion` of which to assess on. By default, the version is set to the latest major version and autoingest minor and patch changes.

+- To autoingest any minor changes of the definition, the version number would be `#.*.*`. The Wildcard represents autoingesting updates.

+- To pin to a minor version path, the version format would be `#.#.*`.

+- All patch changes must be autoinjested for security purposes. Patch changes are limited to text changes and break glass scenarios.

+You use `displayName` and `description` to identify the policy assignment and provide context for its use with the specific set of resources. `displayName` has a maximum length of _128_ characters and `description` a maximum length of _512_ characters.

+The optional `metadata` property stores information about the policy assignment. Customers can define any properties and values useful to their organization in `metadata`. However, there are some _common_ properties used by Azure Policy. Each `metadata` property has a limit of 1,024 characters.

+- `updatedBy` (string): The friendly name of the security principal that updated the assignment, if any.

+- `updatedOn` (string): The Universal ISO 8601 DateTime format of the assignment update time, if any.

+- `parameterScopes` (object): A collection of key-value pairs where the key matches a [strongType](./definition-structure-parameters.md#strongtype) configured parameter name and the value defines the resource scope used in Portal to provide the list of available resources by matching _strongType_. Portal sets this value if the scope is different than the assignment scope. If set, an edit of the policy assignment in Portal automatically sets the scope for the parameter to this value. However, the scope isn't locked to the value and it can be changed to another scope.

+ The following example of `parameterScopes` is for a _strongType_ parameter named `backupPolicyId` that sets a scope for resource selection when the assignment is edited in the portal.

+ "backupPolicyId": "/subscriptions/{SubscriptionID}/resourcegroups/{ResourceGroupName}"

+The optional `resourceSelectors` property facilitates safe deployment practices (SDP) by enabling you to gradually roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location. When resource selectors are used, Azure Policy only evaluates resources that are applicable to the specifications made in the resource selectors. Resource selectors can also be used to narrow down the scope of [exemptions](exemption-structure.md) in the same way.

+ "properties": {

+ "policyDefinitionId": "/subscriptions/{subId}/providers/Microsoft.Authorization/policyDefinitions/ResourceLimit",

+ "definitionVersion": "1.1.*",

+ "resourceSelectors": [

+ {

+ "name": "SDPRegions",

+ "selectors": [

+ {

+ "kind": "resourceLocation",

+ "in": [

+ "eastus",

+ "westus"

+ ]

+ }

+ }

+ ]

+ },

+ "systemData": { ...

+ },

+ "id": "/subscriptions/{subId}/providers/Microsoft.Authorization/policyAssignments/ResourceLimit",

+ "type": "Microsoft.Authorization/policyAssignments",

+ "name": "ResourceLimit"

+ "properties": {

+ "policyDefinitionId": "/subscriptions/{subId}/providers/Microsoft.Authorization/policyDefinitions/ResourceLimit",

+ "definitionVersion": "1.1.*",

+ "resourceSelectors": [

+ {

+ "name": "SDPRegions",

+ "selectors": [

+ {

+ "kind": "resourceLocation",

+ "in": [

+ "eastus",

+ "westus",

+ "centralus",

+ "southcentralus"

+ ]

+ }

+ }

+ ]

+ },

+ "systemData": { ...

+ },

+ "id": "/subscriptions/{subId}/providers/Microsoft.Authorization/policyAssignments/ResourceLimit",

+ "type": "Microsoft.Authorization/policyAssignments",

+ "name": "ResourceLimit"

+A **resource selector** can contain multiple `selectors`. To be applicable to a resource selector, a resource must meet requirements specified by all its selectors. Further, up to 10 `resourceSelectors` can be specified in a single assignment. In-scope resources are evaluated when they satisfy any one of these resource selectors.

+Let's take a look at an example. Imagine you have a policy initiative named _CostManagement_ that includes a custom policy definition with `policyDefinitionReferenceId` _corpVMSizePolicy_ and a single effect of `audit`. Suppose you want to assign the _CostManagement_ initiative, but don't yet want to see compliance reported for this policy. This policy's `audit` effect can be replaced by `disabled` through an override on the initiative assignment, as shown in the following sample:

+ "properties": {

+ "policyDefinitionId": "/subscriptions/{subId}/providers/Microsoft.Authorization/policySetDefinitions/CostManagement",

+ "overrides": [

+ {

+ "kind": "policyEffect",

+ "value": "disabled",

+ "selectors": [

+ {

+ "kind": "policyDefinitionReferenceId",

+ "in": [

+ "corpVMSizePolicy"

+ ]

+ }

+ }

+ ]

+ },

+ "systemData": { ...

+ },

+ "id": "/subscriptions/{subId}/providers/Microsoft.Authorization/policyAssignments/CostManagement",

+ "type": "Microsoft.Authorization/policyAssignments",

+ "name": "CostManagement"

+- `kind`: The property the assignment overrides. The supported kinds are `policyEffect` and `policyVersion`.

+ - `kind`: The property of a selector that describes which characteristic narrows down the scope of the override. Allowed values for `kind: policyEffect`:

+ - `policyDefinitionReferenceId`: This property specifies which policy definitions within an initiative assignment should take on the effect override.

+ Allowed value for `kind: policyVersion`:

+One override can be used to replace the effect of many policies by specifying multiple values in the `policyDefinitionReferenceId` array. A single override can be used for up to 50 `policyDefinitionReferenceId`, and a single policy assignment can contain up to 10 overrides, evaluated in the order in which they're specified. Before the assignment is created, the effect chosen in the override is validated against the policy rule and parameter allowed value list (in cases where the effect is [parameterized](./definition-structure-parameters.md)).

+The `enforcementMode` property provides customers the ability to test the outcome of a policy on existing resources without initiating the policy effect or triggering entries in the [Azure Activity log](../../../azure-monitor/essentials/platform-logs-overview.md).

+This scenario is commonly referred to as _What If_ and aligns to safe deployment practices. `enforcementMode` is different from the [Disabled](./effects.md#disabled) effect, as that effect prevents resource evaluation from happening at all.

+If `enforcementMode` isn't specified in a policy or initiative definition, the value _Default_ is used. [Remediation tasks](../how-to/remediate-resources.md) can be started for [deployIfNotExists](./effects.md#deployifnotexists) policies, even when `enforcementMode` is set to _DoNotEnforce_.

+The **scope** of the assignment includes all child resource containers and child resources. If a child resource container or child resource shouldn't have the definition applied, each can be _excluded_ from evaluation by setting `notScopes`. This property is an array to enable excluding one or more resource containers or resources from evaluation. `notScopes` can be added or updated after creation of the initial assignment.

+To set a custom message that describes why a resource is non-compliant with the policy or initiative definition, set `nonComplianceMessages` in the assignment definition. This node is an array of `message` entries. This custom message is in addition to the default error message for non-compliance and is optional.

+ {

+ "message": "Default message"

+ }

+If the assignment is for an initiative, different messages can be configured for each policy definition in the initiative. The messages use the `policyDefinitionReferenceId` value configured in the initiative definition. For more information, see [policy definitions properties](./initiative-definition-structure.md#policy-definition-properties).

+ {

+ "message": "Default message"

+ },

+ {

+ "message": "Message for just this policy definition by reference ID",

+ "policyDefinitionReferenceId": "10420126870854049575"

+ }

+This segment of the policy assignment provides the values for the parameters defined in the [policy definition or initiative definition](./definition-structure-parameters.md). This design makes it possible to reuse a policy or initiative definition with different resources, but check for different business values or outcomes.

+ "prefix": {

+ "value": "DeptA"

+ },

+ "suffix": {

+ "value": "-LC"

+ }

+In this example, the parameters previously defined in the policy definition are `prefix` and `suffix`. This particular policy assignment sets `prefix` to **DeptA** and `suffix` to **-LC**. The same policy definition is reusable with a different set of parameters for a different department, reducing the duplication and complexity of policy definitions while providing flexibility.

+For policy assignments with effect set to `deployIfNotExists` or `modify`, the requirement is to have an identity property to do remediation on non-compliant resources. When an assignment uses an identity, the user must also specify a location for the assignment.

+ "type": "SystemAssigned"

+}

+ "type": "UserAssigned",

+ "userAssignedIdentities": {

+ "/subscriptions/SubscriptionID/resourceGroups/{rgName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/test-identity": {}

+ }

+},

+- Review what a management group is with [Organize your resources with Azure management groups](../../management-groups/overview.md).

+When initiative or policy definitions are assigned, Azure Policy determines which resources are [applicable](./policy-applicability.md) then evaluates those resources that aren't [excluded](./assignment-structure.md#excluded-scopes) or [exempted](./exemption-structure.md). Evaluation yields **compliance states** based on conditions in the policy rule and each resources adherence to those requirements.

+Policy assignments with `audit`, `auditIfNotExists`, or `modify` effects are considered non-compliant for _new_, _updated_, or _existing_ resources when the conditions of the policy rule evaluate to `TRUE`.

+Policy assignments with `append`, `deny`, and `deployIfNotExists` effects are considered non-compliant for _existing_ resources when the conditions of the policy rule evaluate to `TRUE`. _New_ and _updated_ resources are automatically remediated or denied at request time to enforce compliance. When a previously existing non-compliant resource is updated, the compliance state remains non-compliant until the resource deployment and Policy evaluation complete.

+> The `deployIfNotExists` and `auditIfNotExists` effects require the IF statement to be TRUE and the

+1. The policy definition has a default compliance state of non-compliant and there's no active [attestation](./attestation-structure.md) for the applicable resource stating otherwise.

+1. The resource was attested as non-compliant.

+To determine the reason a resource is non-compliant or to find the change responsible, see [Determine causes of non-compliance](../how-to/determine-non-compliance.md). To [remediate](./remediation-structure.md) non-compliant resources for `deployIfNotExists` and `modify` policies, see [Remediate non-compliant resources with Azure Policy](../how-to/remediate-resources.md).

+Policy assignments with `append`, `audit`, `auditIfNotExists`, `deny`, `deployIfNotExists`, or `modify` effects are considered compliant for _new_, _updated_, or _existing_ resources when the conditions of the policy rule evaluate to `FALSE`.

+1. The policy definition has a default compliance state of compliant and there's no active [attestation](./attestation-structure.md) for the applicable resource stating otherwise.

+1. The resource was attested as compliant.

+> _Exempt_ is different than _excluded_. For more information, see [Understand scope in Azure Policy](./scope.md).

+Unknown is the default compliance state for definitions with `manual` effect, unless the default was explicitly set to compliant or non-compliant. This state indicates that an [attestation](./attestation-structure.md) of compliance is warranted. This compliance state only occurs for policy assignments with `manual` effect.

+Protected state signifies that the resource is covered under an assignment with a [denyAction](./effect-deny-action.md) effect.

+This compliance state is visible in Azure portal when the Azure Policy Resource Provider isn't registered, or when the signed in account doesn't have permission to read compliance data.

+> `Microsoft.PolicyInsights` Resource Provider is registered and that the user has the appropriate Azure role-based access control (Azure RBAC) permissions as described in

+> To register `Microsoft.PolicyInsights`, follow the steps in [Azure resource providers and types](../../../azure-resource-manager/management/resource-providers-and-types.md).

+This compliance state indicates that the evaluation cycle isn't started for the policy or resource.

+Now that you have an understanding of what compliance states exist and what each one means, let's look at an example using compliant and non-compliant states.

+In this example, you need to be wary of security risks. Assume you assign a policy definition that audits for storage accounts that are exposed to public networks, and that no exemptions are created for this assignment. The policy checks for applicable resources (which includes all storage accounts in the ContosoRG resource group), then evaluates those resources that aren't excluded from evaluation. It audits the three storage accounts exposed to public networks, changing their compliance states to **Non-compliant.** The remainders are marked **compliant**.

+So how is the aggregate compliance state determined if multiple resources or policies have different compliance states themselves? Azure Policy ranks each compliance state so that one _wins_ over another in this situation. The rank order is:

+With this rank order, if there are both non-compliant and compliant states, then the rolled up aggregate would be non-compliant, and so on. Let's look at an example:

+### Compliance percentage

+The compliance percentage is determined by dividing **Compliant**, **Exempt**, and **Unknown** resources by _total resources_. _Total resources_ include resources with **Compliant**, **Non-compliant**, **Unknown**, **Exempt**, **Conflicting**, and **Error** states.

+In the image shown, there are 20 distinct resources that are applicable and only one is **Non-compliant**. The overall resource compliance is 95% (19 out of 20).

+- Get compliance data through [Azure Resource Graph sample queries for Azure Policy](../samples/resource-graph-samples.md)

+The Azure Policy exemptions feature is used to _exempt_ a resource hierarchy or an individual resource from evaluation of initiatives or definitions. Resources that are _exempt_ count toward overall compliance, but can't be evaluated or have a temporary waiver. For more information, see [Understand applicability in Azure Policy](./policy-applicability.md). Azure Policy exemptions also work with the following [Resource Manager modes](./definition-structure.md#resource-manager-modes): `Microsoft.Kubernetes.Data`, `Microsoft.KeyVault.Data`, and `Microsoft.Network.Data`.

+A policy exemption is created as a child object on the resource hierarchy or the individual resource granted the exemption. Exemptions can't be created at the Resource Provider mode component level. If the parent resource to which the exemption applies is removed, then the exemption is removed as well.

+For example, the following JSON shows a policy exemption in the **waiver** category of a resource to an initiative assignment named `resourceShouldBeCompliantInit`. The resource is _exempt_ from only two of the policy definitions in the initiative, the `customOrgPolicy` custom policy definition ( `policyDefinitionReferenceId`: `requiredTags`) and the **Allowed locations** built-in policy definition ( `policyDefinitionReferenceId` : `allowedLocations`):

+ "id": "/subscriptions/{subId}/resourceGroups/{rgName}/providers/Microsoft.Authorization/policyExemptions/resourceIsNotApplicable",

+ "apiVersion": "2020-07-01-preview",

+ "name": "resourceIsNotApplicable",

+ "type": "Microsoft.Authorization/policyExemptions",

+ "properties": {

+ "displayName": "This resource is scheduled for deletion",

+ "description": "This resources is planned to be deleted by end of quarter and has been granted a waiver to the policy.",

+ "metadata": {

+ "requestedBy": "Storage team",

+ "approvedBy": "IA",

+ "approvedOn": "2020-07-26T08:02:32.0000000Z",

+ "ticketRef": "4baf214c-8d54-4646-be3f-eb6ec7b9bc4f"

+ },

+ "policyAssignmentId": "/subscriptions/{mySubscriptionID}/providers/Microsoft.Authorization/policyAssignments/resourceShouldBeCompliantInit",

+ "policyDefinitionReferenceId": [

+ "requiredTags",

+ "allowedLocations"

+ ],

+ "exemptionCategory": "waiver",

+ "expiresOn": "2020-12-31T23:59:00.0000000Z",

+ "assignmentScopeValidation": "Default"

+ }

+You use `displayName` and `description` to identify the policy exemption and provide context for its use with the specific resource. `displayName` has a maximum length of _128_ characters and `description` a maximum length of _512_ characters.

+The `metadata` property allows creating any child property needed for storing relevant information. In the example, properties `requestedBy`, `approvedBy`, `approvedOn`, and `ticketRef` contains customer values to provide information on who requested the exemption, who approved it and when, and an internal tracking ticket for the request. These `metadata` properties are examples, but they aren't required and `metadata` isn't limited to these child properties.

+This field must be the full path name of either a policy assignment or an initiative assignment. The `policyAssignmentId` is a string and not an array. This property defines which assignment the parent resource hierarchy or individual resource is _exempt_ from.

+If the `policyAssignmentId` is for an initiative assignment, the `policyDefinitionReferenceId` property might be used to specify which policy definition in the initiative the subject resource has an exemption to. As the resource might be exempted from one or more included policy definitions, this property is an _array_. The values must match the values in the initiative definition in the `policyDefinitions.policyDefinitionReferenceId` fields.

+- Mitigated: The exemption is granted because the policy intent is met through another method.

