diff --git a/articles/advisor/advisor-resiliency-reviews.md b/articles/advisor/advisor-resiliency-reviews.md new file mode 100644 index 0000000000000..0e69dcba73174 --- /dev/null +++ b/articles/advisor/advisor-resiliency-reviews.md 
@@ -0,0 +1,198 @@ +--- +title: Azure Advisor resiliency reviews +description: Optimize resource resiliency with custom recommendation reviews. +author: mabrahms +ms.author: v-mabrahms +ms.service: azure +ms.topic: article +ms.date: 03/8/2024 + +--- + +# Azure Advisor Resiliency Reviews + +Azure Advisor Resiliency Reviews help you focus on the most important recommendations to optimize your cloud deployments and improve resiliency. Review recommendations are tailored to the needs of your workload and include custom ones curated by your account team using Azure best practices and prioritized automated recommendations. + +You can find resiliency reviews in [Azure Advisor](https://aka.ms/Advisor_Reviews), which serves as your single-entry point for Microsoft best practices. + +In this article, you learn how to enable and access resiliency reviews prepared for you, triage, manage, implement, and track recommendations' lifecycles. + +## Terminology + +* *Triage recommendations* means to accept or reject a recommendation. +* *Manage recommendation lifecycle* means to mark a recommendation as completed, postponed or dismissed, in progress, or not started. You can only manage a recommendation is in the *Accepted* state. + +## How it works + +After you request a review, Microsoft Cloud Solution Architect engineers perform extensive analysis, curate the list of prioritized recommendations, and publish a resiliency review. You triage the recommendations and implement them. Your Microsoft account team works with you to facilitate the process. + +The following table defines the responsible parties for Advisor actions: + +| **Responsibility** | **Description** | +|---|:---:| +|Request a resiliency review|Customer via your Customer Success Account Manager or aligned Cloud Solution Architect.| +|Analyze workload configuration, perform the review via the Well Architected Reliability Assessment and prepare recommendations|Microsoft account team. 
Team members include Account Managers, Engineers, and Cloud Solution Architects. | +|Triage recommendations to accept or reject them.|Customer. Triage is done by team members who have authority to make decisions about workload optimization priorities.| +|Manage recommendations' lifecycle.|Customer. Setting the status of accepted recommendation as completed, postponed or dismissed, in progress, or not started.| +|Implement recommendations that were accepted|Customer. Implementation is done by engineers who are responsible for managing resources and their configuration.| +|Facilitate implementation|Microsoft account team via your support contract.| + +## Enable reviews + +Resiliency reviews are available to customers with Unified or Premier Support contracts via a Well Architected Reliability Assessment. To initiate a review, reach out to your Customer Success Account Manager. You can find their contacts in [Services Hub](https://serviceshub.microsoft.com/). + +Your Microsoft account team works with you to collect information about the workload. They need to know which subscriptions are used for the workload, and which subscriptions they should use to publish the review and recommendations. You need to work with the owner of this subscription to configure permissions for your team. + +## View and triage recommendations + +To view or triage recommendations, or to manage recommendations' lifecycles, requires specific role permissions. For definitions, see [Terminology](#terminology). + +### Prerequisites to view and triage recommendations + +You can manage access to Advisor reviews using built-in roles. The [permissions](/azure/advisor/permissions) vary by role. These roles need to be configured for the subscription that was used to publish the review. 
+ +| **Name** | **Description** | **Targeted Subscription** | +|---|:---:|:---:| +|Advisor Reviews Reader|View reviews for a workload and recommendations linked to them.| You need this role for the one subscription your account team used to publish review.| +|Advisor Reviews Contributor|View reviews for a workload and triage recommendations linked to them.| You need this role for the one subscription your account team used to publish review.| + +You can manage access to Advisor personalized recommendations using the following roles. These roles need to be configured for the subscriptions included in the workload under a review. + +| **Name** | **Description** | +|---|:---:| +|Subscription Reader|View reviews for a workload and recommendations linked to them.| +|Subscription Owner
Subscription Contributor|View reviews for a workload, triage recommendations linked to those reviews, manage review recommendation lifecycle.| +|Advisor Recommendations Contributor (Assessments and Reviews)|View review recommendations, accept review recommendations, manage review recommendations' lifecycle.| + +You can find detailed instructions on how to assign a role using the Azure portal - [Assign Azure roles using the Azure portal - Azure RBAC](/azure/role-based-access-control/role-assignments-portal?tabs=delegate-condition). Additional information is available in [Steps to assign an Azure role - Azure RBAC](/azure/role-based-access-control/role-assignments-steps). + +### Access reviews + +You can find resiliency reviews created by your account team in the left navigation pane under the **Manage** > **Reviews (Preview)** menu in Azure Advisor. + +If there's a new review available to you, you see a notification banner on top of the Advisor pages. A **New** review is one with all recommendations in the *Pending* state. + +1. Open the Azure portal and navigate to [Advisor](https://aka.ms/Advisor_Reviews). +Select **Manage** > **Reviews (Preview)** in the left navigation pane. A list of reviews opens. At the top of the page, you see the number of **Total Reviews** and review **Recommendations**, and a graph of **Reviews by status**. +1. Use search, filters, and sorting to find the review you need. You can filter reviews by one of the **Status equals** states shown next, or choose *All* (the default) to see all reviews. If you don’t see a review for your subscription, make sure the review subscription is included in the global portal filter. You might need to update the filter to see the reviews for a subscription. 
+ + * *New*: No recommendations are triaged (accepted or rejected) + * *In progress*: Some recommendations aren't triaged + * *Triaged*: All recommendations are triaged + * *Completed*: All accepted-state recommendations are implemented, postponed, or dismissed + +:::image type="content" source="./media/resiliency-reviews/resiliency-reviews-main.png" alt-text="Screenshot of the Azure Advisor Resiliency Reviews opening page." lightbox="./media/resiliency-reviews/resiliency-reviews-main.png"::: + +At the top of the reviews page, use **Feedback** to tell us about your experience. Use the **Refresh** button to refresh the page as needed. + +[!NOTE] +If you have no reviews, the **Reviews** menu item in the left navigation is greyed out. + +### Review recommendations + +The triage process includes reviewing recommendations and making decisions on which to implement. Use *Accept* and *Reject* actions to capture your decision. Accepted recommendations are available to your engineering team under the Advisor **Reliability** menu item. + +:::image type="content" source="./media/resiliency-reviews/resiliency-reviews-main-reliability.png" alt-text="Screenshot of the Azure Advisor Reliability menu highlight." lightbox="./media/resiliency-reviews/resiliency-reviews-main-reliability.png"::: + +1. From the **Reviews** page, select a review name to open the recommendations list page. For new reviews, recommendations are in *Pending* state. +1. Take a note of recommendations priority. **Priority** is defined by your account team to help you decide which recommendations should be implemented first. +:::image type="content" source="./media/resiliency-reviews/resiliency-review-recommendation-list-pending.png" alt-text="Screenshot of the Azure Advisor Resiliency Reviews recommendation list with pending recommendations." lightbox="./media/resiliency-reviews/resiliency-review-recommendation-list-pending.png"::: +1. 
Select a recommendation *Title* or the *Impacted subscriptions* view link to get detailed information. A pane opens with details – description, potential benefits, and notes from your account team along with the list of impacted subscriptions. +:::image type="content" source="./media/resiliency-reviews/resiliency-review-recommendation-list-detail-pane.png" alt-text="Screenshot of the Azure Advisor Resiliency Reviews recommendation list page with the details pane of a selected recommendation." lightbox="./media/resiliency-reviews/resiliency-review-recommendation-list-detail-pane.png"::: +1. If all recommendations for that review are triaged, none appear in the **Pending** view; select the **Accepted** or **Rejected** tabs to view those recommendations. + +### Recommendation priority + +The priority of a recommendation is based on the impact and urgency of the suggested improvements. Your account team sets recommendation priority. + +* *Critical*: The most important recommendations that can have a significant impact on your Azure resources. They should be addressed as soon as possible to avoid potential issues such as security breaches, data loss, or service outages. +* *High*: The recommendations that can improve the performance, reliability, or cost efficiency of your Azure resources. They should be addressed in a timely manner to optimize your Azure deployments. +* *Medium*: The recommendations that can enhance the operational excellence or user experience of your Azure resources. They should be considered and implemented if they align with your business goals and requirements. +* *Low*: The recommendations that can provide extra benefits or insights for your Azure resources. They should be reviewed and implemented if they're relevant and feasible for your scenario. +* *Informational*: The recommendations that can help you learn more about the features and capabilities of Azure. They don't require any action, but they can help you discover new ways to use Azure. 
+ +### Accept recommendations + +You must accept recommendations for your engineering team to start implementation. When a review recommendation is accepted, it becomes available under the Advisor **Reliability** page where it can be acted on. + +From a review recommendations details page: + +1. You can accept a single recommendation by clicking **Accept**. +1. You can accept multiple recommendations at a time by selecting them using the checkbox control and clicking **Accept**. +1. Accepted recommendations are moved to the **Accepted** tab and become visible to your engineering team under **Recommendations** > **Reliability**. +:::image type="content" source="./media/resiliency-reviews/resiliency-review-recommendation-list-accepted.png" alt-text="Screenshot of the Azure Advisor Resiliency Reviews recommendation list page of accepted recommendations." lightbox="./media/resiliency-reviews/resiliency-review-recommendation-list-accepted.png"::: +1. If you accepted a recommendation by mistake, use **Reset** to move it back to the pending state. + +### Reject recommendations + +1. You can reject a recommendation if you disagree with it. +1. You must select a reason when you reject a recommendation. Select one of the reasons from the list of available options. +:::image type="content" source="./media/resiliency-reviews/resiliency-review-recommendation-reject-options-medium.png" alt-text="Screenshot of the Azure Advisor Resiliency Reviews recommendations reject options." lightbox="./media/resiliency-reviews/resiliency-review-recommendation-reject-options-medium.png"::: +1. The rejected recommendation is moved to the **Rejected** tab. Rejected recommendations aren't visible for your engineering team under **Recommendations** > **Reliability**. +:::image type="content" source="./media/resiliency-reviews/resiliency-review-recommendation-list-rejected.png" alt-text="Screenshot of the Azure Advisor Resiliency Reviews recommendations page of rejected recommendations." 
lightbox="./media/resiliency-reviews/resiliency-review-recommendation-list-rejected.png"::: +1. You can reject multiple recommendations at a time using the checkbox control, and the same reason for rejection is applied to all selected recommendations. If you need to select a different reason, reject one recommendation at a time. +1. If you reject a recommendation by mistake, select **Reset** to move it back to the pending state and tab. + +[!NOTE] +The reason for the rejection is visible to your account team. It helps them understand workload context and your business priorities better. Additionally, Microsoft uses this information to improve the quality of recommendations. + +## Implement recommendations + +Once review recommendations are triaged, all recommendations with *Accepted* status become available on the Advisor **Reliability** page with links to the resources needing action. Typically, an engineer on your team implements the recommendations by going to the resource page and making the recommended change. + +For definitions on recommendation states, see [Terminology](#terminology). + +### Prerequisites to implement recommendations + +For details on permissions to act on recommendations, see [Permissions in Azure Advisor - Azure Advisor | Microsoft Learn](/azure/advisor/permissions). + +### Access accepted review recommendations + +To view *Accepted* review recommendations, go to **Recommendations** > **Reliability** in the left navigation to open the **Reliability** page at the **Reviews** tab, by default. + +The recommendations are grouped by type: + +* **Reviews**: These recommendations are part of a review for a selected workload. +* **Automated**: These recommendations are the standard Advisor recommendations for the selected subscriptions. + +[!NOTE] +If none of your resiliency review recommendations are in the *Accepted* state, the **Reviews** tab is hidden. 
+ +:::image type="content" source="./media/resiliency-reviews/resiliency-review-recommendation-list-accepted.png" alt-text="Screenshot of the Azure Advisor Resiliency Reviews recommendations page of accepted recommendations." lightbox="./media/resiliency-reviews/resiliency-review-recommendation-list-accepted.png"::: + +You can filter the recommendations by subscription, priority, and workload, as well as sort the recommendation list. + +You can sort recommendations using column headers - *Priority* (Critical, High, Medium, Low, Informational), *Description*, *Impacted resources*, *Review name*, *Potential benefits*, or *Last updated* date. + +### View recommendation details + +Select a recommendation description to open a details page. Your account team adds the *Description*, *Potential benefits*, and *Notes* when the review is prepared. + +:::image type="content" source="./media/resiliency-reviews/resiliency-review-reliability-page-detail.png" alt-text="Screenshot of the Azure Advisor Reliability page for a Resiliency Reviews recommendation." lightbox="./media/resiliency-reviews/resiliency-review-reliability-page-detail.png"::: + +The options in the **Reliability** recommendations detail differ from those in the **Reviews** recommendations detail. Here, a team developer can open the *Impacted subscriptions* link and take direct action. + +For details on recommendation priority, see [Recommendation priority](#recommendation-priority). + +### Manage recommendation lifecycle + +Recommendation status is a valuable indicator for determining what actions need to be taken. + +* Once you begin to implement a recommendation, mark it as *In progress*. +* Once the recommendation is implemented, the recommended action is taken, update the status to *Completed*. When all recommendations in a review are marked as *Completed*, the review is marked as *Completed* on the **Review** page. +* You can also postpone the recommendation for action later. 
+* You can dismiss a recommendation if you don't plan to implement it. If you dismiss the recommendation, you must give a reason, just as you must give a reason if you reject a recommendation in a review. + +:::image type="content" source="./media/resiliency-reviews/resiliency-review-recommendation-dismiss-options-medium.png" alt-text="Screenshot of the Azure Advisor Resiliency Reviews recommendations dismiss options." lightbox="./media/resiliency-reviews/resiliency-review-recommendation-dismiss-options-medium.png"::: + +## Review maintenance + +Your Microsoft account team engineers keep track of the results of your actions on resiliency reviews and continue to refine the recommendation reviews accordingly. + +## Next steps + +To learn more about Advisor reliability recommendations, see: + +[Improve the reliability of your business-critical applications using Azure Advisor](/azure/advisor/advisor-how-to-improve-reliability). + +[Reliability recommendations](/azure/advisor/advisor-reference-reliability-recommendations). diff --git a/articles/advisor/index.yml b/articles/advisor/index.yml index ded4edfd1d557..09007c5fcb1c4 100644 --- a/articles/advisor/index.yml +++ b/articles/advisor/index.yml @@ -46,5 +46,5 @@ landingContent: - text: PowerShell url: /powershell/module/az.advisor/ - text: REST API - url: /rest/api/advisor/ + url: /rest/api/advisor/operation-groups diff --git a/articles/advisor/media/resiliency-reviews/resiliency-review-recommendation-dismiss-options-medium.png b/articles/advisor/media/resiliency-reviews/resiliency-review-recommendation-dismiss-options-medium.png new file mode 100644 index 0000000000000..9ecc5442ca643 Binary files /dev/null and b/articles/advisor/media/resiliency-reviews/resiliency-review-recommendation-dismiss-options-medium.png differ 
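Review bot: the `[!NOTE]` alerts in advisor-resiliency-reviews.md (under "Access reviews", after the reject steps, and under "Access accepted review recommendations") are missing the blockquote prefix the alert syntax needs; written as a bare `[!NOTE]` line they render as literal text. Use `> [!NOTE]` with the body on a `> `-prefixed line, as azure-cni-overview.md does elsewhere in this same PR. Smaller points in the same hunk: `ms.date: 03/8/2024` should be zero-padded (`03/08/2024`) like the other files; "You can only manage a recommendation is in the *Accepted* state" is missing "that is"; the roles table row "Subscription Owner / Subscription Contributor" is split across two source lines, which breaks the table row, so join the two names with `<br>`; and in "Access reviews" the sentence "Select **Manage** > **Reviews (Preview)** in the left navigation pane." belongs in its own numbered step rather than continuing step 1. Since the narrower Advisor Reviews Reader and Advisor Reviews Contributor roles already cover viewing and triage, it would help readers applying least privilege to say so next to the Subscription Owner/Contributor row instead of presenting the two tables as equal alternatives. Finally, media/resiliency-reviews/resiliency-review-reliability-page.png is added in this PR but never referenced by the article, while "Access accepted review recommendations" reuses resiliency-review-recommendation-list-accepted.png with alt text describing the review list; the unused screenshot looks like the intended image there.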
diff --git a/articles/advisor/media/resiliency-reviews/resiliency-review-recommendation-list-accepted.png b/articles/advisor/media/resiliency-reviews/resiliency-review-recommendation-list-accepted.png new file mode 100644 index 0000000000000..5724dce0e95a0 Binary files /dev/null and b/articles/advisor/media/resiliency-reviews/resiliency-review-recommendation-list-accepted.png differ diff --git a/articles/advisor/media/resiliency-reviews/resiliency-review-recommendation-list-detail-pane.png b/articles/advisor/media/resiliency-reviews/resiliency-review-recommendation-list-detail-pane.png new file mode 100644 index 0000000000000..6bdd7b6445a13 Binary files /dev/null and b/articles/advisor/media/resiliency-reviews/resiliency-review-recommendation-list-detail-pane.png differ diff --git a/articles/advisor/media/resiliency-reviews/resiliency-review-recommendation-list-pending.png b/articles/advisor/media/resiliency-reviews/resiliency-review-recommendation-list-pending.png new file mode 100644 index 0000000000000..3b4b3c738120b Binary files /dev/null and b/articles/advisor/media/resiliency-reviews/resiliency-review-recommendation-list-pending.png differ diff --git a/articles/advisor/media/resiliency-reviews/resiliency-review-recommendation-list-rejected.png b/articles/advisor/media/resiliency-reviews/resiliency-review-recommendation-list-rejected.png new file mode 100644 index 0000000000000..681f8b1b8e133 Binary files /dev/null and b/articles/advisor/media/resiliency-reviews/resiliency-review-recommendation-list-rejected.png differ diff --git a/articles/advisor/media/resiliency-reviews/resiliency-review-recommendation-reject-options-medium.png b/articles/advisor/media/resiliency-reviews/resiliency-review-recommendation-reject-options-medium.png new file mode 100644 index 0000000000000..9200d237b714e Binary files /dev/null and b/articles/advisor/media/resiliency-reviews/resiliency-review-recommendation-reject-options-medium.png differ 
diff --git a/articles/advisor/media/resiliency-reviews/resiliency-review-reliability-page-detail.png b/articles/advisor/media/resiliency-reviews/resiliency-review-reliability-page-detail.png new file mode 100644 index 0000000000000..58399553d9db1 Binary files /dev/null and b/articles/advisor/media/resiliency-reviews/resiliency-review-reliability-page-detail.png differ diff --git a/articles/advisor/media/resiliency-reviews/resiliency-review-reliability-page.png b/articles/advisor/media/resiliency-reviews/resiliency-review-reliability-page.png new file mode 100644 index 0000000000000..99d39a74a20ca Binary files /dev/null and b/articles/advisor/media/resiliency-reviews/resiliency-review-reliability-page.png differ diff --git a/articles/advisor/media/resiliency-reviews/resiliency-reviews-main-reliability.png b/articles/advisor/media/resiliency-reviews/resiliency-reviews-main-reliability.png new file mode 100644 index 0000000000000..97d5e4dec65b1 Binary files /dev/null and b/articles/advisor/media/resiliency-reviews/resiliency-reviews-main-reliability.png differ diff --git a/articles/advisor/media/resiliency-reviews/resiliency-reviews-main.png b/articles/advisor/media/resiliency-reviews/resiliency-reviews-main.png new file mode 100644 index 0000000000000..dc515b46baa0b Binary files /dev/null and b/articles/advisor/media/resiliency-reviews/resiliency-reviews-main.png differ diff --git a/articles/advisor/toc.yml b/articles/advisor/toc.yml index 8c279b40d6bcd..b429eb67f2140 100644 --- a/articles/advisor/toc.yml +++ b/articles/advisor/toc.yml @@ -44,6 +44,8 @@ items: - name: Use Azure Well Architected Framework Assessments href: advisor-assessments.md + - name: Use Azure Advisor resiliency reviews + href: advisor-resiliency-reviews.md - name: Optimize virtual machine spend by resizing or shutting down underutilized instances href: advisor-cost-recommendations.md - name: Optimize your Azure costs using the cost optimization workbook 
diff --git a/articles/ai-services/openai/includes/fine-tuning-rest.md b/articles/ai-services/openai/includes/fine-tuning-rest.md index 7d3fd894246c5..134191569c8d1 100644 --- a/articles/ai-services/openai/includes/fine-tuning-rest.md +++ b/articles/ai-services/openai/includes/fine-tuning-rest.md @@ -247,7 +247,7 @@ The only limitations are that the new region must also support fine-tuning and w Below is an example of deploying a model that was fine-tuned in one subscription/region to another. ```bash -curl -X POST "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.CognitiveServices/accounts//deployments/api-version=2023-05-01" \ +curl -X PUT "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.CognitiveServices/accounts//deployments/api-version=2023-05-01" \ -H "Authorization: Bearer " \ -H "Content-Type: application/json" \ -d '{ diff --git a/articles/aks/TOC.yml b/articles/aks/TOC.yml index ca40f37760082..343954ef96db3 100644 --- a/articles/aks/TOC.yml +++ b/articles/aks/TOC.yml @@ -288,8 +288,6 @@ href: artifact-streaming.md - name: Add an Azure Spot node pool href: spot-node-pool.md - - name: Multi-instance GPU node pool - href: gpu-multi-instance.md - name: Node pool snapshot href: node-pool-snapshot.md - name: Use system node pools 
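Review bot: in the fine-tuning-rest.md hunk, switching the example from `POST` to `PUT` is the right fix, since an ARM `Microsoft.CognitiveServices/accounts/{account}/deployments/{deployment}` resource is created or updated with PUT; but the same line shows the path as `deployments/api-version=2023-05-01`, with no deployment-name segment and no `?` before the query string. If angle-bracket placeholders were stripped in rendering (the `subscriptions//resourceGroups//` segments suggest they were) that is fine; otherwise the request as written does not address a deployment and should read `deployments/<deployment-name>?api-version=2023-05-01`. The `Authorization: Bearer` header likewise shows an empty token; reading it from a shell variable in the example keeps the bearer token out of shell history when readers copy the command.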
@@ -305,7 +303,31 @@ - name: Use the Azure portal href: virtual-nodes-portal.md - name: Workloads - items: + items: + - name: GPU workloads + items: + - name: Use GPUs + href: gpu-cluster.md + - name: Use Windows GPUs + href: use-windows-gpu.md + - name: Multi-instance GPU node pool + href: gpu-multi-instance.md + - name: Vertical Pod Autoscaler + items: + - name: About Vertical Pod Autoscaler + href: vertical-pod-autoscaler.md + - name: Vertical Pod Autoscaler API reference + href: vertical-pod-autoscaler-api-reference.md + - name: Configure Metrics Server VPA + href: use-metrics-server-vertical-pod-autoscaler.md + - name: Proximity placement groups + href: reduce-latency-ppg.md + - name: Cluster autoscaler + items: + - name: Cluster autoscaler overview + href: cluster-autoscaler-overview.md + - name: Use the cluster autoscaler on AKS + href: cluster-autoscaler.md - name: Node autoprovision href: node-autoprovision.md - name: Availability zones @@ -452,6 +474,8 @@ href: azure-cni-overlay.md - name: Use Azure CNI for dynamic IP allocation href: configure-azure-cni-dynamic-ip-allocation.md + - name: Use Azure CNI VNet - Static Block Allocation (Preview) + href: configure-azure-cni-static-block-allocation.md - name: Use Azure CNI Powered by Cilium href: azure-cni-powered-by-cilium.md - name: Use kubenet @@ -744,8 +768,6 @@ href: /visualstudio/bridge/bridge-to-kubernetes-vs?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json - name: Use OpenFaaS href: openfaas.md - - name: Use GPUs - href: gpu-cluster.md - name: Create containerized app with Draft href: draft.md - name: Build Django app with PostgreSQL diff --git a/articles/aks/azure-cni-overview.md b/articles/aks/azure-cni-overview.md index 63127f0071417..ed8c69e736e0c 100644 --- a/articles/aks/azure-cni-overview.md +++ b/articles/aks/azure-cni-overview.md 
@@ -6,7 +6,7 @@ ms.author: allensu ms.service: azure-kubernetes-service ms.subservice: aks-networking ms.topic: concept-article -ms.date: 9/13/2023 +ms.date: 02/29/2024 #CustomerIntent: As a network administrator, I want learn about Azure CNI networking so that I can deploy Azure CNI networking in an AKS cluster. --- @@ -19,7 +19,7 @@ With [Azure Container Networking Interface (CNI)][cni-networking], every pod get > [!NOTE] > -> This article is only introducing traditional Azure CNI. For [Azure CNI Overlay][azure-cni-overlay] and [Azure CNI for dynamic IP allocation][configure-azure-cni-dynamic-ip-allocation], refer to their documentation instead. +> This article is only introducing traditional Azure CNI. For [Azure CNI Overlay][azure-cni-overlay], [Azure CNI VNet for dynamic IP allocation][configure-azure-cni-dynamic-ip-allocation], and [Azure CNI VNet - Static Block Allocation (Preview)][configure-azure-cni-static-block-allocation]. Please refer to their documentation instead. ## Prerequisites @@ -193,3 +193,4 @@ Learn more about networking in AKS in the following articles: [prerequisites]: configure-azure-cni.md#prerequisites [azure-cni-overlay]: azure-cni-overlay.md [configure-azure-cni-dynamic-ip-allocation]: configure-azure-cni-dynamic-ip-allocation.md +[configure-azure-cni-static-block-allocation]: configure-azure-cni-static-block-allocation.md diff --git a/articles/aks/concepts-scale.md b/articles/aks/concepts-scale.md index 28cefda6d71e5..28e72e0a0e27b 100644 --- a/articles/aks/concepts-scale.md +++ b/articles/aks/concepts-scale.md @@ -2,7 +2,7 @@ title: Concepts - Scale applications in Azure Kubernetes Services (AKS) description: Learn about scaling in Azure Kubernetes Service (AKS), including the horizontal pod autoscaler, cluster autoscaler, and Azure Container Instances. ms.topic: conceptual -ms.date: 01/22/2024 +ms.date: 03/18/2024 --- # Scaling options for applications in Azure Kubernetes Service (AKS) 
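Review bot: in the azure-cni-overview.md note hunk, the replacement text is a sentence fragment: "For [Azure CNI Overlay], [Azure CNI VNet for dynamic IP allocation], and [Azure CNI VNet - Static Block Allocation (Preview)]. Please refer to their documentation instead." Fold it into one sentence, keeping the link references, e.g. "This article only covers traditional Azure CNI. For Azure CNI Overlay, Azure CNI VNet for dynamic IP allocation, or Azure CNI VNet - Static Block Allocation (Preview), refer to their documentation instead." The new `[configure-azure-cni-static-block-allocation]` reference definition at the end of the file is correct.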
@@ -59,6 +59,14 @@ The cluster autoscaler also monitors the pod scheduling status for nodes that ha Your applications may experience some disruption as pods are scheduled on different nodes when the cluster autoscaler decreases the number of nodes. To minimize disruption, avoid applications that use a single pod instance. +## Kubernetes Event-driven Autoscaling (KEDA) + +[Kubernetes Event-driven Autoscaling][keda-official-documentation] (KEDA) is an open source component for event-driven autoscaling of workloads. It scales workloads dynamically based on the number of events received. KEDA extends Kubernetes with a custom resource definition (CRD), referred to as a *ScaledObject*, to describe how applications should be scaled in response to specific traffic. + +KEDA scaling is useful in scenarios where workloads receive bursts of traffic or handle high volumes of data. It is different from Horizontal Pod Autoscaler, as KEDA is event-driven and scales based on the number of events, while HPA is metrics-driven based on the resource utilization (for example, CPU and memory). + +To get started with the KEDA add-on in AKS, see [KEDA overview][keda-overview]. + ## Burst to Azure Container Instances (ACI) To rapidly scale your AKS cluster, you can integrate with Azure Container Instances (ACI). Kubernetes has built-in components to scale the replica and node count. However, if your application needs to rapidly scale, the [horizontal pod autoscaler](#horizontal-pod-autoscaler) may schedule more pods than can be provided by the existing compute resources in the node pool. If configured, this scenario would then trigger the [cluster autoscaler](#cluster-autoscaler) to deploy more nodes in the node pool, but it may take a few minutes for those nodes to successfully provision and allow the Kubernetes scheduler to run pods on them. 
@@ -78,6 +86,7 @@ To get started with scaling applications, see the following resources: - Manually scale [pods][kubectl-scale-reference] or [nodes][aks-manually-scale-nodes] - Use the [horizontal pod autoscaler][aks-hpa] - Use the [cluster autoscaler][aks-cluster-autoscaler] +- Use the [Kubernetes Event-driven Autoscaling (KEDA) add-on][keda-addon] For more information on core Kubernetes and AKS concepts, see the following articles: @@ -90,6 +99,7 @@ For more information on core Kubernetes and AKS concepts, see the following arti [virtual-kubelet]: https://virtual-kubelet.io/ [kubectl-scale-reference]: https://kubernetes.io/docs/reference/kubectl/generated/kubectl_scale/ +[keda-official-documentation]: https://keda.sh/docs/2.13/concepts/ [aks-hpa]: tutorial-kubernetes-scale.md#autoscale-pods @@ -101,4 +111,5 @@ For more information on core Kubernetes and AKS concepts, see the following arti [aks-concepts-storage]: concepts-storage.md [aks-concepts-identity]: concepts-identity.md [aks-concepts-network]: concepts-network.md -[virtual-nodes-cli]: virtual-nodes-cli.md \ No newline at end of file +[virtual-nodes-cli]: virtual-nodes-cli.md +[keda-overview]: keda-about.md \ No newline at end of file diff --git a/articles/aks/concepts-security.md b/articles/aks/concepts-security.md index 82fbc873ea3bb..152ebda6fd97d 100644 --- a/articles/aks/concepts-security.md +++ b/articles/aks/concepts-security.md @@ -4,7 +4,7 @@ description: Learn about security in Azure Kubernetes Service (AKS), including m author: miwithro ms.topic: conceptual ms.custom: build-2023 -ms.date: 01/11/2024 +ms.date: 03/18/2024 ms.author: miwithro --- 
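Review bot: in the concepts-scale.md "Next steps" hunk, the new bullet links to `[keda-addon]`, but the reference definitions added later in this diff are `[keda-official-documentation]` and `[keda-overview]`; unless `[keda-addon]` already exists elsewhere in the file, the bullet renders as literal bracketed text. Either point the bullet at `[keda-overview]` or add a `[keda-addon]: keda-about.md` definition. Two smaller points: `[keda-official-documentation]` pins the upstream docs to `https://keda.sh/docs/2.13/concepts/`, which will go stale, so a non-versioned docs URL is preferable; and the last hunk still ends with `\ No newline at end of file`, so add a trailing newline after `[keda-overview]: keda-about.md`.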
@@ -56,6 +56,8 @@ When an AKS cluster is created or scaled up, the nodes are automatically deploye For more information about the security upgrade process for Linux and Windows worker nodes, see [Security patching nodes][aks-vulnerability-management-nodes]. +AKS clusters running Azure Generation 2 VMs includes support for [Trusted Launch][trusted-launch] (preview), which protects against advanced and persistent attack techniques by combining technologies that can be independently enabled, like secure boot and virtualized version of trusted platform module (vTPM). Administrators can deploy AKS worker nodes with verified and signed bootloaders, OS kernels, and drivers to ensure integrity of the entire boot chain of the underlying VM. + ### Node authorization Node authorization is a special-purpose authorization mode that specifically authorizes kubelet API requests to protect against East-West attacks. Node authorization is enabled by default on AKS 1.24 + clusters. @@ -160,3 +162,4 @@ For more information on core Kubernetes and AKS concepts, see: [microsoft-vulnerability-management-aks]: concepts-vulnerability-management.md [aks-vulnerability-management-nodes]: concepts-vulnerability-management.md#worker-nodes [manage-ssh-access]: manage-ssh-node-access.md +[trusted-launch]: use-trusted-launch.md \ No newline at end of file diff --git a/articles/aks/configure-azure-cni-static-block-allocation.md b/articles/aks/configure-azure-cni-static-block-allocation.md new file mode 100644 index 0000000000000..a680a262e46c4 --- /dev/null +++ b/articles/aks/configure-azure-cni-static-block-allocation.md 
@@ -0,0 +1,219 @@ +--- +title: Configure Azure CNI for static allocation of CIDR blocks - (Preview) +titleSuffix: Azure Kubernetes Service +description: Learn how to configure Azure CNI Networking for static allocation of CIDR blocks in Azure Kubernetes Service (AKS) +author: asudbring +ms.author: allensu +ms.service: azure-kubernetes-service +ms.subservice: aks-networking +ms.topic: article +ms.date: 03/18/2024 +ms.custom: references_regions, devx-track-azurecli +--- + +# Configure Azure CNI Networking for static allocation of CIDR blocks and enhanced subnet support in Azure Kubernetes Service (AKS) - (Preview) + +A limitation of [Azure CNI Dynamic IP Allocation](configure-azure-cni-dynamic-ip-allocation.md) is the scalability of the pod subnet size beyond a /16 subnet. Even with a large subnet, large clusters may still be limited to 65k pods due to an Azure address mapping limit. +The new static block allocation capability in Azure CNI solves this problem by assigning CIDR blocks to Nodes rather than individual IPs. + +It offers the following benefits: + +- **Better IP Scalability**: CIDR blocks are statically allocated to the cluster nodes and are present for the lifetime of the node, as opposed to the traditional dynamic allocation of individual IPs with traditional CNI. This enables routing based on CIDR blocks and helps scale the cluster limit up to 1 million pods from the traditional 65K pods per cluster. Your Azure Virtual Network must be large enough to accommodate the scale of your cluster. +- **Flexibility**: Node and pod subnets can be scaled independently. A single pod subnet can be shared across multiple node pools of a cluster or across multiple AKS clusters deployed in the same VNet. You can also configure a separate pod subnet for a node pool. +- **High performance**: Since pods are assigned virtual network IPs, they have direct connectivity to other cluster pods and resources in the VNet. 
+- **Separate VNet policies for pods**: Since pods have a separate subnet, you can configure separate VNet policies for them that are different from node policies. This enables many useful scenarios such as allowing internet connectivity only for pods and not for nodes, fixing the source IP for pod in a node pool using an Azure NAT Gateway, and using NSGs to filter traffic between node pools. +- **Kubernetes network policies**: Cilium, Azure NPM, and Calico work with this new solution. + +This article shows you how to use Azure CNI Networking for static allocation of CIDRs and enhanced subnet support in AKS. + +## Prerequisites + +> [!NOTE] +> When using static block allocation of CIDRs, exposing an application as a Private Link Service using a Kubernetes Load Balancer Service isn't supported. + +- Review the [prerequisites][azure-cni-prereq] for configuring basic Azure CNI networking in AKS, as the same prerequisites apply to this article. +- Review the [deployment parameters][azure-cni-deployment-parameters] for configuring basic Azure CNI networking in AKS, as the same parameters apply. +- AKS Engine and DIY clusters aren't supported. +- Azure CLI version `2.37.0` or later with extension aks-preview of version '2.0.0b2' or later +- If you have an existing cluster, you need to enable Container Insights for monitoring IP subnet usage. 
You can enable Container Insights using the [`az aks enable-addons`][az-aks-enable-addons] command, as shown in the following example: +- Register the subscription-level feature flag for your subscription: 'Microsoft.ContainerService/AzureVnetScalePreview' + + ```azurecli-interactive + az aks enable-addons --addons monitoring --name --resource-group + ``` + +## Limitations + +Below are some of the limitations of using Azure CNI Static Block allocation: +- Minimum Kubernetes Version required is 1.28 +- Maximum subnet size supported is x.x.x.x/12 ~ 1 million IPs +- Not supported for Windows node pools (Windows support coming soon) +- Not supported for Cilium Data Plane (support coming soon) +- Only a single mode of operation can be used per subnet. If a subnet uses Static Block allocation mode, it cannot be use Dynamic IP allocation mode in a different cluster or node pool with the same subnet and vice versa. +- Only supported in new clusters or when adding node pools with a different subnet to existing clusters. Migrating or updating existing clusters or node pools is not supported. +- Across all the CIDR blocks assigned to a node in the node pool, one IP will be selected as the primary IP of the node. Thus, for network administrators selecting the `--max-pods` value try to use the calculation below to best serve your needs and have optimal usage of IPs in the subnet: +`max_pods` = (N * 16) - 1` +where N is any positive integer and N > 0 + +### Region availability + +This feature is **_not_** available in the following regions: + +- US South +- East US 2 +- West US +- West US 2 + +## Plan IP addressing + +Planning your IP addressing is more flexible and granular. Since the nodes and pods scale independently, their address spaces can also be planned separately. Since pod subnets can be configured to the granularity of a node pool, you can always add a new subnet when you add a node pool. 
The system pods in a cluster/node pool also receive IPs from the pod subnet, so this behavior needs to be accounted for. + +In this scenario, CIDR blocks of /28 (16 IPs) are allocated to nodes based on your '--max-pod' configuration for your node pool which defines the maximum number of pods per node. 1 IP is reserved on each node from all the available IPs on that node for internal purposes. + +Thus while determining and planning your IPs it is essential to define your '--max-pods' configuration and it can be calculated best as below: +`max_pods_per_node = (16 * N) - 1` +where N is any positive integer greater than 0 + +Ideal values with no IP wastage would require the max pods value to conform to the above expression. + +**Example 1:** max_pods = 30, CIDR Blocks allocated per node = 2, Total IPs available for pods = (16 * 2) - 1 = 32 - 1 = 31, IP wastage per node = 31 - 30 = 1 **[Low wastage - Acceptable Case]** +**Example 2:** max_pods = 31, CIDR Blocks allocated per node = 2, Total IPs available for pods = (16 * 2) - 1 = 32 - 1 = 31, IP wastage per node = 31 - 31 = 0 **[Ideal Case]** +**Example 3:** max_pods = 32, CIDR Blocks allocated per node = 3, Total IPs available for pods = (16 * 3) - 1 = 48 - 1 = 47, IP wastage per node = 47 - 32 = 15 **[High Wastage - Not Recommended Case]** + +The planning of IPs for Kubernetes services remain unchanged. + +> [!NOTE] +> Ensure your VNet has a sufficiently large and contiguous address space to support your cluster's scale. + +## Deployment parameters + +The [deployment parameters][azure-cni-deployment-parameters]for configuring basic Azure CNI networking in AKS are all valid, with two exceptions: + +- The **vnet subnet id** parameter now refers to the subnet related to the cluster's nodes. +- The parameter **pod subnet id** is used to specify the subnet whose IP addresses will be statically or dynamically allocated to pods in the node pool. 
+- The **pod ip allocation mode** parameter specifies whether to use dynamic individual or static block allocation. + +## Before you begin + +- If using the Azure CLI, you need the `aks-preview` extension. See [Install the `aks-preview` Azure CLI extension](#install-the-aks-preview-azure-cli-extension). +- If using ARM or the REST API, the AKS API version must be _2024-01-02-preview or later_. + +### Install the `aks-preview` Azure CLI extension + +1. Install the `aks-preview` extension using the [`az extension add`][az-extension-add] command. + + ```azurecli-interactive + az extension add --name aks-preview + ``` + +2. Update to the latest version of the extension using the [`az extension update`][az-extension-update] command. The extension should have a version of '2.0..0b2' or later + + ```azurecli-interactive + az extension update --name aks-preview + ``` + +### Register the `AzureVnetScalePreview` feature flag + +1. Register the `AzureVnetScalePreview` feature flag using the [`az feature register`][az-feature-register] command. + + ```azurecli-interactive + az feature register --namespace "Microsoft.ContainerService" --name "AzureVnetScalePreview" + ``` + + It takes a few minutes for the status to show _Registered_. + +2. Verify the registration status using the [`az feature show`][az-feature-show] command. + + ```azurecli-interactive + az feature show --namespace "Microsoft.ContainerService" --name "AzureVnetScalePreview" + ``` + +3. When the status reflects *Registered*, refresh the registration of the _Microsoft.ContainerService_ resource provider using the [`az provider register`][az-provider-register] command. 
+ + ```azurecli-interactive + az provider register --namespace Microsoft.ContainerService + ``` + +## Configure networking with static allocation of CIDR blocks and enhanced subnet support - Azure CLI + +Using static allocation of CIDR blocks in your cluster is similar to the default method for configuring a cluster Azure CNI for dynamic IP allocation. The following example walks through creating a new virtual network with a subnet for nodes and a subnet for pods and creating a cluster that uses Azure CNI with static allocation of CIDR blocks. Be sure to replace variables such as `$subscription` with your values. + +Create the virtual network with two subnets. + +```azurecli-interactive +resourceGroup="myResourceGroup" +vnet="myVirtualNetwork" +location="myRegion" + +# Create the resource group +az group create --name $resourceGroup --location $location + +# Create our two subnet network +az network vnet create -resource-group $resourceGroup --location $location --name $vnet --address-prefixes 10.0.0.0/8 -o none +az network vnet subnet create --resource-group $resourceGroup --vnet-name $vnet --name nodesubnet --address-prefixes 10.240.0.0/16 -o none +az network vnet subnet create --resource-group $resourceGroup --vnet-name $vnet --name podsubnet --address-prefixes 10.40.0.0/13 -o none +``` + +Create the cluster, referencing the node subnet using `--vnet-subnet-id`, the pod subnet using `--pod-subnet-id`, the `--pod-ip-allocation-mode` to define the ip allocation mode, and enable the monitoring add-on. 
+ +```azurecli-interactive +clusterName="myAKSCluster" +subscription="aaaaaaa-aaaaa-aaaaaa-aaaa" + +az aks create --name $clusterName --resource-group $resourceGroup --location $location \ + --max-pods 250 \ + --node-count 2 \ + --network-plugin azure \ + --pod-ip-allocation-mode StaticBlock \ + --vnet-subnet-id /subscriptions/$subscription/resourceGroups/$resourceGroup/providers/Microsoft.Network/virtualNetworks/$vnet/subnets/nodesubnet \ + --pod-subnet-id /subscriptions/$subscription/resourceGroups/$resourceGroup/providers/Microsoft.Network/virtualNetworks/$vnet/subnets/podsubnet \ + --enable-addons monitoring \ + --kubernetes-version 1.28 +``` + +### Adding node pool + +When adding node pool, reference the node subnet using `--vnet-subnet-id`, the pod subnet using `--pod-subnet-id` and allocation mode using '--pod-ip-allocation-mode'. The following example creates two new subnets that are then referenced in the creation of a new node pool: + +```azurecli-interactive +az network vnet subnet create -g $resourceGroup --vnet-name $vnet --name node2subnet --address-prefixes 10.242.0.0/16 -o none +az network vnet subnet create -g $resourceGroup --vnet-name $vnet --name pod2subnet --address-prefixes 10.243.0.0/16 -o none + +az aks nodepool add --cluster-name $clusterName -g $resourceGroup -n newnodepool \ + --max-pods 250 \ + --node-count 2 \ + --vnet-subnet-id /subscriptions/$subscription/resourceGroups/$resourceGroup/providers/Microsoft.Network/virtualNetworks/$vnet/subnets/node2subnet \ + --pod-subnet-id /subscriptions/$subscription/resourceGroups/$resourceGroup/providers/Microsoft.Network/virtualNetworks/$vnet/subnets/pod2subnet \ + --pod-ip-allocation-mode StaticBlock \ + --no-wait +``` + +## Static allocation of CIDR blocks and enhanced subnet support FAQs + +- **Can I assign multiple pod subnets to a cluster?** + + Multiple subnets can be assigned to a cluster but only one subnet can be assigned to each node pool. 
Different node pools across the same/different cluster can share the same subnet. + +- **Can I assign Pod subnets from a different VNet altogether?** + + No, the pod subnet should be from the same VNet as the cluster. + +- **Can some node pools in a cluster use Dynamic IP allocation while others use the new Static Block allocation?** + +Yes, different node pools can use different allocation modes. However, once a subnet is used in one allocation mode it can only be used in the same allocation mode across all the node pools it is associated. + +## Next steps + +Learn more about networking in AKS in the following articles: + +- [Use a static IP address with the Azure Kubernetes Service (AKS) load balancer](static-ip.md) +- [Use an internal load balancer with Azure Kubernetes Service (AKS)](internal-lb.md) +- [Use the application routing addon in Azure Kubernetes Service (AKS)](app-routing.md) + + +[github]: https://raw.githubusercontent.com/microsoft/Docker-Provider/ci_prod/kubernetes/container-azm-ms-agentconfig.yaml + + +[azure-cni-prereq]: ./configure-azure-cni.md#prerequisites +[azure-cni-deployment-parameters]: ./azure-cni-overview.md#deployment-parameters +[az-aks-enable-addons]: /cli/azure/aks#az_aks_enable_addons diff --git a/articles/aks/use-windows-gpu.md b/articles/aks/use-windows-gpu.md new file mode 100644 index 0000000000000..8a2eaa5bc5c9b --- /dev/null +++ b/articles/aks/use-windows-gpu.md 
@@ -0,0 +1,320 @@ +--- +title: Use GPUs for Windows node pools on Azure Kubernetes Service (AKS) +description: Learn how to use Windows GPUs for high performance compute or graphics-intensive workloads on Azure Kubernetes Service (AKS). +ms.topic: article +ms.date: 03/18/2024 +#Customer intent: As a cluster administrator or developer, I want to create an AKS cluster that can use high-performance GPU-based VMs for compute-intensive workloads using a Windows os. +--- + +# Use Windows GPUs for compute-intensive workloads on Azure Kubernetes Service (AKS) + +Graphical processing units (GPUs) are often used for compute-intensive workloads, such as graphics and visualization workloads. AKS supports GPU-enabled Windows and [Linux](./gpu-cluster.md) node pools to run compute-intensive Kubernetes workloads. + +This article helps you provision Windows nodes with schedulable GPUs on new and existing AKS clusters. + +## Supported GPU-enabled virtual machines (VMs) + +To view supported GPU-enabled VMs, see [GPU-optimized VM sizes in Azure][gpu-skus]. For AKS node pools, we recommend a minimum size of *Standard_NC6s_v3*. The NVv4 series (based on AMD GPUs) aren't supported on AKS. + +> [!NOTE] +> GPU-enabled VMs contain specialized hardware subject to higher pricing and region availability. For more information, see the [pricing][azure-pricing] tool and [region availability][azure-availability]. + +## Limitations + +* Updating an existing Windows node pool to add GPU isn't supported. +* Not supported on Kubernetes version 1.28 and below. + +## Before you begin + +* This article assumes you have an existing AKS cluster. If you don't have a cluster, create one using the [Azure CLI][aks-quickstart-cli], [Azure PowerShell][aks-quickstart-powershell], or the [Azure portal][aks-quickstart-portal]. +* You need the Azure CLI version 1.0.0b2 or later installed and configured to use the `--skip-gpu-driver-install` field with the `az aks nodepool add` command. 
Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli]. + +## Get the credentials for your cluster + +* Get the credentials for your AKS cluster using the [`az aks get-credentials`][az-aks-get-credentials] command. The following example command gets the credentials for the *myAKSCluster* in the *myResourceGroup* resource group: + + ```azurecli-interactive + az aks get-credentials --resource-group myResourceGroup --name myAKSCluster + ``` + +## Using Windows GPU with automatic driver installation + +Using NVIDIA GPUs involves the installation of various NVIDIA software components such as the [DirectX device plugin for Kubernetes](https://github.com/aarnaud/k8s-directx-device-plugin), GPU driver installation, and more. When you create a Windows node pool with a supported GPU-enabled VM, these components and the appropriate NVIDIA CUDA or GRID drivers are installed. For NC and ND series VM sizes, the CUDA driver is installed. For NV series VM sizes, the GRID driver is installed. + +[!INCLUDE [preview features callout](includes/preview/preview-callout.md)] + +### Install the `aks-preview` Azure CLI extension + +* Register or update the aks-preview extension using the [`az extension add`][az-extension-add] or [`az extension update`][az-extension-update] command. + + ```azurecli-interactive + # Register the aks-preview extension + az extension add --name aks-preview + + # Update the aks-preview extension + az extension update --name aks-preview + ``` + +### Register the `WindowsGPUPreview` feature flag + +1. Register the `WindowsGPUPreview` feature flag using the [`az feature register`][az-feature-register] command. + + ```azurecli-interactive + az feature register --namespace "Microsoft.ContainerService" --name "WindowsGPUPreview" + ``` + + It takes a few minutes for the status to show *Registered*. + +2. Verify the registration status using the [`az feature show`][az-feature-show] command. 
+ + ```azurecli-interactive + az feature show --namespace "Microsoft.ContainerService" --name "WindowsGPUPreview" + ``` + +3. When the status reflects *Registered*, refresh the registration of the *Microsoft.ContainerService* resource provider using the [`az provider register`][az-provider-register] command. + + ```azurecli-interactive + az provider register --namespace Microsoft.ContainerService + ``` + +### Create a Windows GPU-enabled node pool (preview) + +To create a Windows GPU-enabled node pool, you need to use a supported GPU-enabled VM size and specify the `os-type` as `Windows`. The default Windows `os-sku` is `Windows2022`, but all Windows `os-sku` options are supported. + +1. Create a Windows GPU-enabled node pool using the [`az aks nodepool add`][az-aks-nodepool-add] command. + + ```azurecli-interactive + az aks nodepool add \ + --resource-group myResourceGroup \ + --cluster-name myAKSCluster \ + --name gpunp \ + --node-count 1 \ + --os-type Windows \ + --kubernetes-version 1.29.0 \ + --node-vm-size Standard_NC6s_v3 + ``` + +2. Check that your [GPUs are schedulable](#confirm-that-gpus-are-schedulable). +3. Once you confirm that your GPUs are schedulable, you can run your GPU workload. + +## Using Windows GPU with manual driver installation + +When creating a Windows node pool with N-series (NVIDIA GPU) VM sizes in AKS, the GPU driver and Kubernetes DirectX device plugin are installed automatically. To bypass this automatic installation, use the following steps: + +1. [Skip GPU driver installation (preview)](#skip-gpu-driver-installation-preview) using `--skip-gpu-driver-install`. +2. [Manual installation of the Kubernetes DirectX device plugin](#manually-install-the-kubernetes-directx-device-plugin). + +### Skip GPU driver installation (preview) + +AKS has automatic GPU driver installation enabled by default. In some cases, such as installing your own drivers, you may want to skip GPU driver installation. 
+ +[!INCLUDE [preview features callout](includes/preview/preview-callout.md)] + +1. Register or update the aks-preview extension using the [`az extension add`][az-extension-add] or [`az extension update`][az-extension-update] command. + + ```azurecli-interactive + # Register the aks-preview extension + az extension add --name aks-preview + + # Update the aks-preview extension + az extension update --name aks-preview + ``` + +2. Create a node pool using the [`az aks nodepool add`][az-aks-nodepool-add] command with the `--skip-gpu-driver-install` flag to skip automatic GPU driver installation. + + ```azurecli-interactive + az aks nodepool add \ + --resource-group myResourceGroup \ + --cluster-name myAKSCluster \ + --name gpunp \ + --node-count 1 \ + --os-type windows \ + --os-sku windows2022 \ + --skip-gpu-driver-install + ``` + + > [!NOTE] + > If the `--node-vm-size` that you're using isn't yet onboarded on AKS, you can't use GPUs and `--skip-gpu-driver-install` doesn't work. + +### Manually install the Kubernetes DirectX device plugin + +You can deploy a DaemonSet for the Kubernetes DirectX device plugin, which runs a pod on each node to provide the required drivers for the GPUs. + +* Add a node pool to your cluster using the [`az aks nodepool add`][az-aks-nodepool-add] command. + + ```azurecli-interactive + az aks nodepool add \ + --resource-group myResourceGroup \ + --cluster-name myAKSCluster \ + --name gpunp \ + --node-count 1 \ + --os-type windows \ + --os-sku windows2022 + ``` + +## Create a namespace and deploy the Kubernetes DirectX device plugin + +1. Create a namespace using the [`kubectl create namespace`][kubectl-create] command. + + ```bash + kubectl create namespace gpu-resources + ``` + +2. 
Create a file named *k8s-directx-device-plugin.yaml* and paste the following YAML manifest provided as part of the [NVIDIA device plugin for Kubernetes project][nvidia-github]: + + ```yaml + apiVersion: apps/v1 + kind: DaemonSet + metadata: + name: nvidia-device-plugin-daemonset + namespace: gpu-resources + spec: + selector: + matchLabels: + name: nvidia-device-plugin-ds + updateStrategy: + type: RollingUpdate + template: + metadata: + # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler + # reserves resources for critical add-on pods so that they can be rescheduled after + # a failure. This annotation works in tandem with the toleration below. + annotations: + scheduler.alpha.kubernetes.io/critical-pod: "" + labels: + name: nvidia-device-plugin-ds + spec: + tolerations: + # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode. + # This, along with the annotation above marks this pod as a critical add-on. + - key: CriticalAddonsOnly + operator: Exists + - key: nvidia.com/gpu + operator: Exists + effect: NoSchedule + - key: "sku" + operator: "Equal" + value: "gpu" + effect: "NoSchedule" + containers: + - image: mcr.microsoft.com/oss/nvidia/k8s-device-plugin:v0.14.1 + name: nvidia-device-plugin-ctr + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + volumeMounts: + - name: device-plugin + mountPath: /var/lib/kubelet/device-plugins + volumes: + - name: device-plugin + hostPath: + path: /var/lib/kubelet/device-plugins + ``` + +3. Create the DaemonSet and confirm the NVIDIA device plugin is created successfully using the [`kubectl apply`][kubectl-apply] command. + + ```bash + kubectl apply -f nvidia-device-plugin-ds.yaml + ``` + +4. Now that you successfully installed the NVIDIA device plugin, you can check that your [GPUs are schedulable](#confirm-that-gpus-are-schedulable). 
+ +## Confirm that GPUs are schedulable + +After creating your cluster, confirm that GPUs are schedulable in Kubernetes. + +1. List the nodes in your cluster using the [`kubectl get nodes`][kubectl-get] command. + + ```console + kubectl get nodes + ``` + + Your output should look similar to the following example output: + + ```console + NAME STATUS ROLES AGE VERSION + aks-gpunp-28993262-0 Ready agent 13m v1.20.7 + ``` + +2. Confirm the GPUs are schedulable using the [`kubectl describe node`][kubectl-describe] command. + + ```console + kubectl describe node aks-gpunp-28993262-0 + ``` + + Under the *Capacity* section, the GPU should list as `microsoft.com/directx: 1`. Your output should look similar to the following condensed example output: + + ```output + Capacity: + [...] + microsoft.com.directx/gpu: 1 + [...] + ``` + +## Use Container Insights to monitor GPU usage + +[Container Insights with AKS][aks-container-insights] monitors the following GPU usage metrics: + +| Metric name | Metric dimension (tags) | Description | +|-------------|-------------------------|-------------| +| containerGpuDutyCycle | `container.azm.ms/clusterId`, `container.azm.ms/clusterName`, `containerName`, `gpuId`, `gpuModel`, `gpuVendor`| Percentage of time over the past sample period (60 seconds) during which GPU was busy/actively processing for a container. Duty cycle is a number between 1 and 100. | +| containerGpuLimits | `container.azm.ms/clusterId`, `container.azm.ms/clusterName`, `containerName` | Each container can specify limits as one or more GPUs. It's not possible to request or limit a fraction of a GPU. | +| containerGpuRequests | `container.azm.ms/clusterId`, `container.azm.ms/clusterName`, `containerName` | Each container can request one or more GPUs. It's not possible to request or limit a fraction of a GPU. 
| +| containerGpumemoryTotalBytes | `container.azm.ms/clusterId`, `container.azm.ms/clusterName`, `containerName`, `gpuId`, `gpuModel`, `gpuVendor` | Amount of GPU Memory in bytes available to use for a specific container. | +| containerGpumemoryUsedBytes | `container.azm.ms/clusterId`, `container.azm.ms/clusterName`, `containerName`, `gpuId`, `gpuModel`, `gpuVendor` | Amount of GPU Memory in bytes used by a specific container. | +| nodeGpuAllocatable | `container.azm.ms/clusterId`, `container.azm.ms/clusterName`, `gpuVendor` | Number of GPUs in a node that Kubernetes can use.| +| nodeGpuCapacity | `container.azm.ms/clusterId`, `container.azm.ms/clusterName`, `gpuVendor` | Total Number of GPUs in a node. | + +## Clean up resources + +* Remove the associated Kubernetes objects you created in this article using the [`kubectl delete job`][kubectl delete] command. + + ```console + kubectl delete jobs windows-gpu-workload + ``` + +## Next steps + +* To run Apache Spark jobs, see [Run Apache Spark jobs on AKS][aks-spark]. +* For more information on features of the Kubernetes scheduler, see [Best practices for advanced scheduler features in AKS][advanced-scheduler-aks]. +* For more information on Azure Kubernetes Service and Azure Machine Learning, see: + * [Configure a Kubernetes cluster for ML model training or deployment][azureml-aks]. + * [Deploy a model with an online endpoint][azureml-deploy]. + * [High-performance serving with Triton Inference Server][azureml-triton]. + * [Labs for Kubernetes and Kubeflow][kubeflow]. 
+ + +[kubectl-apply]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply +[kubectl-get]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get +[kubeflow]: https://github.com/Azure/kubeflow-labs +[kubectl-describe]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#describe +[kubectl-logs]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#logs +[kubectl delete]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#delete +[kubectl-create]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#create +[azure-pricing]: https://azure.microsoft.com/pricing/ +[azure-availability]: https://azure.microsoft.com/global-infrastructure/services/ +[nvidia-github]: https://github.com/NVIDIA/k8s-device-plugin + + +[az-aks-create]: /cli/azure/aks#az_aks_create +[az-aks-nodepool-update]: /cli/azure/aks/nodepool#az_aks_nodepool_update +[az-aks-nodepool-add]: /cli/azure/aks/nodepool#az_aks_nodepool_add +[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials +[aks-quickstart-cli]: ./learn/quick-windows-container-deploy-cli.md +[aks-quickstart-portal]: ./learn/quick-windows-container-deploy-portal.md +[aks-quickstart-powershell]: ./learn/quick-windows-container-deploy-powershell.md +[aks-spark]: spark-job.md +[gpu-skus]: ../virtual-machines/sizes-gpu.md +[install-azure-cli]: /cli/azure/install-azure-cli +[azureml-aks]: ../machine-learning/how-to-attach-kubernetes-anywhere.md +[azureml-deploy]: ../machine-learning/how-to-deploy-managed-online-endpoints.md +[azureml-triton]: ../machine-learning/how-to-deploy-with-triton.md +[aks-container-insights]: monitor-aks.md#integrations +[advanced-scheduler-aks]: operator-best-practices-advanced-scheduler.md +[az-provider-register]: /cli/azure/provider#az-provider-register +[az-feature-register]: /cli/azure/feature#az-feature-register +[az-feature-show]: /cli/azure/feature#az-feature-show +[az-extension-add]: 
/cli/azure/extension#az-extension-add +[az-extension-update]: /cli/azure/extension#az-extension-update +[NVadsA10]: /azure/virtual-machines/nva10v5-series diff --git a/articles/analysis-services/analysis-services-scale-out.md b/articles/analysis-services/analysis-services-scale-out.md index b82364031b812..e1e50b7794a0e 100644 --- a/articles/analysis-services/analysis-services-scale-out.md +++ b/articles/analysis-services/analysis-services-scale-out.md @@ -4,9 +4,9 @@ description: Replicate Azure Analysis Services servers with scale-out. Client qu author: kfollis ms.service: analysis-services ms.topic: conceptual -ms.date: 04/27/2021 +ms.date: 03/18/2024 ms.author: kfollis -ms.reviewer: minewiskan +ms.reviewer: chwade ms.custom: --- # Azure Analysis Services scale-out @@ -86,7 +86,7 @@ Another good metric to watch is average QPU by ServerResourceType. This metric c ### Detailed diagnostic logging -Use Azure Monitor Logs for more detailed diagnostics of scaled out server resources. With logs, you can use Log Analytics queries to break out QPU and memory by server and replica. For more information, see [Analyze logs in Log Analytics workspace](monitor-analysis-services.md#analyze-logs-in-log-analytics-workspace). For example queries, see [Sample Kusto queries]((monitor-analysis-services.md#sample-kusto-queries). +Use Azure Monitor Logs for more detailed diagnostics of scaled out server resources. With logs, you can use Log Analytics queries to break out QPU and memory by server and replica. For more information, see [Analyze logs in Log Analytics workspace](monitor-analysis-services.md#analyze-logs-in-log-analytics-workspace). For example queries, see [Sample Kusto queries](monitor-analysis-services.md#sample-kusto-queries). ## Configure scale-out diff --git a/articles/api-center/enable-api-center-portal.md b/articles/api-center/enable-api-center-portal.md index 1ef643c5b8b7f..51555ba5d14ed 100644 --- a/articles/api-center/enable-api-center-portal.md 
+++ b/articles/api-center/enable-api-center-portal.md @@ -4,7 +4,7 @@ description: Enable the API Center portal, an automatically generated website th author: dlepow ms.service: api-center ms.topic: how-to -ms.date: 01/26/2024 +ms.date: 03/18/2024 ms.author: danlep ms.custom: # Customer intent: As an API program manager, I want to enable a portal for developers and other API stakeholders in my organization to discover the APIs in my organization's API center. @@ -14,7 +14,8 @@ ms.custom: This article shows how to enable your *API Center portal*, an automatically generated website that developers and other stakeholders in your organization can use to discover the APIs in your [API center](overview.md). The portal is hosted by Azure at a unique URL and restricts user access based on Azure role-based access control. -> [!VIDEO https://www.youtube.com/embed/7Z45FdCLFbA] +> [!IMPORTANT] +> The Azure-hosted API Center portal is experimental and will be removed from API Center in an upcoming release. You will have an option to self-host an API Center portal for API discovery in an upcoming release. [!INCLUDE [api-center-preview-feedback](includes/api-center-preview-feedback.md)] diff --git a/articles/api-center/index.yml b/articles/api-center/index.yml index fa412bffaebb2..bec5f5cab7909 100644 --- a/articles/api-center/index.yml +++ b/articles/api-center/index.yml @@ -59,8 +59,6 @@ landingContent: linkLists: - linkListType: how-to-guide links: - - text: Enable your API Center portal - url: enable-api-center-portal.md - text: Use VS Code extension url: use-vscode-extension.md - text: Discover APIs with GitHub Copilot Chat diff --git a/articles/api-management/api-management-in-workspace.md b/articles/api-management/api-management-in-workspace.md index 7ef89f1c3e10c..b47ac9fa3b19c 100644 --- a/articles/api-management/api-management-in-workspace.md +++ b/articles/api-management/api-management-in-workspace.md 
@@ -12,7 +12,7 @@ ms.date: 03/10/2023 This article is an introduction to managing APIs, products, subscriptions, and other API Management resources in a *workspace*. A workspace is a place where a development team can own, manage, update, and productize their own APIs, while a central API platform team manages the API Management infrastructure. Learn about the [workspace features](workspaces-overview.md) -[!INCLUDE [api-management-availability-premium-dev-standard](../../includes/api-management-availability-premium-dev-standard.md)] +[!INCLUDE [api-management-availability-premium](../../includes/api-management-availability-premium.md)] > [!NOTE] > * Workspaces are a preview feature of API Management and subject to certain [limitations](workspaces-overview.md#preview-limitations). diff --git a/articles/api-management/how-to-create-workspace.md b/articles/api-management/how-to-create-workspace.md index c61b06217d7c5..2604a117b8112 100644 --- a/articles/api-management/how-to-create-workspace.md +++ b/articles/api-management/how-to-create-workspace.md @@ -13,7 +13,7 @@ ms.custom: Set up a [workspace](workspaces-overview.md) (preview) to enable a decentralized API development team to manage and productize their own APIs, while a central API platform team maintains the API Management infrastructure. After you create a workspace and assign permissions, workspace collaborators can create and manage their own APIs, products, subscriptions, and related resources. -[!INCLUDE [api-management-availability-premium-dev-standard](../../includes/api-management-availability-premium-dev-standard.md)] +[!INCLUDE [api-management-availability-premium](../../includes/api-management-availability-premium.md)] > [!NOTE] > * Workspaces are a preview feature of API Management and subject to certain [limitations](workspaces-overview.md#preview-limitations). 
diff --git a/articles/app-service/configure-ssl-certificate.md b/articles/app-service/configure-ssl-certificate.md index 0148bcc7bb51f..3f28a33a87127 100644 --- a/articles/app-service/configure-ssl-certificate.md +++ b/articles/app-service/configure-ssl-certificate.md @@ -134,7 +134,7 @@ If you use Azure Key Vault to manage your certificates, you can import a PKCS12 By default, the App Service resource provider doesn't have access to your key vault. To use a key vault for a certificate deployment, you must [authorize read access for the resource provider to the key vault](../key-vault/general/assign-access-policy-cli.md). > [!NOTE] -> Currently, a Key Vault certificate supports only the Key Vault access policy, not RBAC model. +> Currently, the Azure portal does not allow you to configure an App Service certificate in Key Vault to use the RBAC model. You can, however, use Azure CLI, Azure PowerShell, or an ARM template deployment to perform this configuration. For more information, see [Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control](../key-vault/general/rbac-guide.md?tabs=azure-cli). | Resource provider | Service principal AppId | Key vault secret permissions | Key vault certificate permissions | |--|--|--|--| diff --git a/articles/app-service/environment/media/migration/migration-error-2.png b/articles/app-service/environment/media/migration/migration-error-2.png index 952e50aa067be..f3125ea62fc1d 100644 Binary files a/articles/app-service/environment/media/migration/migration-error-2.png and b/articles/app-service/environment/media/migration/migration-error-2.png differ diff --git a/articles/azure-monitor/agents/data-collection-text-log.md b/articles/azure-monitor/agents/data-collection-text-log.md index 2b33366644501..d80c80f88e036 100644 --- a/articles/azure-monitor/agents/data-collection-text-log.md +++ b/articles/azure-monitor/agents/data-collection-text-log.md 
@@ -2,7 +2,7 @@ title: Collect logs from a text or JSON file with Azure Monitor Agent description: Configure a data collection rule to collect log data from a text or JSON file on a virtual machine using Azure Monitor Agent. ms.topic: conceptual -ms.date: 03/01/2024 +ms.date: 10/31/2023 author: guywi-ms ms.author: guywild ms.reviewer: jeffwo @@ -25,8 +25,6 @@ To complete this procedure, you need: - [Permissions to create Data Collection Rule objects](../essentials/data-collection-rule-create-edit.md#permissions) in the workspace. -- JSON text must be contained in a single row for proper ingestion. The JSON body (file) format is not supported. - - A Virtual Machine, Virtual Machine Scale Set, Arc-enabled server on-premises or Azure Monitoring Agent on a Windows on-premises client that writes logs to a text or JSON file. Text and JSON file requirements and best practices: 
@@ -45,14 +43,10 @@ To complete this procedure, you need: The table created in the script has two columns: -- `TimeGenerated` (datetime) [Required] -- `RawData` (string) [Optional if table schema provided] -- 'FilePath' (string) [Optional] -- `YourOptionalColumn` (string) [Optional] - -The default table schema for log data collected from text files is 'TimeGenerated' and 'RawData'. Adding the 'FilePath' to either team is optional. If you know your final schema or your source is a JSON log, you can add the final columns in the script before creating the table. You can always [add columns using the Log Analytics table UI](../logs/create-custom-table.md#add-or-delete-a-custom-column) later. +- `TimeGenerated` (datetime) +- `RawData` (string -Your columns names and JSON attributes must exactly match to automatically parse into the table. Both columns and JSON attributes are case sensitive. For example `Rawdata` will not collect the event data. It must be `RawData`. Ingestion will drop JSON attributes that do not have a corresponding column. +This is the default table schema for log data collected from text and JSON files. If you know your final schema, you can add columns in the script before creating the table. If you don't, you can [add columns using the Log Analytics table UI](../logs/create-custom-table.md#add-or-delete-a-custom-column). The easiest way to make the REST call is from an Azure Cloud PowerShell command line (CLI). To open the shell, go to the Azure portal, press the Cloud Shell button, and select PowerShell. If this is your first time using Azure Cloud PowerShell, you'll need to walk through the one-time configuration wizard. @@ -72,15 +66,7 @@ $tableParams = @' { "name": "RawData", "type": "String" - }, - { - "name": "FilePath", - "type": "String" - }, - { - "name": `"YourOptionalColumn", - "type": "String" - } + } ] } } 
@@ -92,7 +78,10 @@ Invoke-AzRestMethod -Path "/subscriptions/{subscription}/resourcegroups/{resourc You should receive a 200 response and details about the table you just created. -## Create a data collection rule for a text or JSON file +> [!Note] +> The column names are case sensitive. For example `Rawdata` will not correctly collect the event data. It must be `RawData`. + +## Create a data collection rule to collect data from a text or JSON file The data collection rule defines: @@ -102,12 +91,8 @@ The data collection rule defines: You can define a data collection rule to send data from multiple machines to multiple Log Analytics workspaces, including workspaces in a different region or tenant. Create the data collection rule in the *same region* as your Log Analytics workspace. - > [!NOTE] > To send data across tenants, you must first enable [Azure Lighthouse](../../lighthouse/overview.md). -> -> To automatically parse your JSON log file into a custom table follow the Resource Manager template steps. Text data can be transformed into columns using [ingestion-time transformation](../essentials/data-collection-transformations.md) - ### [Portal](#tab/portal) 
@@ -133,7 +118,7 @@ To create the data collection rule in the Azure portal: > The portal enables system-assigned managed identity on the target resources, along with existing user-assigned identities, if there are any. For existing applications, unless you specify the user-assigned identity in the request, the machine defaults to using system-assigned identity instead. 1. Select **Enable Data Collection Endpoints**. - 1. Optionally, you can select a data collection endpoint for each of the virtual machines associate to the data collection rule. Most of the time you should just use the defaults. + 1. Select a data collection endpoint for each of the virtual machines associate to the data collection rule. This data collection endpoint sends configuration files to the virtual machine and must be in the same region as the virtual machine. For more information, see [How to set up data collection endpoints based on your deployment](../essentials/data-collection-endpoint-overview.md#how-to-set-up-data-collection-endpoints-based-on-your-deployment). @@ -167,6 +152,9 @@ To create the data collection rule in the Azure portal: ### [Resource Manager template](#tab/arm) +1. The data collection rule requires the resource ID of your workspace. Navigate to your workspace in the **Log Analytics workspaces** menu in the Azure portal. From the **Properties** page, copy the **Resource ID** and save it for later use. + + :::image type="content" source="../logs/media/tutorial-logs-ingestion-api/workspace-resource-id.png" lightbox="../logs/media/tutorial-logs-ingestion-api/workspace-resource-id.png" alt-text="Screenshot showing workspace resource ID."::: 1. In the Azure portal's search box, type in *template* and then select **Deploy a custom template**. 
@@ -185,14 +173,46 @@ To create the data collection rule in the Azure portal: { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", + "parameters": { + "dataCollectionRuleName": { + "type": "string", + "metadata": { + "description": "Specifies the name of the Data Collection Rule to create." + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Specifies the location in which to create the Data Collection Rule." + } + }, + "workspaceName": { + "type": "string", + "metadata": { + "description": "Name of the Log Analytics workspace to use." + } + }, + "workspaceResourceId": { + "type": "string", + "metadata": { + "description": "Specifies the Azure resource ID of the Log Analytics workspace to use." + } + }, + "endpointResourceId": { + "type": "string", + "metadata": { + "description": "Specifies the Azure resource ID of the Data Collection Endpoint to use." + } + } + }, "resources": [ { "type": "Microsoft.Insights/dataCollectionRules", - "name": "dataCollectionRuleName", - "location": "location", - "apiVersion": "2022-06-01", + "name": "[parameters('dataCollectionRuleName')]", + "location": "[parameters('location')]", + "apiVersion": "2021-09-01-preview", "properties": { - "dataCollectionEndpointId": "endpointResourceId", + "dataCollectionEndpointId": "[parameters('endpointResourceId')]", "streamDeclarations": { "Custom-MyLogFileFormat": { "columns": [ @@ -203,14 +223,6 @@ To create the data collection rule in the Azure portal: { "name": "RawData", "type": "string" - }, - { - "name": "FilePath", - "type": "String" - }, - { - "name": "YourOptionalColumn" , - "type": "string" } ] } @@ -222,7 +234,7 @@ To create the data collection rule in the Azure portal: "Custom-MyLogFileFormat" ], "filePatterns": [ - "filePatterns" + "C:\\JavaLogs\\*.log" ], "format": "text", "settings": { 
@@ -231,14 +243,29 @@ To create the data collection rule in the Azure portal: } }, "name": "myLogFileFormat-Windows" + }, + { + "streams": [ + "Custom-MyLogFileFormat" + ], + "filePatterns": [ + "//var//*.log" + ], + "format": "text", + "settings": { + "text": { + "recordStartTimestampFormat": "ISO 8601" + } + }, + "name": "myLogFileFormat-Linux" } ] }, "destinations": { "logAnalytics": [ { - "workspaceResourceId": "workspaceResourceId", - "name": "workspaceName" + "workspaceResourceId": "[parameters('workspaceResourceId')]", + "name": "[parameters('workspaceName')]" } ] }, @@ -248,10 +275,10 @@ To create the data collection rule in the Azure portal: "Custom-MyLogFileFormat" ], "destinations": [ - "workspaceName" + "[parameters('workspaceName')]" ], "transformKql": "source", - "outputStream": "tableName" + "outputStream": "Custom-MyTable_CL" } ] } @@ -275,11 +302,11 @@ To create the data collection rule in the Azure portal: "resources": [ { "type": "Microsoft.Insights/dataCollectionRules", - "name": "dataCollectionRuleName", + "name": `DataCollectionRuleName`, "location": `location` , - "apiVersion": "2022-06-01", + "apiVersion": "2021-09-01-preview", "properties": { - "dataCollectionEndpointId": "endpointResourceId" , + "dataCollectionEndpointId": `endpointResourceId` , "streamDeclarations": { "Custom-JSONLog": { "columns": [ @@ -288,15 +315,7 @@ To create the data collection rule in the Azure portal: "type": "datetime" }, { - "name": "FilePath", - "type": "String" - }, - { - "name": "YourFirstAttribute", - "type": "string" - }, - { - "name": "YourSecondAttribute", + "name": "RawData", "type": "string" } ] 
@@ -309,20 +328,20 @@ To create the data collection rule in the Azure portal: "Custom-JSONLog" ], "filePatterns": [ - "filePatterns" + "C:\\JavaLogs\\*.log" ], "format": "json", "settings": { }, - "name": "myLogFileFormat" + "name": "myLogFileFormat " } ] }, "destinations": { "logAnalytics": [ { - "workspaceResourceId": "workspaceResourceId" , - "name": "workspaceName" + "workspaceResourceId": `workspaceResourceId` , + "name": "`workspaceName`" } ] }, @@ -332,10 +351,10 @@ To create the data collection rule in the Azure portal: "Custom-JSONLog" ], "destinations": [ - "workspaceName" + "`workspaceName`" ], "transformKql": "source", - "outputStream": "tableName" + "outputStream": "`Table-Name_CL`" } ] } 
@@ -352,44 +371,23 @@ To create the data collection rule in the Azure portal: 1. Update the following values in the Resource Manager template: - - `workspaceResorceId`: The data collection rule requires the resource ID of your workspace. Navigate to your workspace in the **Log Analytics workspaces** menu in the Azure portal. From the **Properties** page, copy the **Resource ID**. - - :::image type="content" source="../logs/media/tutorial-logs-ingestion-api/workspace-resource-id.png" lightbox="../logs/media/tutorial-logs-ingestion-api/workspace-resource-id.png" alt-text="Screenshot showing workspace resource ID."::: - - - `dataCollectionRuleName`: The name that you define for the data collection rule. Example "AwesomeDCR" - - - `location`: The data center that the rule will be located in. Must be the same data center as the Log Analytics Workspace. Example "WestUS2" - - - `endpointResourceId`: This is the ID of the DCRE. Example "/subscriptions/63b9abf1-7648-4bb2-996b-023d7aa492ce/resourceGroups/Awesome/providers/Microsoft.Insights/dataCollectionEndpoints/AwesomeDCE" - - - `workspaceName`: This is the name of your workspace. Example `AwesomeWorkspace` - - - `tableName`: The name of the destination table you created in your Log Analytics Workspace. For more information, see [Create a custom table](#create-a-custom-table).Example `AwesomeLogFile_CL` - - - `streamDeclarations`: Defines the columns of the incoming data. This must match the structure of the log file. Your columns names and JSON attributes must exactly match to automatically parse into the table. Both column names and JSON attribute are case sensitive. For example, `Rawdata` will not collect the event data. It must be `RawData`. Ingestion will drop JSON attributes that do not have a corresponding column. - - > [!NOTE] - > A custom stream names in the stream declaration must have a prefix of *Custom-*; for example, *Custom-JSON*. 
- - - `filePatterns`: Identifies where the log files are located on the local disk. You can enter multiple file patterns separated by commas (on Linux, AMA version 1.26 or higher is required to collect from a comma-separated list of file patterns). Examples of valid inputs: 20220122-MyLog.txt, ProcessA_MyLog.txt, ErrorsOnly_MyLog.txt, WarningOnly_MyLog.txt - - > [!NOTE] - > Multiple log files of the same type commonly exist in the same directory. For example, a machine might create a new file every day to prevent the log file from growing too large. To collect log data in this scenario, you can use a file wildcard. Use the format `C:\directoryA\directoryB\*MyLog.txt` for Windows and `/var/*.log` for Linux. There is no support for directory wildcards. - - - `transformKql`: Specifies a [transformation](../logs/../essentials//data-collection-transformations.md) to apply to the incoming data before it's sent to the workspace or or leave as **source** if you don't need to transform the collected data. - - > [!NOTE] - > JSON text must be contained on a single line. For example {"Element":"Gold","Symbol":"Au","NobleMetal":true,"AtomicNumber":79,"MeltingPointC":1064.18}. To transfom the data into a table with columns TimeGenerated, Element, Symbol, NobleMetal, AtomicNumber and Melting point use this transform: "transformKql": "source|extend d=todynamic(RawData)|project TimeGenerated, Element=tostring(d.Element), Symbol=tostring(d.Symbol), NobleMetal=tostring(d.NobleMetal), AtomicNumber=tostring(d.AtommicNumber), MeltingPointC=tostring(d.MeltingPointC) - + - `streamDeclarations`: Defines the columns of the incoming data. This must match the structure of the log file. + - `filePatterns`: Specifies the location and file pattern of the log files to collect. This defines a separate pattern for Windows and Linux agents. 
+ - `transformKql`: Specifies a [transformation](../logs/../essentials//data-collection-transformations.md) to apply to the incoming data before it's sent to the workspace. - See [Structure of a data collection rule in Azure Monitor](../essentials/data-collection-rule-structure.md) if you want to modify the data collection rule. + See [Structure of a data collection rule in Azure Monitor](../essentials/data-collection-rule-structure.md) if you want to modify the data collection rule. + > [!IMPORTANT] + > Custom data collection rules have a prefix of *Custom-*; for example, *Custom-rulename*. The *Custom-rulename* in the stream declaration must match the *Custom-rulename* name in the Log Analytics workspace. 1. Select **Save**. :::image type="content" source="../logs/media/tutorial-workspace-transformations-api/edit-template.png" lightbox="../logs/media/tutorial-workspace-transformations-api/edit-template.png" alt-text="Screenshot that shows portal screen to edit Resource Manager template."::: +1. On the **Custom deployment** screen, specify a **Subscription** and **Resource group** to store the data collection rule and then provide values defined in the template. This includes a **Name** for the data collection rule