+- Waiver: The exemption is granted because the non-compliance state of the resource is temporarily accepted. Another reason to use this category is to exclude a resource or resource hierarchy from one or more definitions in an initiative, but shouldn't be excluded from the entire initiative.

+To set when a resource hierarchy or an individual resource is no longer _exempt_ from an assignment, set the `expiresOn` property. This optional property must be in the Universal ISO 8601 DateTime format `yyyy-MM-ddTHH:mm:ss.fffffffZ`.

+> The policy exemptions isn't deleted when the `expiresOn` date is reached. The object is preserved for record-keeping, but the exemption is no longer honored.

+Exemptions support an optional property `resourceSelectors` that works the same way in exemptions as it does in assignments. The property allows for gradual rollout or rollback of an _exemption_ to certain subsets of resources in a controlled manner based on resource type, resource location, or whether the resource has a location. More details about how to use resource selectors can be found in the [assignment structure](assignment-structure.md#resource-selectors). The following JSON is an example exemption that uses resource selectors. In this example, only resources in `westcentralus` are exempt from the policy assignment:

+ "properties": {

+ "policyAssignmentId": "/subscriptions/{subId}/providers/Microsoft.Authorization/policyAssignments/CostManagement",

+ "policyDefinitionReferenceId": [

+ "limitSku",

+ "limitType"

+ ],

+ "exemptionCategory": "Waiver",

+ "resourceSelectors": [

+ {

+ "name": "TemporaryMitigation",

+ "selectors": [

+ {

+ "kind": "resourceLocation",

+ "in": [

+ "westcentralus"

+ ]

+ }

+ }

+ ]

+ },

+ "systemData": { ...

+ },

+ "id": "/subscriptions/{subId}/resourceGroups/{rgName}/providers/Microsoft.Authorization/policyExemptions/DemoExpensiveVM",

+ "type": "Microsoft.Authorization/policyExemptions",

+ "name": "DemoExpensiveVM"

+In most scenarios, the exemption scope is validated to ensure it's at or under the policy assignment scope. The optional `assignmentScopeValidation` property can allow an exemption to bypass this validation and be created outside of the assignment scope. This validation is intended for situations where a subscription needs to be moved from one management group (MG) to another, but the move would be blocked by policy due to properties of resources within the subscription. In this scenario, an exemption could be created for the subscription in its current MG to exempt its resources from a policy assignment on the destination MG. That way, when the subscription is moved into the destination MG, the operation isn't blocked because resources are already exempt from the policy assignment in question. The use of this property is shown in the following example:

+ "properties": {

+ "policyAssignmentId": "/providers/Microsoft.Management/managementGroups/{mgName}/providers/Microsoft.Authorization/policyAssignments/CostManagement",

+ "policyDefinitionReferenceId": [

+ "limitSku",

+ "limitType"

+ ],

+ "exemptionCategory": "Waiver",

+ "assignmentScopeValidation": "DoNotValidate",

+ },

+ "systemData": { ...

+ },

+ "id": "/subscriptions/{subId}/providers/Microsoft.Authorization/policyExemptions/DemoExpensiveVM",

+ "type": "Microsoft.Authorization/policyExemptions",

+ "name": "DemoExpensiveVM"

+Allowed values for `assignmentScopeValidation` are `Default`and `DoNotValidate`. If not specified, the default validation process occurs.

+The Azure role-based access control (Azure RBAC) permissions needed to manage Policy exemption objects are in the `Microsoft.Authorization/policyExemptions` operation group. The built-in roles [Resource Policy Contributor](../../../role-based-access-control/built-in-roles.md#resource-policy-contributor) and [Security Admin](../../../role-based-access-control/built-in-roles.md#security-admin) both have the `read` and `write` permissions and [Policy Insights Data Writer (Preview)](../../../role-based-access-control/built-in-roles.md#policy-insights-data-writer-preview) has the `read` permission.

+Exemptions have extra security measures because of the effect of granting an exemption. Beyond requiring the `Microsoft.Authorization/policyExemptions/write` operation on the resource hierarchy or individual resource, the creator of an exemption must have the `exempt/Action` verb on the target assignment.

+Exemptions are recommended for time-bound or specific scenarios where a resource or resource hierarchy should still be tracked and would otherwise be evaluated, but there's a specific reason it shouldn't be assessed for compliance. For example, if an environment has the built-in definition `Storage accounts should disable public network access` (ID: `b2982f36-99f2-4db5-8eff-283140c09693`) assigned with _effect_ set to _audit_. Upon compliance assessment, resource `StorageAcc1` is non-compliant, but `StorageAcc1` must have public network access enable for business purposes. At that time, a request should be submitted to create an exemption resource that targets `StorageAcc1`. After the exemption is created, `StorageAcc1` is shown as _exempt_ in compliance review.

+Regularly revisit your exemptions to ensure that all eligible items are appropriately exempted and promptly remove any that don't qualify for exemption. At that time, expired exemption resources can be deleted as well.

+- Learn about [Azure Resource Graph queries on exemptions](../samples/resource-graph-samples.md#azure-policy-exemptions).

+- Review the [Microsoft.Authorization policyExemptions resource type](/azure/templates/microsoft.authorization/policyexemptions?tabs=json).

+There are many settings that determine which resources are capable of being evaluated and which resources Azure Policy evaluates. The primary concept for these controls is _scope_. Scope in Azure Policy is based on how scope works in Azure Resource Manager. For a high-level overview, see [Scope in Azure Resource Manager](../../../azure-resource-manager/management/overview.md#understand-scope).

+This article explains the importance of _scope_ in Azure Policy and the related objects and properties.

+The first instance scope used by Azure Policy is when a policy definition is created. The definition might be saved in either a management group or a subscription. The location determines the scope to which the initiative or policy can be assigned. Resources must be within the resource hierarchy of the definition location to target for assignment. The [resources covered by Azure Policy](../overview.md#resources-covered-by-azure-policy) describes how policies are evaluated.

+- Subscription: The subscription where policy is defined and resources within that subscription can be assigned the policy definition.

+- Management group: The management group where the policy is defined and resources within child management groups and child subscriptions can be assigned the policy definition. If you plan to apply the policy definition to several subscriptions, the location must be a management group that contains each subscription.

+The location should be the resource container shared by all resources you want to use the policy definition on exist. This resource container is typically a management group near the root management group.

+An assignment has several properties that set a scope. The use of these properties determines which resource for Azure Policy to evaluate and which resources count toward compliance. These properties map to the following concepts:

+- Inclusion: A definition evaluates compliance for a resource hierarchy or individual resource. The assignment object's scope determines what to include and evaluate for compliance. For more information, see [Azure Policy assignment structure](./assignment-structure.md).

+- Exclusion: A definition shouldn't evaluate compliance for a resource hierarchy or individual resource. The `properties.notScopes` _array_ property on an assignment object determines what to exclude. Resources within these scopes aren't evaluated or included in the compliance count. For more information, see [Azure Policy assignment structure excluded scopes](./assignment-structure.md#excluded-scopes).

+In addition to the properties on the policy assignment, is the [Azure Policy exemption structure](./exemption-structure.md) object. Exemptions enhance the scope story by providing a method to identify a portion of an assignment to not be evaluated.

+Exemption: A definition evaluates compliance for a resource hierarchy or individual resource, but doesn't evaluate for a reason such as a waiver or mitigation through another method. Resources in this state show as **Exempted** in compliance reports so that they can be tracked. The exemption object is created on the resource hierarchy or individual resource as a child object, which determines the scope of the exemption. A resource hierarchy or individual resource can be exempt from multiple assignments. The exemption might be configured to expire on a schedule by using the `expiresOn` property. For more information, see [Azure Policy exemption structure](./exemption-structure.md).

+> [!NOTE]

+> Due to the impact of granting an exemption for a resource hierarchy or individual resource, exemptions have additional security measures. In addition to requiring the `Microsoft.Authorization/policyExemptions/write` operation on the resource hierarchy or individual resource, the creator of an exemption must have the `exempt/Action` verb on the target assignment.

+| Resources | Inclusion | Exclusion (notScopes) | Exemption |

+| Resources are evaluated | &#10004; | - | - |

+| Resource Manager object | - | - | &#10004; |

+| Requires modifying policy assignment object | &#10004; | &#10004; | - |

+- Learn about the [policy definition structure](./definition-structure-basics.md).

+- Learn more about how to [Organize your resources with Azure management groups](../../management-groups/overview.md).

+## `az login`

+[Sign in to Azure](/cli/azure/reference-index#az-login).

+## `az hdinsight create`

+## `az hdinsight application create`

+## `az hdinsight script-action execute`

+This article provides a summary and overview of the process of creating and configuring an HDInsight cluster integrated with Microsoft Entra ID. This integration relies on a HDInsight feature called Enterprise Security Package (ESP), Microsoft Entra Domain Services and your preexisting on-premises Active Directory.

+Each of these items are discussed in detail. For a walkthrough of completing all of these steps, see [Create and configure Enterprise Security Package clusters in Azure HDInsight](apache-domain-joined-create-configure-enterprise-security-cluster.md).

+After the virtual networks are peered, configure the HDInsight virtual network to use a custom DNS server. And enter the Microsoft Entra Domain Services private IPs as the DNS server addresses. When both virtual networks use the same DNS servers, your custom domain name resolves to the right IP and it's reachable from HDInsight. For example, if your domain name is `contoso.com`, then after this step, `ping contoso.com` should resolve to the right Microsoft Entra Domain Services IP.

+* **SparkML** - SparkML is a newer package that provides a higher-level API built on top of Spark DataFrames for constructing ML pipelines.

+After you create the application, build it to produce the `/bin/Debug/mapper.exe` file in the project directory.

+After you create the application, build it to produce the `/bin/Debug/reducer.exe` file in the project directory.

+ You can list and download these files by using the [Azure CLI](/cli/azure/install-azure-cli). For more information, see [Use Azure CLI with Azure Storage](../../storage/blobs/storage-quickstart-blobs-cli.md).

+ | `sessionid` |bigint |

+The cluster, SQL database, and other objects are created through the Azure portal using an Azure Resource Manager template. The template can be found in [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/hdinsight-linux-with-sql-database/). The Resource Manager template calls a bacpac package to deploy the table schemas to an SQL database. If you want to use a private container for the bacpac files, use the following values in the template:

+ |Cluster sign-in User Name |Keep the prepopulated value `admin`.|

+ |Cluster sign in Password |Enter a password.|

+ |Ssh User Name |Keep the prepopulated value `sshuser`.|

+ |Sql Admin sign-in |Keep the prepopulated value `sqluser`.|

+| [SSH](apache-hadoop-use-sqoop-mac-linux.md) |? |? |Linux, Unix, macOS X, or Windows |

+The following command replaces `sshuser` with the actual username if different. Replace `mycluster` with the actual cluster name. Ensure your working directory is where the file is located.

+3. After you enter the following line, the job should start. Once the job completes, it returns output similar to the following data:

+[!Code-powershell[main](../../../powershell_scripts/hdinsight/run-python-udf/run-python-udf.ps1?range=135-139)]

+This error points to a problem with custom DNS configuration. DNS servers within a virtual network can forward DNS queries to Azure's recursive resolvers to resolve hostnames within that virtual network (see [Name Resolution in Virtual Networks](../../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md) for details). Access to Azure's recursive resolvers is provided via the virtual IP 168.63.129.16. This IP is only accessible from the Azure VMs. It's nonfunctional if you're using an on-premises DNS server, or your DNS server is an Azure VM, which isn't part of the cluster's virtual network.

+* If your cluster uses a [Network Security Group (NSG)](../../virtual-network/virtual-network-vnet-plan-design-arm.md)

+* If your cluster uses a [User-defined Routes (UDR)](../../virtual-network/virtual-networks-udr-overview.md)

+When you use Private Linked HDInsight clusters, outbound access from the cluster must be configured to allow connections to be made to the HDInsight resource provider.

+## "Virtual network configuration isn't compatible with HDInsight requirement"

+#### 168.63.129.16 isn't in this list

+If your use case involves reading the most recently written data from HBase, this advisory can help you. For high performance, it's optimal that HBase reads are to be served from `memstore`, instead of the remote storage.

+The query advisory indicates that for a given column family in a table > 75% reads that are getting served from `memstore`. This indicator suggests that even if a flush happens on the `memstore` the recent file needs to be accessed and that needs to be in cache. The data is first written to `memstore` the system accesses the recent data there. There's a chance that the internal HBase flusher threads detect that a given region has reached 128M (default) size and can trigger a flush. This scenario happens to even the most recent data that was written when the `memstore` was around 128M in size. Therefore, a later read of those recent records may require a file read rather than from `memstore`. Hence it's best to optimize that even recent data that is recently flushed can reside in the cache.

+ These configurations help ensure that the data is available in cache and that the recent data doesn't undergo compaction. If a TTL is possible in your scenario, then consider using date-tiered compaction. For more information, see [Apache HBase Reference Guide: Date Tiered Compaction](https://hbase.apache.org/book.html#ops.date.tiered)

+Additionally, see if you have a recommendation for region count tuning. If yes, we suggest you try the region tuning to see if that helps in faster flushes. Otherwise, tuning the flusher threads may help you.

+When there's an excessive number of files for compaction, it may lead to more heap usage related to how the files interact with the Azure file system. So it's better to complete the compaction as quickly as possible. Some times in older clusters the compaction configurations related to throttling might lead to slower compaction rate.

+Check the configurations `hbase.hstore.compaction.throughput.lower.bound` and `hbase.hstore.compaction.throughput.higher.bound`. If they're already set to 50M and 100M, leave them as it is. However, if you configured those settings to a lower value (which was the case with older clusters), change the limits to 50M and 100M respectively.

+* In cases where you need a full table or region scan, check if there's a possibility to avoid cache usage for those queries, so that other queries that use of the cache might not evict the blocks that are hot. To ensure the scans don't use cache, use the **scan** API with the **setCaching(false)** option in your code:

+ Title: HBase hbck returns inconsistencies in Azure HDInsight

+description: Base hbck returns inconsistencies in Azure HDInsight

+This article describes troubleshooting steps and possible resolutions for issues when interacting with Azure HDInsight clusters. If you're using hbase-2.x, see [How to use Apache HBase HBCK2 tool](./how-to-use-hbck2-tool.md)

+## Issue: Region isn't in `hbase:meta`

+In this scenario, you need to merge RegionA and RegionC and get RegionD with the same key range as RegionB, then merge RegionB and RegionD. `xxxxxxx` and `yyyyyy` are the hash string at the end of each region name. Be careful here not to merge two discontinuous regions. After each merge, like merge A and C, HBase will start a compaction on RegionD. Wait for the compaction to finish before doing another merge with RegionD. You can find the compaction status on that region server page in HBase HMaster UI.

+It's most likely due to region partial deletion when RegionServer crashes or VM reboots. Currently, the Azure Storage is a flat blob file system and some file operations aren't atomic.

+* If you're using PowerShell, you need to install the [AZ Module](/powershell/azure/).

+> If you are looking for step by step guidance on connecting HDInsight to your on-premises network using an Azure Virtual Network, see [How to connect HDInsight to your on-premises network](connect-on-premises-network.md).

+These steps only open access to the HDInsight health and management service on the Azure cloud. Any other access to the HDInsight cluster from outside the Virtual Network is blocked. To enable access from outside the virtual network, you must add more Network Security Group rules.

+Before deploying your cluster, you can check that many of your network configuration settings are correct by running the [HDInsight Network Validator tool](https://aka.ms/hnv/v2) on an Azure Linux virtual machine in the same virtual network and subnet as the planned cluster.

+This application uses a Spark [ML pipeline](https://downloads.apache.org/spark/docs/3.3.1/ml-pipeline.html) to do a document classification. ML Pipelines provide a uniform set of high-level APIs built on top of DataFrames. The DataFrames help users create and tune practical machine learning pipelines. In the pipeline, you split the document into words, convert the words into a numerical feature vector, and finally build a prediction model using the feature vectors and labels. Do the following steps to create the application.

+For details on the Spark Structured Stream API, along with the input data sources, operations, and output sinks it supports, see [Apache Spark Structured Streaming Programming Guide](https://spark.apache.org/docs/latest/ss-migration-guide.html).

+* [Apache Spark Structured Streaming Programming Guide](https://spark.apache.org/docs/latest/ss-migration-guide.html)

+In this tutorial, we walk through setting up the FHIR&reg; service in Azure Health Data Services to pass the [Touchstone](https://touchstone.aegis.net/touchstone/) tests for the [CARIN Implementation Guide for Blue Button](https://build.fhir.org/ig/HL7/carin-bb/https://docsupdatetracker.net/index.html) (C4BB IG).

+We first focus on testing FHIR service against the [C4BB IG capability statement](https://touchstone.aegis.net/touchstone/testdefinitions?selectedTestGrp=/FHIRSandbox/CARIN/CARIN-4-BlueButton/00-Capability&activeOnly=false&contentEntry=TEST_SCRIPTS). If you run this test against the FHIR service without any updates, the test fails due to missing search parameters and missing profiles.

+As part of the C4BB IG, you'll need to define three [new search parameters](how-to-do-custom-search.md) for the `ExplanationOfBenefit` resource. Two of these (type and service-date) are tested in the capability statement, and one (insurer) is needed for `_include` searches.

+To assist with creation of these search parameters and profiles, we have a [sample http file](https://github.com/microsoft/fhir-server/blob/main/docs/rest/C4BB/C4BB.http) that includes all the steps previously outlined in a single file. Once you've uploaded all the necessary profiles and search parameters, you can run the capability statement test in Touchstone.

+After testing the capabilities statement, we'll test the [read capabilities](https://touchstone.aegis.net/touchstone/testdefinitions?selectedTestGrp=/FHIRSandbox/CARIN/CARIN-4-BlueButton/01-Read&activeOnly=false&contentEntry=TEST_SCRIPTS) of the FHIR service against the C4BB IG. This tests conformance against the eight profiles you loaded in the first test. You'll need to have resources loaded that conform to the profiles. The best path would be to test against resources that you already have in your database. We also have an [http file](https://github.com/microsoft/fhir-server/blob/main/docs/rest/C4BB/C4BB_Sample_Resources.http) available with sample resources pulled from the examples in the IG that you can use to create the resources to test against.

+The next test we'll review is the [EOB query test](https://touchstone.aegis.net/touchstone/testdefinitions?selectedTestGrp=/FHIRSandbox/CARIN/CARIN-4-BlueButton/02-EOBQuery&activeOnly=false&contentEntry=TEST_SCRIPTS). If you've already completed the read test, you already have all the data that you need loaded. This test validates that you can search for specific `Patient` and `ExplanationOfBenefit` resources using various parameters.

+The final test we'll cover is testing [error handling](https://touchstone.aegis.net/touchstone/testdefinitions?selectedTestGrp=/FHIRSandbox/CARIN/CARIN-4-BlueButton/99-ErrorHandling&activeOnly=false&contentEntry=TEST_SCRIPTS). The only step is to delete an ExplanationOfBenefit resource from your database using the ID of the deleted `ExplanationOfBenefit` resource in the test.

+

+This series of tutorials covers a high-level summary of the Center for Medicare and Medicaid Services (CMS) Interoperability and Patient Access rule, and the technical requirements outlined in this rule. We walk through various implementation guides referenced for this rule. We also provide details on how to configure FHIR&reg; service in Azure Health Data Services to support these implementation guides.

+The CMS released the [Interoperability and Patient Access rule](https://www.cms.gov/Regulations-and-Guidance/Guidance/Interoperability/index) on May 1, 2020. This rule requires free and secure data flow between all parties involved in patient care (patients, providers, and payers) to allow patients to access their health information. Interoperability has plagued the healthcare industry for decades, resulting in siloed data that causes negative health outcomes with higher and unpredictable costs for care. CMS is using their authority to regulate Medicare Advantage (MA), Medicaid, Children's Health Insurance Program (CHIP), and Qualified Health Plan (QHP) issuers on the Federally Facilitated Exchanges (FFEs) to enforce this rule.

+* **Patient Access API (Required July 1, 2021)** ΓÇô CMS-regulated payers (as previously defined) are required to implement and maintain a secure, standards-based API that allows patients to easily access their claims and encounter information, including cost, as well as a defined subset of their clinical information through third-party applications of their choice.

+* **Provider Directory API (Required July 1, 2021)** ΓÇô CMS-regulated payers are required by this portion of the rule to make provider directory information publicly available via a standards-based API. Through making this information available, third-party application developers will be able to create services that help patients find providers for specific care needs, and clinicians find other providers for care coordination.

+* **Payer-to-Payer Data Exchange (Originally required Jan 1, 2022 - [Currently Delayed](https://www.cms.gov/Regulations-and-Guidance/Guidance/Interoperability/index))** ΓÇô CMS-regulated payers are, at the patientΓÇÖs request, required to exchange certain patient clinical data with other payers. While there's no requirement to follow any kind of standard, applying FHIR to exchange this data is encouraged.

+As mentioned previously, FHIR R4 is required to meet this mandate. In addition, there are several implementation guides developed that provide guidance for the rule. [Implementation guides](https://www.hl7.org/fhir/implementationguide.html) provide extra context on top of the base FHIR specification. This includes defining additional search parameters, profiles, extensions, operations, value sets, and code systems.

+The FHIR service has the following capabilities to help you configure your database for the various implementation guides.

+* [HL7 FHIR Da Vinci PDex IG](http://hl7.org/fhir/us/davinci-pdex/STU1/https://docsupdatetracker.net/index.html): The Payer Data Exchange Implementation Guide (PDex IG) is focused on ensuring that payers provide all relevant patient clinical data to meet the requirements for the Patient Access API. This uses the US Core profiles on R4 Resources, and includes (at a minimum) encounters, providers, organizations, locations, dates of service, diagnoses, procedures, and observations. While this data may be available in FHIR format, it may also come from other systems in the format of claims data, HL7 V2 messages, and C-CDA documents.

+* [HL7 US Core IG](https://www.hl7.org/fhir/us/core/toc.html): The HL7 US Core Implementation Guide (US Core IG) is the backbone for the PDex IG previously described. While the PDex IG limits some resources even further than the US Core IG, many resources just follow the standards in the US Core IG.

+* [HL7 FHIR Da Vinci - PDex US Drug Formulary IG](http://hl7.org/fhir/us/Davinci-drug-formulary/https://docsupdatetracker.net/index.html): Part D Medicare Advantage plans have to make formulary information available via the Patient API. They do this using the PDex US Drug Formulary Implementation Guide (USDF IG). The USDF IG defines a FHIR interface to a health insurer’s drug formulary information, which is a list of brand-name and generic prescription drugs that a health insurer agrees to pay for. The main use case is so patients can determine if there is a drug available alternative to one that has been prescribed to them, and to compare drug costs.

+[Touchstone](https://touchstone.aegis.net/touchstone/) is a great resource for testing adherence to the various implementation guides. Throughout the upcoming tutorials, we focus on ensuring that the FHIR service is configured to successfully pass various Touchstone tests. The Touchstone site has a lot of great documentation to help you get up and running.

+Now that you have a basic understanding of the Interoperability and Patient Access rule, implementation guides, and available testing tool (Touchstone), we next walk through setting up FHIR service for the CARIN IG for Blue Button.

+FHIR&reg; service in Azure Health Data Services supports [cross-origin resource sharing (CORS)](https://wikipedia.org/wiki/Cross-Origin_Resource_Sharing). CORS allows you to configure settings so that applications from one domain (origin) can access resources from a different domain, known as a cross-domain request.

+To configure a CORS setting in the FHIR service, specify the following settings.

+- **Headers (Access-Control-Allow-Headers)**. A list of headers that the origin request contains. To allow all headers, enter an asterisk (*).

+By using customer-managed keys (CMK), you can protect and control access to your organization's data with keys that you create and manage. You use [Azure Key Vault](/azure/key-vault/) to create and manage CMK, and then use the keys to encrypt the data stored by the FHIR&reg; service.

+- Add a key for the FHIR service in Azure Key Vault. For steps, see [Add a key in Azure Key Vault](/azure/key-vault/keys/quick-create-portal#add-a-key-to-key-vault). Customer-managed keys must meet the following requirements.

+ - To prevent losing the encryption key for the FHIR service, the key vault or managed HSM must have **soft delete** and **purge protection** enabled. These features allow you to recover deleted keys for a certain time (default is 90 days) and block permanent deletion until that time is over.

+To update the key for the FHIR service, use the Azure portal or an ARM template. During the update, choose whether to use a system-assigned or user-assigned managed identity. For a system-assigned managed identity, make sure to assign the **Key Vault Crypto Service Encryption User** role. For more information, see [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal).

+1. Select a key vault and key, or enter the Key URI for the key that was created previously.

+1. Select an identity type, either System-assigned or User-assigned, that matches the type of managed identity previously configured.

+ :::image type="content" source="media/configure-customer-managed-keys/deploy-name.png" alt-text="Screenshot of the Created FHIR service view with the FHIR service name filled in." lightbox="media/configure-customer-managed-keys/deploy-name.png":::

+In any scenario where the FHIR service can't access the key, API requests return `500` errors and the data is inaccessible until access to the key is restored.

+Common errors that cause databases to become inaccessible are often due to configuration issues. For more information, see [Common errors with customer-managed keys](/sql/relational-databases/security/encryption/troubleshoot-tde).

+The FHIR&reg; service supports the `$export` operation [specified by HL7](https://www.hl7.org/fhir/uv/bulkdata/) for exporting FHIR data from a FHIR server. In the FHIR service implementation, calling the `$export` endpoint causes the FHIR service to export data into a pre-configured Azure storage account.

+Ensure you are granted the application role 'FHIR Data exporter role' prior to configuring export. To understand more on application roles, see [Authentication and Authorization for FHIR service](../../healthcare-apis/authentication-authorization.md).

+There are three steps in setting up the `$export` operation for the FHIR service-

+The first step in configuring your environment for FHIR data export is to enable a system-wide managed identity for the FHIR service. This managed identity is used to authenticate the FHIR service, allowing access to the ADLS Gen2 account during an `$export` operation. For more information about managed identities in Azure, see [About managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md).

+In this step, browse to your FHIR service in the Azure portal and select **Identity**. Set the **Status** option to **On**, and then click **Save**. When the **Yes** and **No** buttons display, select **Yes** to enable the managed identity for the FHIR service. Once the system identity has been enabled, you'll see an **Object (principal) ID** value for your FHIR service.

+7. Select **System-assigned managed identity**, and then select the managed identity that you previously enabled for your FHIR service.

+The final step is to specify the ADLS Gen2 account the FHIR service uses when exporting data.

+2. Select **Export**.

+After you've completed this configuration step, you're ready to export data from the FHIR service. See [How to export FHIR data](./export-data.md) for details on performing `$export` operations with the FHIR service.

+For securely exporting from the FHIR service to an ADLS Gen2 account, there are two options:

+* Allowing specific IP addresses associated with the FHIR service to access the storage account. This option permits two different configurations depending on whether or not the storage account is in the same Azure region as the FHIR service.

+Go to your ADLS Gen2 account in the Azure portal and select **Networking**. Select **Enabled from selected virtual networks and IP addresses** under the **Firewalls and virtual networks** tab.

+Next, run the following PowerShell command to install the `Az.Storage` PowerShell module in your local environment. This allows you to configure your Azure storage accounts using PowerShell.

+Now, use the following PowerShell command to set the selected FHIR service instance as a trusted resource for the storage account. Make sure that all listed parameters are defined in your PowerShell environment.

+In this article, you learned about the three steps in configuring your environment to allow export of data from your FHIR service to an Azure storage account. For more information about Bulk Export capabilities in the FHIR service, see the following.

+In addition to [Microsoft Entra ID](/entra/fundamentals/whatis), you can configure up to two additional identity providers for a FHIR&reg; service, whether the service already exists or is newly created.

+If you don't need any identity providers beside Microsoft Entra ID, set the `smartIdentityProviders` array to null, or omit it from the provisioning request. Otherwise, include at least one valid identity provider configuration object in the array. You can configure up to two additional identity providers.

+You must include at least one application configuration and can add up to 25 applications in the `applications` array. Each application configuration has values that validate access token claims, and an array that defines the permissions for the application to access FHIR resources.

+The identity provider defines the application with a unique identifier called the `clientId` string (or application ID). The FHIR service validates the access token by checking the `authorized party` (azp) or `application id` (appid) claim against the `clientId` string. If the `clientId` string and the token claim don't match exactly, the FHIR service rejects the request with a `401 Unauthorized` error code.

+The `aud` claim in an access token identifies the intended recipient of the token. The `audience` string is the unique identifier for the recipient. The FHIR service validates the access token by checking the `audience` string against the `aud` claim. If the `audience` string and the `aud` claim don't match exactly, the FHIR service rejects requests with a `401 Unauthorized` error code.

+Include at least one permission string in the `allowedDataActions` array. You can include any valid permission strings. Avoid duplicates.

+This article walks you through the steps to configure settings on the FHIR&reg; service for `import` operations. To configure settings, you need to:

+1. Create an Azure storage account or use an existing storage account, and grant permissions for the FHIR service to access it.

+Use the following steps to assign permissions to access the storage account.

+For this step, you need to get the request URL and JSON body.

+Make the following changes to JSON.

+Make the following changes to JSON.

+1. In the Azure portal, go to your Data Lake Storage Gen2 account.

+In this article, you learned how the FHIR service supports the `import` operation, and how you can import data into the FHIR service from a storage account. You also learned about the steps for configuring import settings in the FHIR service. For more information about converting data to FHIR, exporting settings to set up a storage account, and moving data to Azure Synapse Analytics, see:

+Before getting started, follow these steps.

+ You can create and use one or separate ADLS Gen2 accounts and containers to:

+ - Store the HL7v2 data to be transformed (for example: the source account and container from which the pipeline reads the data to be transformed).

+ - Store the transformed FHIR R4 bundles (for example: the destination account and container to which the pipeline writes the transformed result).

+ - Store the errors encountered during the transformation (for example: the destination account and container to which the pipeline writes execution errors).

+4. Create an instance of [ADF](../../data-factory/quickstart-create-data-factory.md), which serves to orchestrate business logic. Ensure that a [system-assigned managed identity](../../data-factory/data-factory-service-identity.md) is enabled.

+In this example, an ADF [pipeline](../../data-factory/concepts-pipelines-activities.md?tabs=data-factory) is used to transform HL7v2 data, and persist a transformed FHIR R4 bundle in a JSON file within the configured destination ADLS Gen2 account and container.

+Azure Data Factory pipelines are a collection of activities that perform a task. This section details the creation of a pipeline that performs the task of transforming HL7v2 data to FHIR R4 bundles. Pipeline execution can be done manually, or regularly based on defined triggers.

+4. Select the **Parameters** tab and provide values based your configuration. Some of the values are based on the resources setup as part of the [prerequisites](#prerequisites).

+ * **acrServer** ΓÇô Provide the name of the ACR server to pull the Liquid templates to use for conversion. The default option is set to `microsofthealth`, which contains the predefined template collection published by Microsoft. To use your own template collection, replace this value with your ACR instance that hosts your templates and is registered to your FHIR service.

+ * **templateReference** ΓÇô Provide the reference to the image within the ACR that contains the Liquid templates to use for conversion. The default option is set to `hl7v2templates:default` to pull the latest published Liquid templates for HL7v2 conversion by Microsoft. To use your own template collection, replace this value with the reference to the image within your ACR that hosts your templates and is registered to your FHIR service.

+ * **inputStorageFolder** ΓÇô The configured container and folder path. For example: `**mycontainer**/**myHL7v2folder**`.

+ > This can be a static folder path, or can be left blank and dynamically configured when setting up storage account triggers for this pipeline execution (refer to the section titled [Executing a pipeline](#executing-a-pipeline)).

+ > This can be a static folder path, or can be left blank and dynamically configured when setting up storage account triggers for this pipeline execution (refer to the section titled [Executing a pipeline](#executing-a-pipeline)).

+ > This can be a static folder path, or can be left blank and dynamically configured when setting up storage account triggers for this pipeline execution (refer to the section titled [Executing a pipeline](#executing-a-pipeline)).

+ * **errorStorageFolder** - The container and folder path within the configured **outputStorageAccount** to which the errors encountered during execution are written. For example: `**mycontainer**/**myerrorfolder**`.

+You can execute (or run) a pipeline either manually, or by using a trigger. There are different types of triggers that can be created to help automate your pipeline execution. For example:

+> In a scenario with batch processing of HL7v2 messages, this template does not take sequencing into account. Post processing will be needed if sequencing is a requirement.

+In the following example, a storage event trigger is used. The storage event trigger automatically triggers the pipeline whenever a new HL7v2 data blob file is uploaded for processing to the ADLS Gen2 storage account.

+To configure the pipeline to automatically run whenever a new HL7v2 blob file in the source ADLS Gen2 storage account is available to transform, follow these steps.

+Triggered runs and their associated pipeline runs can be viewed in the **Monitor** tab. Here, users can browse when each pipeline ran, how long it took to execute, and potentially debug any problems that arose.

+Errors encountered during conversion as part of the pipeline execution result in error details captured as a JSON file in the configured error destination ADLS Gen2 storage account and container. For information on how to troubleshoot `$convert-data`, see [Troubleshoot $convert-data](convert-data-troubleshoot.md).

+This article illustrates how to configure settings for `$convert-data` using the Azure portal to convert health data into [FHIR&reg; R4](https://www.hl7.org/fhir/R4/https://docsupdatetracker.net/index.html).

+> The default templates are provided to help you get started with your data conversion workflow. These default templates are _not_ intended for production and might change when Microsoft releases updates for the FHIR service. To have consistent data conversion behavior across different versions of the FHIR service, you must do the following.

+The provided default templates can be used as a starting point if needed, on top of which your customizations can be added. When making updates to the templates, consider following these guidelines to avoid unintended conversion results.

+The template should be authored in a way such that it yields a valid structure for a FHIR bundle resource.

+The overall template follows the structure and expectations for a FHIR bundle resource, with the FHIR bundle JSON being at the root of the file. If you choose to add custom fields to the template that arenΓÇÖt part of the FHIR specification for a bundle resource, the conversion request could. However, the converted result could potentially have unexpected output, and wouldn't yield a valid FHIR bundle resource that can be persisted in the FHIR service as is.

+In the example code, two example custom fields `customfield_message` and `customfield_data` aren't FHIR properties per the specification, and the FHIR bundle resource seem to be nested under `customfield_data` (that is, the FHIR bundle JSON isn't at the root of the file). This template doesnΓÇÖt align with the expected structure around a FHIR bundle resource. The conversion request might succeed using the provided template. However, the returned converted result could potentially have unexpected output (due to certain post conversion processing steps being skipped). It wouldn't be considered a valid FHIR bundle (since it's nested and has non FHIR specification properties) and attempting to persist the result in your FHIR service fails.

+Hosting your own templates and using them for `$convert-data` operations involves the following seven steps.

+4. On the **Members** tab, select **Managed identity**, and then **Select members**.

+`<RegistryServer>/<imageName>@<imageDigest>`.

+The experience and core `$convert-data` operation functionality is similar for both Azure API for FHIR and the FHIR service in [Azure Health Data Services](../../healthcare-apis/fhir/overview.md). The only difference exists in the setup for the Azure API for FHIR version of the `$convert-data` operation, which requires assigning permissions to the right resources.

+It's possible for dates supplied within JSON data to be returned in a different format than what was supplied. During deserialization of the JSON payload, strings that are identified as dates get converted into .NET DateTime objects. These objects then get converted back to strings before going through the Liquid template engine. This conversion can cause the date value to be reformatted and represented in the local timezone of the FHIR service.

+A `$convert-data` operation call packages the health data for conversion inside JSON-formatted [parameters](http://hl7.org/fhir/parameters.html) in the body of the request. The parameters are described in the following table.

+- **JSON templates are sample templates for use in building your own conversion mappings.** They aren't default templates that adhere to any predefined health data message types. JSON itself isn't specified as a health data format, unlike HL7v2 or C-CDA. As a result, instead of providing default JSON templates, we provide some sample JSON templates as a starting point for your own customized mappings.

+The `$convert-data` operation applies post processing logic after the template is applied to the input. This post processing logic can result in the output looking different, or unexpected errors compared to running the default Liquid template directly. Post processing ensures the output is valid JSON and removes any duplicates based on the ID properties generated for resources in the template. To see the post processing logic in more detail, see the [FHIR-Converter GitHub repository](https://github.com/microsoft/FHIR-Converter/blob/main/src/Microsoft.Health.Fhir.Liquid.Converter/OutputProcessors/PostProcessor.cs).

+There isnΓÇÖt a hard limit on the size of the messages allowed for the `$convert-data` operation. However, for content with a request size greater than 10 MB, server errors `500` are possible. If you're receiving `500` server errors, ensure your requests are under 10 MB.

+It's possible for dates supplied within JSON data to be returned in a different format than what was supplied. During deserialization of the JSON payload, strings that are identified as dates get converted into .NET DateTime objects. These objects then get converted back to strings before going through the Liquid template engine. This conversion can cause the date value to be reformatted, and represented in the local timezone of the FHIR service.

+In this article, you learn three ways to copy data from the FHIR&reg; service in Azure Health Data Services to [Azure Synapse Analytics](https://azure.microsoft.com/services/synapse-analytics/), which is a limitless analytics service that brings together data integration, enterprise data warehousing, and big data analytics.

+The **FHIR to CDM pipeline generator** is a Microsoft OSS project released under MIT License. It's a tool to generate an ADF pipeline for copying a snapshot of data from a FHIR server using $export API, transforming it to csv format, and writing to a [CDM folder](/common-data-model/data-lake) in Azure Data Lake Storage Gen 2. The tool requires a user-created configuration file containing instructions to project and flatten FHIR Resources and fields into tables. You can also follow the instructions for creating a downstream pipeline in Synapse workspace to move data from a CDM folder to a Synapse dedicated SQL pool.

+In this approach, you use the FHIR `$export` operation to copy FHIR resources into a **Azure Data Lake Gen 2 (ADL Gen 2) blob storage** in `NDJSON` format. Then, you load the data from the storage into **serverless or dedicated SQL pools** in Synapse using T-SQL. You can convert these steps into a robust data movement pipeline using [Synapse pipelines](../../synapse-analytics/get-started-pipelines.md).

+You can also use `_type` parameter in the preceding `$export` call to restrict the resources that you want to export. For example, the following call exports only `Patient`, `MedicationRequest`, and `Observation` resources:

+Before using Synapse, you'll need a Synapse workspace. Create an Azure Synapse Analytics service on Azure portal. More step-by-step guidance can be found [here](../../synapse-analytics/get-started-create-workspace.md). You need an `ADLSGEN2` account to create a workspace. Your Azure Synapse workspace will use this storage account to store your Synapse workspace data.

+Azure Synapse Analytics offers two different SQL pools: serverless SQL pool and dedicated SQL pool. Serverless SQL pool gives the flexibility of querying data directly in the blob storage using the serverless SQL endpoint without any resource provisioning. Dedicated SQL pool has the processing power for high performance and concurrency, and is recommended for enterprise-scale data warehousing capabilities. For more details on the two SQL pools, check out the [Synapse documentation page](../../synapse-analytics/sql/overview-architecture.md) on SQL architecture.

+In the preceding query, the `OPENROWSET` function accesses files in Azure Storage, and `OPENJSON` parses JSON text and returns the JSON input properties as rows and columns. Every time this query is executed, the serverless SQL pool reads the file from the blob storage, parses the JSON, and extracts the fields.

+You can also materialize the results in Parquet format in an [External Table](../../synapse-analytics/sql/develop-tables-external-tables.md) to get better query performance, as follows.

+The simplest and fastest way to load data from your storage to a dedicated SQL pool is to use the **`COPY`** command in T-SQL, which can read CSV, Parquet, and ORC files. As in the following example query, use the `COPY` command to load the `NDJSON` rows into a tabular structure.

+Once you have the JSON rows in the preceding `StagingPatient` table, you can create different tabular formats of the data using the `OPENJSON` function and storing the results into tables. Here's a sample SQL query to create a `Patient` table by extracting a few fields from the `Patient` resource:

+Customer-managed keys (CMK) are encryption keys that you create and manage in your own key store. By using CMK, you have more flexibility and control over the encryption and access of your organizationΓÇÖs data. You use [Azure Key Vault](/azure/key-vault/) to create and manage CMK, and then use the keys to encrypt the data stored by the FHIR&reg; service.

+If you change the managed identity in any way, such as moving your FHIR service to a different tenant or subscription, the FHIR service isn't able to access your keys. You must update the service manually with an ARM template deployment. For steps, see [Use an ARM template to update the encryption key](configure-customer-managed-keys.md#update-the-key-by-using-an-arm-template).

+In this tutorial, we'll walk through setting up the FHIR&reg; service in Azure Health Data Services (FHIR service) to pass the [Touchstone](https://touchstone.aegis.net/touchstone/) tests for the [Da Vinci Payer Data Exchange US Drug Formulary Implementation Guide](http://hl7.org/fhir/us/Davinci-drug-formulary/).

+The first test focuses on testing the FHIR service against the [Da Vinci Drug Formulary capability

+statement](https://touchstone.aegis.net/touchstone/testdefinitions?selectedTestGrp=/FHIRSandbox/DaVinci/FHIR4-0-1-Test/PDEX/Formulary/00-Capability&activeOnly=false&contentEntry=TEST_SCRIPTS). If you run this test without any updates, the test fails due to missing search parameters and missing profiles.

+As part of the Da Vinci Drug Formulary IG, you'll need to define three [new search parameters](how-to-do-custom-search.md) for the FormularyDrug resource. All three of these are tested in the capability statement.

+The rest of the search parameters needed for the Da Vinci Drug Formulary IG are defined by the base specification and are already available in FHIR service without updates.

+To assist with creation of these search parameters and profiles, we have the [Da Vinci Formulary](https://github.com/microsoft/fhir-server/blob/main/docs/rest/DaVinciFormulary/DaVinciFormulary.http) sample HTTP file on the open-source site that includes all the steps previously outlined in a single file. Once you've uploaded all the necessary profiles and search parameters, you can run the capability statement test in Touchstone. You should get a successful run:

+The second test is the [query capabilities](https://touchstone.aegis.net/touchstone/testdefinitions?selectedTestGrp=/FHIRSandbox/DaVinci/FHIR4-0-1-Test/PDEX/Formulary/01-Query&activeOnly=false&contentEntry=TEST_SCRIPTS). This test validates that you can search for specific Coverage Plan and Drug resources using various parameters. The best path would be to test against resources that you already have in your database, but we also have the [Da VinciFormulary_Sample_Resources](https://github.com/microsoft/fhir-server/blob/main/docs/rest/DaVinciFormulary/DaVinciFormulary_Sample_Resources.http) HTTP file available with sample resources pulled from the examples in the IG, which you can use to create the resources and test against.

+In this tutorial, we walk through setting up the FHIR&reg; service in Azure Health Data Services (FHIR service) to pass the [Touchstone](https://touchstone.aegis.net/touchstone/) tests for the [Da Vinci Payer Data Exchange Implementation Guide](http://hl7.org/fhir/us/davinci-pdex/toc.html) (PDex IG).

+The first set of tests focus on testing the FHIR service against the PDex IG capability statement. This includes three tests:

+* The first test validates the basic capability statement against the IG requirements and passes without any updates.

+* The second test validates all the profiles have been added for US Core. This test passes without updates but will include warnings. To have these warnings removed, you need to [load the US Core profiles](validation-against-profiles.md). We've created a [sample HTTP file](https://github.com/microsoft/fhir-server/blob/main/docs/rest/PayerDataExchange/USCore.http) that walks through creating all the profiles. You can also get the [profiles](http://hl7.org/fhir/us/core/STU3.1.1/profiles.html#profiles) from the HL7 site directly, which will have the most current versions.

+In this test, you need to load some sample data for the test to pass. We have a rest file [here](https://github.com/microsoft/fhir-server/blob/main/docs/rest/PayerDataExchange/membermatch.http) with the patient and coverage linked that you need for the test. Once this data is loaded, you'll be able to successfully pass this test. If the data isn't loaded, you receive a `422` response due to not finding an exact match.

+The next tests we'll review are the [patient by reference](https://touchstone.aegis.net/touchstone/testdefinitions?selectedTestGrp=/FHIRSandbox/DaVinci/FHIR4-0-1-Test/PDEX/PayerExchange/02-PatientByReference&activeOnly=false&contentEntry=TEST_SCRIPTS) tests. This set of tests validates that you can find a patient based on various search criteria. The best way to test the patient by reference will be to test against your own data, but we've uploaded a [sample resource file](https://github.com/microsoft/fhir-server/blob/main/docs/rest/PayerDataExchange/PDex_Sample_Data.http) that you can load to use as well.

+The final test we walk through is testing patient-everything. For this test, you need to load a patient, then use that patientΓÇÖs ID to test that you can use the $everything operation to pull all data related to the patient.

+Next, define [new search parameters](how-to-do-custom-search.md) for the Healthcare Service, Insurance Plan, Practitioner Role, Organization, and Organization Affiliation resources. All of these parameters are tested in the capability statement:

+The rest of the search parameters needed for the Da Vinci Plan Net Implementation Guide are defined by the base specification, and are already available in the FHIR service without other updates.

+The second test evaluates [error handling](https://touchstone.aegis.net/touchstone/testdefinitions?selectedTestGrp=/FHIRSandbox/DaVinci/FHIR4-0-1-Test/PDEX/PlanNet/01-Error-Codes&activeOnly=false&contentEntry=TEST_SCRIPTS). The only step you need to do is delete a `HealthcareService` resource from your database and use the ID of the deleted HealthcareService resource in the test. The sample [DaVinci_PlanNet.http](https://github.com/microsoft/fhir-server/blob/main/docs/rest/DaVinciPlanNet/DaVinci_PlanNet.http) file on the open-source site provides an example `HealthcareService` to post and delete for this step.

+- Within each SWUpdate file, there must be a raw image that uses the Ext2, Ext3, or Ext4 filesystem.

+- The delta generation process recompresses the target SWU update using gzip compression in order to produce an optimal delta. Import this recompressed target SWU update to the Device Update service along with the generated delta update file.

+An update handler integrates with the Device Update agent to perform the actual update install. For delta updates, start with the [`microsoft/swupdate:2` update handler](https://github.com/Azure/iot-hub-device-update/blob/main/src/extensions/step_handlers/swupdate_handler_v2/README.md) if you don't already have your own SWUpdate update handler that you want to modify.

+The delta processor re-creates the original SWU image file on your device after the delta file is downloaded, so your update handler can install the SWU file. The delta processor is available in the [Azure/iot-hub-device-update-delta](https://github.com/Azure/iot-hub-device-update-delta) GitHub repo.

+To add the delta processor component to your device image and configure it for use, you can [download ](https://github.com/Azure/iot-hub-device-update-delt instructions to use CMAKE to build the delta processor from source instead. From there, install the shared object (libadudiffapi.so) directly by copying it to the `/usr/lib` directory:

+| DiffGen | [Azure/iot-hub-device-update-delta](https://github.com/Azure/iot-hub-device-update-delta/tree/main/preview/2.0.0) GitHub repo |Download the version matching the OS/distro on the machine that will be used to generate delta updates. |

+| .NETCore Runtime, version 8.0.0 | Via Terminal / Package Managers | [Instructions for Linux](/dotnet/core/install/linux). Only the Runtime is required. |

+- The image files within [recompressed_target_archive] are compressed with gzip.

+1. In **Frontend IP configuration**, select **+ Add a frontend IP configuration**.

+1. Select **lb-vnet** in **Virtual Network**.

+1. Open Microsoft Edge browser.

+1. Open Microsoft Edge browser.

+[Version 1](inbound-nat-rules.md) is the legacy approach for assigning an Azure Load BalancerΓÇÖs frontend port to each backend instance. Rules are applied to the backend instanceΓÇÖs network interface card (NIC). For Azure Virtual Machine Scale Sets (VMSS) instances, inbound NAT rules are automatically created/deleted as new instances are scaled up/down. For VMSS instanes use the `Inbound NAT Pool` property to manage Inbound NAT rules version 1.

+## Port reuse

+- Custom functions authoring currently isn't available in the Azure portal. However, after you deploy your functions from Visual Studio Code to Azure, follow the steps in [Call your code from a workflow](#call-code-from-workflow) for the Azure portal. You can use the built-in action named **Call a local function in this logic app** to select from your deployed custom functions and run your code. Subsequent actions in your workflow can reference the outputs from these functions, as in any other workflow. You can view the built-in action's run history, inputs, and outputs.

+- Custom functions use an isolated worker to invoke the code in your logic app workflow. To avoid package references conflicts between your own function code and the worker, use the same package versions referenced by the worker. For the full package list and versions referenced by the worker, see [Worker and package dependencies](https://github.com/Azure/logicapps/blob/master/articles/worker-packages-dependencies-custom-code.pdf).

+For your workflow to run properly, some app settings are marked as "required".

+| Setting | Required | Default value | Description |

+||-||-|

+| `APP_KIND` | Yes | `workflowApp` | Required to set the app type for the Standard logic app resource. |

+| `AzureWebJobsStorage` | Yes | None | Required to set the connection string for an Azure storage account. For more information, see [AzureWebJobsStorage](../azure-functions/functions-app-settings.md#azurewebjobsstorage). |

+| `FUNCTINONS_EXTENSION_VERSION` | Yes | `~4` | Required to set the Azure Functions version. For more information, see [FUNCTIONS_EXTENSION_VERSION](/azure/azure-functions/functions-app-settings#functions_extension_version). |

+| `FUNCTIONS_WORKER_RUNTIME` | Yes | `dotnet` | Required to set the language worker runtime for your logic app resource and workflows. <br><br>**Note**: Previously, this setting's default value was **`node`**. Now, **`dotnet`** is the default value for all new and existing deployed Standard logic apps, even for apps that had a different different value. This change shouldn't affect your workflow's runtime, and everything should work the same way as before.<br><br>For more information, see [FUNCTIONS_WORKER_RUNTIME](../azure-functions/functions-app-settings.md#functions_worker_runtime). |

+| `ServiceProviders.Sftp.FileUploadBufferTimeForTrigger` | No | `00:00:20` <br>(20 seconds) | Sets the buffer time to ignore files that have a last modified timestamp that's greater than the current time. This setting is useful when large file writes take a long time and avoids fetching data for a partially written file. |

+| `ServiceProviders.Sftp.OperationTimeout` | No | `00:02:00` <br>(2 min) | Sets the time to wait before timing out on any operation. |

+| `ServiceProviders.Sftp.ServerAliveInterval` | No | `00:30:00` <br>(30 min) | Sends a "keep alive" message to keep the SSH connection active if no data exchange with the server happens during the specified period. |

+| `ServiceProviders.Sftp.SftpConnectionPoolSize` | No | `2` connections | Sets the number of connections that each processor can cache. The total number of connections that you can cache is *ProcessorCount* multiplied by the setting value. |

+| `ServiceProviders.MaximumAllowedTriggerStateSizeInKB` | No | `10` KB, which is ~1,000 files | Sets the trigger state entity size in kilobytes, which is proportional to the number of files in the monitored folder and is used to detect files. If the number of files exceeds 1,000, increase this value. |

+| `ServiceProviders.Sql.QueryTimeout` | No | `00:02:00` <br>(2 min) | Sets the request timeout value for SQL service provider operations. |

+| `WEBSITE_CONTENTSHARE` | Yes | Dynamic | Required to set the name for the file share that Azure Functions uses to store function app code and configuration files and is used with [WEBSITE_CONTENTAZUREFILECONNECTIONSTRING](/azure/azure-functions/functions-app-settings#website_contentazurefileconnectionstring). The default is a unique string generated by the runtime. For more information, see [WEBSITE_CONTENTSHARE](/azure/azure-functions/functions-app-settings#website_contentshare). |

+| `WEBSITE_LOAD_ROOT_CERTIFICATES` | No | None | Sets the thumbprints for the root certificates to be trusted. |

+| `Workflows.Connection.AuthenticationAudience` | No | None | Sets the audience for authenticating a managed (Azure-hosted) connection. |

+| `Workflows.CustomHostName` | No | None | Sets the host name to use for workflow and input-output URLs, for example, "logic.contoso.com". For information to configure a custom DNS name, see [Map an existing custom DNS name to Azure App Service](../app-service/app-service-web-tutorial-custom-domain.md) and [Secure a custom DNS name with a TLS/SSL binding in Azure App Service](../app-service/configure-ssl-bindings.md). |

+| `Workflows.<workflowName>.FlowState` | No | None | Sets the state for <*workflowName*>. |

+| `Workflows.<workflowName>.RuntimeConfiguration.RetentionInDays` | No | None | Sets the amount of time in days to keep the run history for <*workflowName*>. |

+| `Workflows.RuntimeConfiguration.RetentionInDays` | No | `90` days | Sets the amount of time in days to keep workflow run history after a run starts. |

+| `Workflows.WebhookRedirectHostUri` | No | None | Sets the host name to use for webhook callback URLs. |

+>

+> For Siemens license files validate that:

+>

+> - A `saltd` compatible file is requested; and

+> - The clause `VENDOR saltd` is included in the license file.

+1. Select **12 months** for the **Expires**.

+- Review the [Create an application in Microsoft Entra ID](./quickstart-create-portal.md#create-an-application-in-microsoft-entra-id) article and verify your application registration is set up correctly.

+1. Ensure the user has a valid email set for their Microsoft Entra profile, and that their Microsoft Entra alias matches their email alias. For example, a Microsoft Entra sign-in alias of *jane.doe* must also have an email alias of *jane.doe*. Jane Doe can't sign in to Microsoft Entra ID with *jadoe* or any other variation.

+An *all licenses are in use for the remote desktop error* means that all licenses are already being used for the remote desktop tool. Ask someone on your team to sign out of their session so that you can sign in. Or contact your Microsoft account manager to get more remote desktop licenses.

+1. Confirm you're a Workbench Owner. A Workbench Owner has a Subscription Owner or Subscription Contributor role assigned to them. It's the only role that can approve (or reject) a data export request.

+1. Confirm you didn't request the data export. The user who requests the data export isn't allowed to also approve the data export. For more information about data export, see [Export data from chamber.](./how-to-guide-download-data.md)

+For storage or computing quota issues, contact your Microsoft account manager. They'll get you more allocation for your workbench subscription, subject to regional capacity limits/constraints.

+## Chamber or connector troubleshooting

+### Excessive time starting or stopping

+When starting a connector or chamber from stopped state, if the power state is in the 'Starting' status for longer than 25 minutes, then perform a Stop, wait for Power State to show Stopped, then perform a Start again. [Learn how to start and stop a chamber, connector, or VM.](how-to-guide-start-stop-restart.md)

+Learn about [Azure Virtual Network](../../virtual-network/virtual-networks-overview.md).

+Learn more about [Microsoft's acquisition of Lumenisity](https://blogs.microsoft.com/blog/2022/12/09/microsoft-acquires-lumenisity-an-innovator-in-hollow-core-fiber-hcf-cable/).

+- [Learn more about the networking services provided in Azure](https://azure.microsoft.com/product-categories/networking/)

+* [New Pricing](/previous-versions/azure/azure-monitor/insights/network-performance-monitor-pricing-faq)

+- [Learn more about Azure network security](security/index.yml)

+- [Learn more about Azure network security](security/index.yml)

+ Title: Get started with Azure Operator Service Manager cluster registry

+description: Azure Operator Service Manager cluster registry provides a locally resilent edge registry service to host Nexus K8s container image artifacts.

+# Get started with cluster registry

+* Original

+* Original Publish Date: July 26, 2024

+## Overview

+Improve resiliency for cloud native network functions with Azure Operator Service Manager cluster registry. This feature requires the following minimum environment:

+* AOSM ARM API Version: 2023-09-01

+* AOSM CNF Arc for Kubernetes Extension Build Number: 1.0.2711-7

+## Introduction

+Azure Operator Service Manager (AOSM) cluster registry (CR) enables a local copy of container images in the Nexus K8s cluster. When the containerized network function (CNF) is installed with cluster registry enabled, the container images are pulled from the remote AOSM artifact store and saved to a local registry. With cluster register, CNF access to container images survives loss of connectivity to the remote artifact store.

+### Key use cases

+Cloud native network functions (CNF) need access to container images, not only during the initial deployment using AOSM artifact store, but also to keep the network function operational. Some of these scenarios include:

+* Pod restarts: Stopping and starting a pod can result in a cluster node pulling container images from the registry.

+* Kubernetes scheduler operations: During pod to node assignments, according to scheduler profile rules, if the new node does not have the container images locally cached, the node pulls container images from the registry.

+In the above scenarios, if there's a temporary issue with accessing the AOSM artifact store, the cluster registry provides the necessary container images to prevent disruption to the running CNF. Also, the AOSM cluster registry feature decreases the number of image pull requests on AOSM artifact store since each Nexus K8s node pulls container images from the cluster registry instead of the AOSM artifact store.

+## How cluster registry works

+AOSM cluster registry is enabled using the Network Function Operator Arc K8s extension. The following CLI shows how cluster registry is enabled on a Nexus K8s cluster.

+```

+az k8s-extension create --name networkfunction-operator --cluster-name <CLUSTER_NAME> --resource-group <RESOURCE_GROUP_NAME> --cluster-type connectedClusters --extension-type Microsoft.Azure.HybridNetwork --scope cluster --release-namespace azurehybridnetwork --config Microsoft.CustomLocation.ServiceAccount=azurehybridnetwork-networkfunctionoperator --config global.networkfunctionextension.enableClusterRegistry=true --config global.networkfunctionextension.clusterRegistry.storageSize=100Gi --version 1.0.2711-7 --auto-upgrade-minor-version false --release-train stable

+```

+When the cluster registry feature is enabled in the Network Function Operator Arc K8s extension, any container images deployed from AOSM artifact store are accessible locally in the Nexus K8s cluster. The user can choose the persistent storage size for the cluster registry.

+> [!NOTE]

+> If the user doesn't provide any input, a default persistent volume of 100 GB is used.

+## Frequently Asked Questions

+### Can I use AOSM cluster registry with a CNF application previously deployed?

+If there's a CNF application already deployed without cluster registry, the container images are not available automatically. The cluster registry must be enabled before deploying the network function with AOSM.

+### Which Nexus K8s storage class is used?

+AOSM cluster registry feature uses nexus-volume storage class to store the container images in the Nexus Kubernetes cluster. By default, a 100-GB persistent volume is created if the user doesn't specify the size of the cluster registry.

+### Can I change the storage size after a deployment?

+Storage size can't be modified after the initial deployment. We recommend configuring the volume size by 3x to 4x of the starting size.

+| West US 3 | Switzerland North | | | *New Zealand North |

+**Detail**: Use a [network security group](../../virtual-network/manage-network-security-group.md) to protect against unsolicited traffic into Azure subnets. Network security groups (NSGs) are simple, stateful packet inspection devices. NSGs use the 5-tuple approach (source IP, source port, destination IP, destination port and protocol) to create allow/deny rules for network traffic. You allow or deny traffic to and from a single IP address, to and from multiple IP addresses, or to and from entire subnets.

+This document helps you get a more secure posture using the capabilities of Microsoft Entra ID by using a five-step checklist to improve your organization's protection against cyber-attacks.

+This checklist helps you quickly deploy critical recommended actions to protect your organization immediately by explaining how to:

+The recommendations in this document are aligned with the [Identity Secure Score](../../active-directory/fundamentals/identity-secure-score.md), an automated assessment of your Microsoft Entra tenantΓÇÖs identity security configuration. Organizations can use the Identity Secure Score page in the Microsoft Entra admin center to find gaps in their current security configuration to ensure they follow current Microsoft best practices for security. Implementing each recommendation in the Secure Score page increases your score and allow you to track your progress, plus help you compare your implementation against other similar size organizations.

+Although other types of attacks are emerging, including consent phishing and attacks on nonhuman identities, password-based attacks on user identities are still the most prevalent vector of identity compromise. Well-established spear phishing and password spray campaigns by adversaries continue to be successful against organizations that don't implement multifactor authentication (MFA) or other protections against this common tactic.

+As an organization you need to make sure that your identities are validated and secured with MFA everywhere. In 2020, the [Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) Report](https://www.ic3.gov/Medi).

+To easily enable the basic level of identity security, you can use the one-select enablement with [Microsoft Entra security defaults](../../active-directory/fundamentals/concept-fundamentals-security-defaults.md). Security defaults enforce Microsoft Entra multifactor authentication for all users in a tenant and blocks sign-ins from legacy protocols tenant-wide.

+Many organizations use traditional complexity and password expiration rules. [Microsoft's research](https://www.microsoft.com/research/publication/password-guidance/) shows, and [National Institute of Standards and Technology (NIST) Special Publication 800-63B Digital Identity Guidelines](https://pages.nist.gov/800-63-3/sp800-63b.html) state, that these policies cause users to choose passwords that are easier to guess. We recommend you use [Microsoft Entra password protection](../../active-directory/authentication/concept-password-ban-bad.md) a dynamic banned password feature using current attacker behavior to prevent users from setting passwords that can easily be guessed. This capability is always on when users are created in the cloud, but is now also available for hybrid organizations when they deploy [Microsoft Entra password protection for Windows Server Active Directory](../../active-directory/authentication/concept-password-ban-bad-on-premises.md). In addition, we recommend you remove expiration policies. Password change offers no containment benefits as cyber criminals almost always use credentials as soon as they compromise them. Refer to the following article to [Set the password expiration policy for your organization](/microsoft-365/admin/manage/set-password-expiration-policy).

+- The [Users with leaked credentials report](../../active-directory/identity-protection/overview-identity-protection.md) in Microsoft Entra ID warns of publicly exposed username and password pairs. An incredible volume of passwords is leaked via phishing, malware, and password reuse on third-party sites that are later breached. Microsoft finds many of these leaked credentials and tells you, in this report, if they match credentials in your organization ΓÇô but only if you enable [password hash sync](../../active-directory/hybrid/how-to-connect-password-hash-synchronization.md) or have cloud-only identities.

+- If an on-premises outage happens, like a ransomware attack, you can [switch over to using cloud authentication using password hash sync](../../active-directory/hybrid/choose-ad-authn.md). This backup authentication method allows you to continue accessing apps configured for authentication with Microsoft Entra ID, including Microsoft 365. In this case, IT staff doesn't need to resort to shadow IT or personal email accounts to share data until the on-premises outage is resolved.

+Given the pervasiveness of password compromise, minimizing the attack surface in your organization is critical. Disable the use of older, less secure protocols, limit access entry points, moving to cloud authentication, exercise more significant control of administrative access to resources, and embrace Zero Trust security principles.

+Credentials are a primary attack vector. The practices in this blog can reduce the attack surface by using cloud authentication, deploy MFA, and use passwordless authentication methods. You can deploy passwordless methods such as Windows Hello for Business, Phone Sign-in with the Microsoft Authenticator App or FIDO.

+Apps using their own legacy methods to authenticate with Microsoft Entra ID and access company data, pose another risk for organizations. Examples of apps using legacy authentication are POP3, IMAP4, or SMTP clients. Legacy authentication apps authenticate on behalf of the user and prevent Microsoft Entra ID from doing advanced security evaluations. The alternative, modern authentication, reduces your security risk, because it supports multifactor authentication and Conditional Access.

+Using the *verify explicitly principle*, you should reduce the impact of compromised user credentials when they happen. For each app in your environment, consider the valid use cases: which groups, which networks, which devices and other elements are authorized ΓÇô then block the rest. With Microsoft Entra Conditional Access, you can control how authorized users access their apps and resources based on specific conditions you define.

+Another Zero Trust pillar is the need to minimize the likelihood a compromised account can operate with a privileged role. This control can be accomplished by assigning the least amount of privilege to an identity. If youΓÇÖre new to Microsoft Entra roles, this article helps you understand Microsoft Entra roles.

+Microsoft recommends restricting user consent to allow end-user consent only for apps from verified publishers and only for permissions you select. If end-user consent is restricted, previous consent grants will still be honored but all future consent operations that an administrator must perform. For restricted cases, users can request admin consent through an integrated admin consent request workflow or through your own support processes. Before restricting end-user consent, use our recommendations to plan this change in your organization. For applications you wish to allow all users to access, consider granting consent on behalf of all users, making sure users who didn't yet individually consent can access the app. If you donΓÇÖt want these applications to be available to all users in all scenarios, use application assignment and Conditional Access to restrict user access to specific apps.

+A sign-in risk represents the probability that a given that the identity owner didn't authorize the authentication request. A sign-in risk-based policy can be implemented through adding a sign-in risk condition to your Conditional Access policies that evaluates the risk level to a specific user or group. Based on the risk level (high/medium/low), a policy can be configured to block access or force multifactor authentication. We recommend that you force multifactor authentication on Medium or above risky sign-ins.

+User risk indicates the likelihood of user identity compromise and is calculated based on the user risk detections that are associated with a user's identity. A user risk-based policy can be implemented through adding a user risk condition to your Conditional Access policies that evaluates the risk level to a specific user. Based on Low, Medium, High risk-level, a policy can be configured to block access or require a secure password change using multifactor authentication. Microsoft's recommendation is to require a secure password change for users on high risk.

+Auditing and logging of security-related events and related alerts are essential components of an efficient protection strategy. Security logs and reports provide you with an electronic record of suspicious activities and help you detect patterns that might indicate attempted or successful external penetration of the network, and internal attacks. You can use auditing to monitor user activity, document regulatory compliance, do forensic analysis, and more. Alerts provide notifications of security events. Make sure you have a log retention policy in place for both your sign-in logs and audit logs for Microsoft Entra ID by exporting into Azure Monitor or a SIEM tool.

+1. Risky sign-in reports surface user sign-in activities you should investigate whether the legitimate owner performed the sign-in.

+1. Risky user reports surface user accounts that might be compromised, such as leaked credential that was detected or the user signed in from different locations, causing an impossible travel event.

+Users can be tricked into navigating to a compromised web site or apps that gain access to their profile information and user data, such as their email. A malicious actor can use the consented permissions it received to encrypt their mailbox content and demand a ransom to regain your mailbox data. [Administrators should review and audit](/office365/securitycompliance/detect-and-remediate-illicit-consent-grants) the permissions given by users. In addition to auditing the permissions given by users, you can [locate risky or unwanted OAuth applications](/cloud-app-security/investigate-risky-oauth) in premium environments.

+As much as possible you want to balance security with productivity. Approaching your journey with the mindset that you're setting a foundation for security, you can remove friction from your organization by empowering your users while remaining vigilant and reducing your operational overheads.

+Microsoft Entra ID's [self-service password reset (SSPR)](../../active-directory/authentication/tutorial-enable-sspr.md) offers a simple means for IT administrators to allow users to reset or unlock their passwords or accounts without helpdesk or administrator intervention. The system includes detailed reporting that tracks when users reset their passwords, along with notifications to alert you to misuse or abuse.

+Microsoft Entra ID can allow nonadministrators to manage access to resources, using security groups, Microsoft 365 groups, application roles, and access package catalogs. [Self-service group management](../../active-directory/enterprise-users/groups-self-service-management.md) enables group owners to manage their own groups, without needing to be assigned an administrative role. Users can also create and manage Microsoft 365 groups without relying on administrators to handle their requests, and unused groups expire automatically. [Microsoft Entra entitlement management](../../active-directory/governance/entitlement-management-overview.md) further enables delegation and visibility, with comprehensive access request workflows and automatic expiration. You can delegate to nonadministrators the ability to configure their own access packages for groups, Teams, applications, and SharePoint Online sites they own, with custom policies for who is required to approve access, including configuring employee's managers and business partner sponsors as approvers.

+Provisioning is the processes of creating an identity in a target system based on certain conditions. Deprovisioning is the process of removing the identity from the target system, when conditions are no longer met. Synchronization is the process of keeping the provisioned object, up to date, so that the source object and target object are similar.

+- Provisioning from an external nondirectory authoritative system of record to Microsoft Entra ID, via [HR-driven provisioning](../../active-directory/governance/what-is-provisioning.md#hr-driven-provisioning)

+There are many aspects to a secure Identity infrastructure, but this five-step checklist helps you to quickly accomplish a safer and secure identity infrastructure:

+If you're confident all these steps are complete, use MicrosoftΓÇÖs [Identity Secure Score](../../active-directory/fundamentals/identity-secure-score.md), which keeps you up to date with the [latest best practices](identity-management-best-practices.md) and security threats.

+> | North America | Europe | APAC |

+> |--||-|

+> | Central US EUAP | Italy North | Australia Central |

+> | Canada Central | Spain Central | Australia East |

+> | Canada East | Norway East | |

+* [REST API](/rest/api/servicebus/)

+> [!NOTE]

+> Service Health Alerts are only supported in public clouds within the global region. For Action Groups to properly function in response to a Service Health Alert the region of the action group must be set as "Global".

+[Rollup 75](https://support.microsoft.com/topic/update-rollup-75-for-azure-site-recovery-4884b937-8976-454a-9b80-57e0200eb2ec) | 9.62.7172.1 | 9.62.7172.1 | 9.56.6879.1 | 5.24.0814.2 | 2.0.9932.0

+## Updates (August 2024)

+### Update Rollup 75

+Update [rollup 75](https://support.microsoft.com/topic/update-rollup-75-for-azure-site-recovery-4884b937-8976-454a-9b80-57e0200eb2ec) provides the following updates:

+**Update** | **Details**

+ |

+**Providers and agents** | Updates to Site Recovery agents and providers as detailed in the rollup KB article.

+**Issue fixes/improvements** | Certificate renewal for VMware to Azure in Modernized Appliances.

+**Azure VM disaster recovery** | No improvements added. 

+**VMware VM/physical disaster recovery to Azure** | No improvements added. 

+> [!NOTE]

+> In compliance with MicrosoftΓÇÖs security standards, we perform additional security patching for underlying Azure Kubernetes Service (AKS) clusters during the second week of each month. Maintenance occurs within an 8-hour window during non-working hours. We do this work in a rolling fashion to ensure uninterrupted service.

+> ACLs apply only to security principals in the same tenant. ACLs don't apply to users who use Shared Key authorization because no identity is associated with the caller and therefore security principal permission-based authorization cannot be performed. The same is true for shared access signature (SAS) tokens except when a user delegated SAS token is used. In that case, Azure Storage performs a POSIX ACL check against the object ID before it authorizes the operation as long as the optional parameter suoid is used. To learn more, see [Construct a user delegation SAS](/rest/api/storageservices/create-user-delegation-sas#construct-a-user-delegation-sas).

+ Title: Create a service SAS for a container or blob with .NET

+description: Learn how to create a service shared access signature (SAS) for a container or blob using the Azure Blob Storage client library for .NET.

+# Create a service SAS for a container or blob with .NET

+This article shows how to use the storage account key to create a service SAS for a container or blob with the Azure Blob Storage client library for .NET.

+## Create a service SAS

+You can create a service SAS for a container or blob, based on the needs of your app.

+### [Container](#tab/container)

+The following code example shows how to create a service SAS for a container resource. First, the code verifies that the [BlobContainerClient](/dotnet/api/azure.storage.blobs.blobcontainerclient) object is authorized with a shared key credential by checking the [CanGenerateSasUri](/dotnet/api/azure.storage.blobs.blobcontainerclient.cangeneratesasuri) property. Then, it generates the service SAS via the [BlobSasBuilder](/dotnet/api/azure.storage.sas.blobsasbuilder) class, and calls [GenerateSasUri](/dotnet/api/azure.storage.blobs.blobcontainerclient.generatesasuri) to create a service SAS URI based on the client and builder objects.

+### [Blob](#tab/blob)

+You can use a service SAS to authorize a client object to perform operations on a container or blob based on the permissions granted by the SAS.

+### [Container](#tab/container)

+The following code examples show how to use the service SAS to authorize a [BlobContainerClient](/dotnet/api/azure.storage.blobs.blobcontainerclient) object. This client object can be used to perform operations on the container resource based on the permissions granted by the SAS.

+First, create a [BlobServiceClient](/dotnet/api/azure.storage.blobs.blobserviceclient) object signed with the account access key:

+Then, generate the service SAS as shown in the earlier example and use the SAS to authorize a [BlobContainerClient](/dotnet/api/azure.storage.blobs.blobcontainerclient) object:

+### [Blob](#tab/blob)

+### Code samples

+- [View code samples from this article (GitHub)](https://github.com/Azure-Samples/AzureStorageSnippets/blob/master/blobs/howto/dotnet/BlobDevGuideBlobs/CreateSAS.cs)

+ Title: Create a service SAS for a container or blob with Java

+description: Learn how to create a service shared access signature (SAS) for a container or blob using the Azure Blob Storage client library for Java.

+# Create a service SAS for a container or blob with Java

+This article shows how to use the storage account key to create a service SAS for a container or blob with the Blob Storage client library for Java.

+## Create a service SAS

+You can create a service SAS for a container or blob, based on the needs of your app.

+### [Container](#tab/container)

+You can create a service SAS to delegate limited access to a container resource using the following method:

+- [generateSas](/java/api/com.azure.storage.blob.specialized.blobclientbase#method-details)

+SAS signature values, such as expiry time and signed permissions, are passed to the method as part of a [BlobServiceSasSignatureValues](/java/api/com.azure.storage.blob.sas.blobservicesassignaturevalues) instance. Permissions are specified as a [BlobContainerSasPermission](/java/api/com.azure.storage.blob.sas.blobcontainersaspermission) instance.

+The following code example shows how to create a service SAS with read permissions for a container resource:

+### [Blob](#tab/blob)

+You can use a service SAS to authorize a client object to perform operations on a container or blob based on the permissions granted by the SAS.

+### [Container](#tab/container)

+The following code examples show how to use the service SAS to authorize a [BlobContainerClient](/java/api/com.azure.storage.blob.blobcontainerclient) object. This client object can be used to perform operations on the container resource based on the permissions granted by the SAS.

+First, create a [BlobServiceClient](/java/api/com.azure.storage.blob.blobserviceclient) object signed with the account access key:

+```java

+String accountName = "<account-name>";

+String accountKey = "<account-key>";

+StorageSharedKeyCredential credential = new StorageSharedKeyCredential(accountName, accountKey);

+

+BlobServiceClient blobServiceClient = new BlobServiceClientBuilder()

+ .endpoint(String.format("https://%s.blob.core.windows.net/", accountName))

+ .credential(credential)

+ .buildClient();

+```

+Then, generate the service SAS as shown in the earlier example and use the SAS to authorize a [BlobContainerClient](/java/api/com.azure.storage.blob.blobcontainerclient) object:

+### [Blob](#tab/blob)

+### Code samples

+- [View code samples from this article (GitHub)](https://github.com/Azure-Samples/AzureStorageSnippets/blob/master/blobs/howto/Java/blob-devguide/blob-devguide-blobs/src/main/java/com/blobs/devguide/blobs/BlobSAS.java)

+ Title: Create a service SAS for a container or blob with Python

+description: Learn how to create a service shared access signature (SAS) for a container or blob using the Azure Blob Storage client library for Python.

+# Create a service SAS for a container or blob with Python

+This article shows how to use the storage account key to create a service SAS for a container or blob with the Blob Storage client library for Python.

+## Create a service SAS

+You can create a service SAS for a container or blob, based on the needs of your app.

+### [Container](#tab/container)

+You can create a service SAS to delegate limited access to a container resource using the following method:

+- [generate_container_sas](/python/api/azure-storage-blob/azure.storage.blob#azure-storage-blob-generate-blob-sas)

+The storage account access key used to sign the SAS is passed to the method as the `account_key` argument. Allowed permissions are passed to the method as the `permission` argument, and are defined in the [ContainerSasPermissions](/python/api/azure-storage-blob/azure.storage.blob.containersaspermissions) class.

+The following code example shows how to create a service SAS with read permissions for a container resource:

+### [Blob](#tab/blob)

+You can use a service SAS to authorize a client object to perform operations on a container or blob based on the permissions granted by the SAS.

+### [Container](#tab/container)

+The following code example shows how to use the service SAS created in the earlier example to authorize a [ContainerClient](/python/api/azure-storage-blob/azure.storage.blob.containerclient) object. This client object can be used to perform operations on the container resource based on the permissions granted by the SAS.

+### [Blob](#tab/blob)

+description: Learn how to create a user delegation SAS for a container or blob with Microsoft Entra credentials by using the .NET client library for Blob Storage.

+# Create a user delegation SAS for a container or blob with .NET

+This article shows how to use Microsoft Entra credentials to create a user delegation SAS for a container or blob using the [Azure Storage client library for .NET](/dotnet/api/overview/azure/storage).

+When a Microsoft Entra security principal attempts to access data, that security principal must have permissions to the resource. Whether the security principal is a managed identity in Azure or a Microsoft Entra user account running code in the development environment, the security principal must be assigned an Azure role that grants access to data. For information about assigning permissions via Azure RBAC, see [Assign an Azure role for access to blob data](assign-azure-role-data-access.md).

+## Create a user delegation SAS

+You can create a user delegation SAS for a container or blob, based on the needs of your app.

+### [Container](#tab/container)

+Once you've obtained the user delegation key, you can create a user delegation SAS to delegate limited access to a container. The following code example shows how to create a user delegation SAS for a container:

+### [Blob](#tab/blob)

+Once you've obtained the user delegation key, you can create a user delegation SAS to delegate limited access to a blob. The following code example shows how to create a user delegation SAS for a blob:

+You can use a user delegation SAS to authorize a client object to perform operations on a container or blob based on the permissions granted by the SAS.

+### [Container](#tab/container)

+The following code example shows how to use the user delegation SAS to authorize a [BlobContainerClient](/dotnet/api/azure.storage.blobs.blobcontainerclient) object. This client object can be used to perform operations on the container resource based on the permissions granted by the SAS.

+### [Blob](#tab/blob)

+### Code samples

+- [View code samples from this article (GitHub)](https://github.com/Azure-Samples/AzureStorageSnippets/blob/master/blobs/howto/dotnet/BlobDevGuideBlobs/CreateSAS.cs)

+The Azure SDK for .NET contains libraries that build on top of the Azure REST API, allowing you to interact with REST API operations through familiar .NET paradigms. The client library method for getting a user delegation key uses the following REST API operation:

+description: Learn how to create a user delegation SAS for a container or blob with Microsoft Entra credentials by using the Azure Storage client library for Java.

+# Create a user delegation SAS for a container or blob with Java

+This article shows how to use Microsoft Entra credentials to create a user delegation SAS for a container or blob using the [Azure Storage client library for Java](/java/api/overview/azure/storage-blob-readme).

+When a Microsoft Entra security principal attempts to access data, that security principal must have permissions to the resource. Whether the security principal is a managed identity in Azure or a Microsoft Entra user account running code in the development environment, the security principal must be assigned an Azure role that grants access to data. For information about assigning permissions via Azure RBAC, see [Assign an Azure role for access to blob data](assign-azure-role-data-access.md).

+## Create a user delegation SAS

+You can create a user delegation SAS for a container or blob, based on the needs of your app.

+### [Container](#tab/container)

+Once you've obtained the user delegation key, you can create a user delegation SAS. You can create a user delegation SAS to delegate limited access to a container resource using the following method from a [BlobContainerClient](/java/api/com.azure.storage.blob.blobcontainerclient) instance:

+- [generateUserDelegationSas](/java/api/com.azure.storage.blob.specialized.blobclientbase#method-details)

+The user delegation key to sign the SAS is passed to this method along with specified values for [BlobServiceSasSignatureValues](/java/api/com.azure.storage.blob.sas.blobservicesassignaturevalues). Permissions are specified as a [BlobContainerSasPermission](/java/api/com.azure.storage.blob.sas.blobcontainersaspermission) instance.

+The following code example shows how to create a user delegation SAS for a container:

+### [Blob](#tab/blob)

+Once you've obtained the user delegation key, you can create a user delegation SAS. You can create a user delegation SAS to delegate limited access to a blob using the following method from a [BlobClient](/java/api/com.azure.storage.blob.blobclient) instance:

+You can use a user delegation SAS to authorize a client object to perform operations on a container or blob based on the permissions granted by the SAS.

+### [Container](#tab/container)

+The following code example shows how to use the user delegation SAS created in the earlier example to authorize a [BlobContainerClient](/java/api/com.azure.storage.blob.blobcontainerclient) object. This client object can be used to perform operations on the container resource based on the permissions granted by the SAS.

+### [Blob](#tab/blob)

+ Title: Create a user delegation SAS for a container or blob with Python

+description: Learn how to create a user delegation SAS for a container or blob with Microsoft Entra credentials by using the Python client library for Blob Storage.

+# Create a user delegation SAS for a container or blob with Python

+This article shows how to use Microsoft Entra credentials to create a user delegation SAS for a container or blob using the [Azure Storage client library for Python](/python/api/overview/azure/storage).

+When a Microsoft Entra security principal attempts to access data, that security principal must have permissions to the resource. Whether the security principal is a managed identity in Azure or a Microsoft Entra user account running code in the development environment, the security principal must be assigned an Azure role that grants access to data. For information about assigning permissions via Azure RBAC, see [Assign an Azure role for access to blob data](assign-azure-role-data-access.md).

+## Create a user delegation SAS

+You can create a user delegation SAS for a container or blob, based on the needs of your app.

+### [Container](#tab/container)

+Once you've obtained the user delegation key, you can create a user delegation SAS. You can create a user delegation SAS to delegate limited access to a container resource using the following method:

+- [generate_container_sas](/python/api/azure-storage-blob/azure.storage.blob#azure-storage-blob-generate-container-sas)

+The user delegation key to sign the SAS is passed to the method as the `user_delegation_key` argument. Allowed permissions are passed to the method as the `permission` argument, and are defined in the [ContainerSasPermissions](/python/api/azure-storage-blob/azure.storage.blob.containersaspermissions) class.

+The following code example shows how to create a user delegation SAS for a container:

+### [Blob](#tab/blob)

+You can use a user delegation SAS to authorize a client object to perform operations on a container or blob based on the permissions granted by the SAS.

+### [Container](#tab/container)

+The following code example shows how to use the user delegation SAS created in the earlier example to authorize a [ContainerClient](/python/api/azure-storage-blob/azure.storage.blob.containerclient) object. This client object can be used to perform operations on the container resource based on the permissions granted by the SAS.

+### [Blob](#tab/blob)

+ mbpsReadWrite: 200

+description: Learn how to configure a site-to-site (S2S) VPN for use with Azure Files so you can mount your Azure file shares from on premises. Use the Azure portal, PowerShell, or CLI.

+You can use a site-to-site (S2S) VPN connection to mount your Azure file shares from your on-premises network, without sending data over the open internet. You can set up a S2S VPN using [Azure VPN Gateway](../../vpn-gateway/vpn-gateway-about-vpngateways.md), which is an Azure resource offering VPN services. You deploy VPN Gateway in a resource group alongside storage accounts or other Azure resources.

+# [Portal](#tab/azure-portal)

+1. In the service menu, under **Security + networking**, select **Networking**. Unless you added a virtual network to your storage account when you created it, the resulting pane should have the radio button for **Enabled from all networks** selected under **Public network access**.

+ If you haven't enabled public network access to the virtual network previously, the `Microsoft.Storage` service endpoint will need to be added to the virtual network subnet. This can take up to 15 minutes to complete, although in most cases it will complete much faster. Until this operation has completed, you won't be able to access the Azure file shares within that storage account, including via the VPN connection. The service endpoint routes traffic from the virtual network through an optimal path to the Azure Storage service. The identities of the subnet and the virtual network are also transmitted with each request.

+# [Azure PowerShell](#tab/azure-powershell)

+1. Sign in to the Azure portal.

+ ```azurepowershell-interactive

+ Connect-AzAccount

+ ```

+1. If you want to add a new virtual network and gateway subnet, run the following script. If you have an existing virtual network that you want to use, then skip this step and proceed to step 3. Be sure to replace `<your-subscription-id>`, `<resource-group>`, and `<storage-account-name>` with your own values. If desired, provide your own values for `$location` and `$vnetName`. The `-AddressPrefix` parameter defines the IP address blocks for the virtual network and the subnet, so replace those with your respective values.

+ ```azurepowershell-interactive

+ # Select subscription

+ $subscriptionId = "<your-subscription-id>"

+ Select-AzSubscription -SubscriptionId $subscriptionId

+ # Define parameters

+ $storageAccount = "<storage-account-name>"

+ $resourceGroup = "<resource-group>"

+ $location = "East US" # Change to desired Azure region

+ $vnetName = "myVNet"

+ # Virtual network gateway can only be created in subnet with name 'GatewaySubnet'.

+ $subnetName = "GatewaySubnet"

+ $vnetAddressPrefix = "10.0.0.0/16" # Update this address as per your requirements

+ $subnetAddressPrefix = "10.0.0.0/24" # Update this address as per your requirements

+

+ # Set current storage account

+ Set-AzCurrentStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount

+ # Define subnet configuration

+ $subnetConfig = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix $subnetAddressPrefix

+

+ # Create a virtual network

+ New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroup -Location $location -AddressPrefix $vnetAddressPrefix -Subnet $subnetConfig

+ ```

+1. If you created a new virtual network and subnet in the previous step, then skip this step. If you have an existing virtual network you want to use, you must first create a [gateway subnet](../../vpn-gateway/vpn-gateway-about-vpn-gateway-settings.md#gwsub) on the virtual network before you can deploy a virtual network gateway.

+ To add a gateway subnet to an existing virtual network, run the following script. Be sure to replace `<your-subscription-id>`, `<resource-group>`, and `<virtual-network-name>` with your own values. The `$subnetAddressPrefix` parameter defines the IP address block for the subnet, so replace the IP address per your requirements.

+ ```azurepowershell-interactive

+ # Select subscription

+ $subscriptionId = "<your-subscription-id>"

+ Select-AzSubscription -SubscriptionId $subscriptionId

+ # Define parameters

+ $storageAccount = "<storage-account-name>"

+ $resourceGroup = "<resource-group>"

+ $vnetName = "<virtual-network-name>"

+ # Virtual network gateway can only be created in subnet with name 'GatewaySubnet'.

+ $subnetName = "GatewaySubnet"

+ $subnetAddressPrefix = "10.0.0.0/24" # Update this address as per your requirements

+ # Set current storage account

+ Set-AzCurrentStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount

+ # Get the virtual network

+ $vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroup

+

+ # Add the gateway subnet

+ Add-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet -AddressPrefix $subnetAddressPrefix

+

+ # Apply the configuration to the virtual network

+ Set-AzVirtualNetwork -VirtualNetwork $vnet

+ ```

+1. To allow traffic only from specific virtual networks, use the `Update-AzStorageAccountNetworkRuleSet` command and set the `-DefaultAction` parameter to Deny.

+ ```azurepowershell-interactive

+ Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroup -Name $storageAccount -DefaultAction Deny

+ ```

+

+1. Enable a `Microsoft.Storage` service endpoint on the virtual network and subnet. This can take up to 15 minutes to complete, although in most cases it will complete much faster. Until this operation has completed, you won't be able to access the Azure file shares within that storage account, including via the VPN connection. The service endpoint routes traffic from the virtual network through an optimal path to the Azure Storage service. The identities of the subnet and the virtual network are also transmitted with each request.

+ ```azurepowershell-interactive

+ Get-AzVirtualNetwork -ResourceGroupName $resourceGroup -Name $vnetName | Set-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix $subnetAddressPrefix -ServiceEndpoint "Microsoft.Storage.Global" | Set-AzVirtualNetwork

+ ```

+

+1. Add a network rule for the virtual network and subnet.

+ ```azurepowershell-interactive

+ $subnet = Get-AzVirtualNetwork -ResourceGroupName $resourceGroup -Name $vnetName | Get-AzVirtualNetworkSubnetConfig -Name $subnetName

+ Add-AzStorageAccountNetworkRule -ResourceGroupName $resourceGroup -Name $storageAccount -VirtualNetworkResourceId $subnet.Id

+ ```

+# [Azure CLI](#tab/azure-cli)

+1. Sign in to the Azure portal.

+ ```azurecli-interactive

+ az login

+ ```

+1. If you want to add a new virtual network and gateway subnet, run the following script. If you have an existing virtual network that you want to use, then skip this step and proceed to step 3. Be sure to replace `<your-subscription-id>`, `<storage-account-name>`, and `<resource-group>` with your own values. Replace `<virtual-network-name>` with the name of the new virtual network you want to create. The `--address-prefix` and `--subnet-prefixes` parameters define the IP address blocks for the virtual network and the subnet, so replace those with your respective values. The virtual network will be created in the same region as the resource group.

+ ```azurecli-interactive

+ # Set your subscription

+ az account set --subscription "<your-subscription-id>"

+

+ # Define parameters

+ storageAccount="<storage-account-name>"

+ resourceGroup="<resource-group>"

+ vnetName="<virtual-network-name>"

+ # Virtual network gateway can only be created in subnet with name 'GatewaySubnet'.

+ subnetName="GatewaySubnet"

+ vnetAddressPrefix="10.0.0.0/16" # Update this address per your requirements

+ subnetAddressPrefix="10.0.0.0/24" # Update this address per your requirements

+ # Create a virtual network and subnet

+ az network vnet create \

+ --resource-group $resourceGroup \

+ --name $vnetName \

+ --address-prefix $vnetAddressPrefix \

+ --subnet-name $subnetName \

+ --subnet-prefixes $subnetAddressPrefix

+ ```

+1. If you created a new virtual network and subnet in the previous step, then skip this step. If you have an existing virtual network you want to use, you must first create a [gateway subnet](../../vpn-gateway/vpn-gateway-about-vpn-gateway-settings.md#gwsub) on the virtual network before you can deploy a virtual network gateway.

+ To add a gateway subnet to an existing virtual network, run the following script. Be sure to replace `<your-subscription-id>`, `<resource-group>`, and `<virtual-network-name>` with your own values. The `--address-prefixes` parameter defines the IP address block for the subnet, so replace the IP address block as needed.

+ ```azurecli-interactive

+ # Set your subscription

+ az account set --subscription "<your-subscription-id>"

+ # Define parameters

+ storageAccount="<storage-account-name>"

+ resourceGroup="<resource-group>"

+ vnetName="<virtual-network-name>"

+ # Virtual network gateway can only be created in subnet with name 'GatewaySubnet'.

+ subnetName="GatewaySubnet"

+ subnetAddressPrefix="10.0.0.0/24" # Update this address per your requirements

+

+ # Create the gateway subnet

+ az network vnet subnet create \

+ --resource-group $resourceGroup \

+ --vnet-name $vnetName \

+ --name $subnetName \

+ --address-prefixes $subnetAddressPrefix

+ ```

+1. To allow traffic only from specific virtual networks, use the `az storage account update` command and set the `--default-action` parameter to Deny.

+ ```azurecli-interactive

+ az storage account update --resource-group $resourceGroup --name $storageAccount --default-action Deny

+ ```

+

+1. Enable a `Microsoft.Storage` service endpoint on the virtual network and subnet. This can take up to 15 minutes to complete, although in most cases it will complete much faster. Until this operation has completed, you won't be able to access the Azure file shares within that storage account, including via the VPN connection. The service endpoint routes traffic from the virtual network through an optimal path to the Azure Storage service. The identities of the subnet and the virtual network are also transmitted with each request.

+ ```azurecli-interactive

+ az network vnet subnet update --resource-group $resourceGroup --vnet-name $vnetName --name $subnetName --service-endpoints "Microsoft.Storage.Global"

+ ```

+

+1. Add a network rule for the virtual network and subnet.

+ ```azurecli-interactive

+ subnetid=$(az network vnet subnet show --resource-group $resourceGroup --vnet-name $vnetName --name $subnetName --query id --output tsv)

+ az storage account network-rule add --resource-group $resourceGroup --account-name $storageAccount --subnet $subnetid

+ ```

+# [Portal](#tab/azure-portal)

+# [Azure PowerShell](#tab/azure-powershell)

+1. First, request a public IP address. If you have an existing unused IP address that you want to use, you can skip this step. Replace `<resource-group>` with your resource group name, and specify the same Azure region that you used for your virtual network.

+ ```azurepowershell-interactive

+ $gwpip = New-AzPublicIpAddress -Name "mypublicip" -ResourceGroupName "<resource-group>" -Location "East US" -AllocationMethod Static -Sku Standard

+ ```

+1. Next, create the gateway IP address configuration by defining the subnet and the public IP address to use. The public IP address of the VPN gateway will be exposed to the internet. Replace `<virtual-network-name>` and `<resource-group>` with your own values.

+ ```azurepowershell-interactive

+ $vnet = Get-AzVirtualNetwork -Name <virtual-network-name> -ResourceGroupName <resource-group>

+ $subnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet

+ $gwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name gwipconfig -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id

+ ```

+1. Run the following script to create the VPN gateway.

+ Replace `<resource-group>` with the same resource group as your virtual network. Specify the [gateway SKU](../../vpn-gateway/vpn-gateway-about-vpn-gateway-settings.md#gwsku) that supports the features you want to use. The gateway SKU controls the number of allowed Site-to-Site tunnels and desired performance of the VPN. We recommend using a Generation 2 SKU. Don't use the Basic SKU if you want to use IKEv2 authentication (route-based VPN).

+ ```azurepowershell-interactive

+ New-AzVirtualNetworkGateway -Name MyVnetGateway -ResourceGroupName <resource-group> -Location "East US" -IpConfigurations $gwipconfig -GatewayType "Vpn" -VpnType RouteBased -GatewaySku VpnGw2 -VpnGatewayGeneration Generation2

+ ```

+ You can also choose to include other features like [Border Gateway Protocol (BGP)](../../vpn-gateway/vpn-gateway-bgp-overview.md) and [Active-Active](../../vpn-gateway/vpn-gateway-highlyavailable.md). See the documentation for the [New-AzVirtualNetworkGateway](/powershell/module/az.network/new-azvirtualnetworkgateway) cmdlet. If you do require BGP, the default ASN is 65515, although this value can be changed.

+1. Creating a gateway can take 45 minutes or more, depending on the gateway SKU you specified. You can view the VPN gateway using the [Get-AzVirtualNetworkGateway](/powershell/module/az.network/Get-azVirtualNetworkGateway) cmdlet.

+ ```azurepowershell-interactive

+ Get-AzVirtualNetworkGateway -Name MyVnetGateway -ResourceGroup <resource-group>

+ ```

+# [Azure CLI](#tab/azure-cli)

+1. First, request a public IP address. If you have an existing unused IP address that you want to use, you can skip this step. Replace `<resource-group>` with your resource group name.

+ ```azurecli-interactive

+ az network public-ip create -n mypublicip -g <resource-group>

+ ```

+1. Run the following script to create the VPN gateway. Creating a gateway can take 45 minutes or more, depending on the gateway SKU you specify.

+ Replace `<resource-group>` with the same resource group as your virtual network. Specify the [gateway SKU](../../vpn-gateway/vpn-gateway-about-vpn-gateway-settings.md#gwsku) that supports the features you want to use. The gateway SKU controls the number of allowed Site-to-Site tunnels and desired performance of the VPN. We recommend using a Generation 2 SKU. Don't use the Basic SKU if you want to use IKEv2 authentication (route-based VPN).

+ ```azurecli-interactive

+ az network vnet-gateway create -n MyVnetGateway -l eastus --public-ip-address mypublicip -g <resource-group> --vnet <virtual-network-name> --gateway-type Vpn --sku VpnGw2 --vpn-gateway-generation Generation2 --no-wait

+ ```

+

+ The `--no-wait` parameter allows the gateway to be created in the background. It doesn't mean that the VPN gateway is created immediately.

+1. You can view the VPN gateway using the following command. If the VPN gateway isn't fully deployed, you'll receive an error message.

+

+ ```azurecli-interactive

+ az network vnet-gateway show -n MyVnetGateway -g <resource-group>

+ ```

+# [Portal](#tab/azure-portal)

+# [Azure PowerShell](#tab/azure-powershell)

+Run the following command to create a new local network gateway. Replace `<resource-group>` with your own value.

+The `-AddressPrefix` parameter specifies the address range or ranges for the network this local network gateway represents. If you add multiple address space ranges, make sure that the ranges you specify don't overlap with ranges of other networks that you want to connect to.

+```azurepowershell-interactive

+New-AzLocalNetworkGateway -Name MyLocalGateway -Location "East US" -AddressPrefix @('10.101.0.0/24','10.101.1.0/24') -GatewayIpAddress "5.4.3.2" -ResourceGroupName <resource-group>

+```

+# [Azure CLI](#tab/azure-cli)

+Run the following command to create a new local network gateway. Replace `<resource-group>` with your own value.

+The `--local-address-prefixes` parameter specifies the address range or ranges for the network this local network gateway represents. If you add multiple address space ranges, make sure that the ranges you specify don't overlap with ranges of other networks that you want to connect to.

+```azurecli-interactive

+az network local-gateway create --gateway-ip-address 5.4.3.2 --name MyLocalGateway -g <resource-group> --local-address-prefixes 10.101.0.0/24 10.101.1.0/24

+```

+The specific steps to configure your on-premises network appliance depend on the network appliance your organization has selected.

+When configuring your network appliance, you'll need the following items:

+* **A shared key.** This is the same shared key that you specify when creating your site-to-site VPN connection. In our examples, we use a basic shared key such as 'abc123'. We recommend that you generate a more complex key to use that complies with your organization's security requirements.

+* **The public IP address of your virtual network gateway.** To find the public IP address of your virtual network gateway using PowerShell, run the following command. In this example, `mypublicip` is the name of the public IP address resource that you created in an earlier step.

+ ```azurepowershell-interactive

+ Get-AzPublicIpAddress -Name mypublicip -ResourceGroupName <resource-group>

+ ```

+# [Portal](#tab/azure-portal)

+# [Azure PowerShell](#tab/azure-powershell)

+Run the following commands to create the site-to-site VPN connection between your virtual network gateway and your on-premises device. Be sure to replace the values with your own. The shared key must match the value you used for your VPN device configuration. The `-ConnectionType` for site-to-site VPN is **IPsec**.

+For more options, see the documentation for the [New-AzVirtualNetworkGatewayConnection](/powershell/module/az.network/new-azvirtualnetworkgatewayconnection) cmdlet.

+1. Set the variables.

+ ```azurepowershell-interactive

+ $gateway1 = Get-AzVirtualNetworkGateway -Name MyVnetGateway -ResourceGroupName <resource-group>

+ $local = Get-AzLocalNetworkGateway -Name MyLocalGateway -ResourceGroupName <resource-group>

+ ```

+1. Create the VPN connection.

+ ```azurepowershell-interactive

+ New-AzVirtualNetworkGatewayConnection -Name VNet1toSite1 -ResourceGroupName <resource-group> `

+ -Location 'East US' -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local `

+ -ConnectionType IPsec -SharedKey 'abc123'

+ ```

+1. After a short while, the connection will be established. You can verify your VPN connection by running the following command. If prompted, select 'A' in order to run 'All'.

+ ```azurepowershell-interactive

+ Get-AzVirtualNetworkGatewayConnection -Name VNet1toSite1 -ResourceGroupName <resource-group>

+ ```

+

+ The connection status should show as "Connected."

+# [Azure CLI](#tab/azure-cli)

+Run the following commands to create the site-to-site VPN connection between your virtual network gateway and your on-premises device. Be sure to replace the values with your own. The shared key must match the value you used for your VPN device configuration.

+For more options, see the documentation for the [az network vnet create](/cli/azure/network/vnet#az-network-vnet-create) command.

+```azurecli-interactive

+az network vpn-connection create --name VNet1toSite1 --resource-group <resource-group> --vnet-gateway1 MyVnetGateway -l eastus --shared-key abc123 --local-gateway MyLocalGateway

+```

+After a short while, the connection will be established. You can verify your VPN connection by running the following command. When the connection is in the process of being established, its connection status shows 'Connecting'. Once the connection is established, the status changes to 'Connected'.

+```azurecli-interactive

+az network vpn-connection show --name VNet1toSite1 --resource-group <resource-group>

+```

+ Title: Change the account SKU

+description: Learn how to change your SKU or pricing tier for a Trusted Signing account.

+# Change a Trusted Signing account SKU (pricing tier)

+Trusted Signing gives you a choice between two pricing tiers: Basic and Premium. Both tiers are tailored to offer the service at an optimal cost and to be suitable for any signing scenario.

+For more information, see [Trusted Signing pricing](https://azure.microsoft.com/pricing/details/trusted-signing/).

+## SKU (pricing tier) overview

+The following table describes key account details for the Basic SKU and the Premium SKU:

+| Account detail | Basic | Premium |

+| Price (monthly) | **$9.99 per account** | **$99.99 per account** |

+| Quota (signatures per month) | 5,000 | 100,000 |

+| Price after quota is reached | $0.005 per signature | $0.005 per signature |

+| Certificate profiles | 1 of each available type | 10 of each available type |

+| Public Trust signing | Yes | Yes |

+| Private Trust signing | Yes | Yes |

+> [!NOTE]

+> The pricing tier is also called the *account SKU*.

+## Change the SKU

+You can change the SKU for a Trusted Signing account at any time by upgrading to Premium or by downgrading to Basic. You can change the SKU by using either the Azure portal or the Azure CLI.

+Considerations:

+- SKU updates are effective beginning in the next billing cycle.

+- SKU limitations for an updated SKU are enforced after the update is successful.

+- After you change the SKU, you must manually refresh the account overview to see the updated SKU under **SKU (Pricing tier)**. (We are actively working to resolve this known limitation.)

+- To upgrade to Premium:

+ - No limitations are applied when you upgrade from the Basic SKU to the Premium SKU.

+- To downgrade to Basic:

+ - The Basic SKU allows only one certificate profile of each type. For example, if you have two certificate profiles of the Public Trust type, you must delete any single profile to be eligible to downgrade. The same limitation applies for other certificate profile types.

+ - In the Azure portal, on the **Certificate Profiles** pane, make sure that you select **Status: All** to view all certificate profiles. Viewing all certificate profiles can help you delete all relevant certificate profiles to meet the criteria to downgrade.

+ :::image type="content" source="media/trusted-signing-certificate-profile-deletion-changesku.png" alt-text="Screenshot that shows selecting all certificate profile statuses to view all certificate profiles." lightbox="media/trusted-signing-certificate-profile-deletion-changesku.png":::

+To change the SKU (pricing tier) by using the Azure portal:

+1. In the Azure portal, go to your Trusting Signing account.

+1. On the account **Overview** pane, find the current value for **SKU (Pricing tier)**.

+1. Select the link for the current SKU. Your current SKU selection is highlighted in the **Choose pricing tier** pane.

+1. Select the SKU to update to (for example, downgrade to Basic or upgrade to Premium), and then select **Update**.

+To change the SKU by using the Azure CLI, run this command:

+```azurecli

+## Cost management and billing

+View details about cost management and billing for your Trusted Signing resource by viewing your Azure subscription.

+### Cost management

+To view and estimate the cost of your Trusted Signing resource usage:

+1. In the Azure portal, search for **Subscriptions**.

+1. Select the subscription you used to create your Trusted Signing resource.

+1. On the left menu, select **Cost Management**. Learn more about [cost management](../cost-management-billing/costs/overview-cost-management.md).

+1. Under **Trusted Signing**, verify that you can see the costs that are associated with your Trusted Signing account.

+### Billing

+To view invoices for your Trusted Signing account:

+1. In the Azure portal, search for **Subscriptions**.

+1. Select the subscription you used to create your Trusted Signing resource.

+1. On the left menu, select **Billing**. Learn more about [billing](../cost-management-billing/cost-management-billing-overview.md).

+- Configure [Teams optimizations](teams-on-avd.md). Optimizations include WebRTC redirector service and Visual C++ Redistributable.

+The Azure Virtual Desktop agent links your session hosts with the Azure Virtual Desktop service. It acts as the intermediate communicator between the service and the virtual machines, enabling connectivity.

+The Azure Virtual Desktop Agent is updated regularly. New versions of the Azure Virtual Desktop Agent are installed automatically. When new versions are released, they're rolled out progressively to session hosts. This process is called *flighting* and it enables Microsoft to monitor the rollout in [validation environments](create-validation-host-pool.md) first.

+A rollout might take several weeks before the agent is available in all environments. Some agent versions might not reach nonvalidation environments, so you might see multiple versions of the agent deployed across your environments.

+Here's information about the Azure Virtual Desktop Agent.

+ Title: What's new in the Azure Virtual Desktop SxS Network Stack? - Azure

+description: New features and product updates for the Azure Virtual Desktop SxS Network Stack.

+# What's new in the Azure Virtual Desktop SxS Network Stack?

+The Azure Virtual Desktop agent links your session hosts with the Azure Virtual Desktop service. It also includes a component called the SxS Network Stack. The Azure Virtual Desktop agent acts as the intermediate communicator between the service and the virtual machines, enabling connectivity. The SxS Network Stack component is required for users to securely establish reverse server-to-client connections.

+The Azure Virtual Desktop SxS Network Stack is updated regularly. New versions of the Azure Virtual Desktop SxS Network Stack are installed automatically. When new versions are released, they're rolled out progressively to session hosts. This process is called *flighting* and it enables Microsoft to monitor the rollout in [validation environments](create-validation-host-pool.md) first.

+A rollout might take several weeks before the agent is available in all environments. Some agent versions might not reach nonvalidation environments, so you might see multiple versions of the agent deployed across your environments.

+This article is where you'll find out about:

+- The latest updates

+- New features

+- Improvements to existing features

+- Bug fixes

+Make sure to check back here often to keep up with new updates.

+## Latest available versions

+Here's information about the SxS Network Stack.

+| Release | Latest version |

+|--|--|

+| Production | 1.0.2404.16760 |

+| Validation | 1.0.2404.16760 |

+## Version 1.0.2404.16760

+*Published: July 2024*

+In this release, we've made the following changes:

+- General improvements and bug fixes mainly around `rdpshell` and RemoteApp.

+## Version 1.0.2402.09880

+*Published: July 2024*

+In this release, we've made the following changes:

+- General improvements and bug fixes mainly around `rdpshell` and RemoteApp.

+- The default chroma value has been changed from 4:4:4 to 4:2:0.

+- Reduce chance of progressive update blocking real updates from driver.

+- Improve user experience when bad credentials are saved.

+- Improve session switching to avoid hangs.

+- Update Intune version numbers for the granular clipboard feature.

+- Bug fixes for RemoteApp V2 decoder.

+- Bug fixes for RemoteApp.

+- Fix issue with caps lock state when using the on-screen keyboard.

+- **Lower latency and higher packets per second**. Removing the virtual switch from the data path eliminates the time that packets spend in the host for policy processing. It also increases the number of packets that the VM can process.

+- VMs with NVAs such as gateway, proxy, firewall can handle 250k ***active connections*** with 500k ***active flows in each direction*** due to the forwarding and more new flow creation on new connection setup to the next hop as shown in the above diagram.

+>Testing by using a virtual IP is possible, but is beyond the scope of this article.

+ Title: Troubleshoot Azure VPN Client

+description: Learn how to troubleshoot VPN Gateway point-to-site connections that use the Azure VPN Client.

+# Troubleshoot Azure VPN Client

+This article helps you troubleshoot Azure VPN Client connection and configuration issues.

+## <a name="status"></a>View Status Logs

+View the status log for error messages.

+1. Click the arrows icon at the bottom-right corner of the Azure VPN Client window to show the **Status Logs**.

+1. Check the logs for errors that might indicate the problem.

+1. Error messages are displayed in red.

+ :::image type="content" source="./media/troubleshoot-azure-vpn-client/status-logs.png" alt-text="Screenshot shows status logs." lightbox="./media/troubleshoot-azure-vpn-client/status-logs.png":::

+## <a name="clear"></a>Clear sign-in information

+This step applies to Microsoft Entra ID authentication. If you're using certificate authentication, this step isn't applicable.

+Clear the sign-in information.

+1. Select the … next to the profile that you want to troubleshoot. Select **Configure**.

+1. Select **Clear Saved Account**.

+1. Select **Save**.

+1. Try to connect.

+1. If the connection still fails, continue to the next section.

+ :::image type="content" source="./media/troubleshoot-azure-vpn-client/clear-sign-in.png" alt-text="Screenshot shows how to clear the saved account." lightbox="./media/troubleshoot-azure-vpn-client/clear-sign-in.png":::

+## <a name="diagnostics"></a>Run diagnostics

+Run diagnostics on the VPN client.

+1. Click the **…** next to the profile on which you want to run diagnostics.

+1. Select **Diagnose -> Run Diagnosis**.

+1. The client runs a series of tests and displays the results of the tests. The tests include:

+ * Internet Access ΓÇô Checks to see if the client has Internet connectivity.

+ * Client Credentials ΓÇô Check to see if the Microsoft Entra ID authentication endpoint is reachable.

+ * Server Resolvable ΓÇô Contacts the DNS server to resolve the IP address of the configured VPN server.

+ * Server Reachable ΓÇô Checks to see if the VPN server is responding or not

+1. If any of the tests fail, contact your network administrator to resolve the issue. To collect logs, see [Collect client log files](#logfiles).

+ :::image type="content" source="./media/troubleshoot-azure-vpn-client/diagnostics.png" alt-text="Screenshot shows how to run diagnostics." lightbox="./media/troubleshoot-azure-vpn-client/diagnostics.png":::

+## <a name="logfiles"></a>Collect client log files

+Collect the VPN client log files. The log files can be sent to support/administrator via a method of your choosing. For example, e-mail.

+1. Click the "…" next to the profile that you want to run diagnostics on. Select **Diagnose -> Show Logs Directory**

+1. Windows Explorer opens to the folder that contains the log files.

+ :::image type="content" source="./media/troubleshoot-azure-vpn-client/show-logs-directory.png" alt-text="Screenshot shows how to show log directory." lightbox="./media/troubleshoot-azure-vpn-client/show-logs-directory.png":::

+## Next steps

+To report an Azure VPN Client problem, see [Use Feedback Hub - Azure VPN Client](feedback-hub-azure-vpn-client.md).

+See [How to configure BGP for Azure VPN Gateway](bgp-howto.md) for steps to configure BGP for your cross-premises and VNet-to-VNet connections.

+> CRS 2.2.9 is no longer supported for new WAF policies. We recommend you upgrade to the latest CRS 3.2/DRS 2.1 and greater versions.

+|942130|SQL Injection Attack: SQL Tautology Detected.|

+For more information about the Bot Manager rule set, see [Web Application Firewall CRS rule groups and rules](application-gateway-crs-rulegroups-rules.md?tabs=bot).

+[Back-end health, resource logs, and metrics for Application Gateway](../../application-gateway/application-gateway-diagnostics.md)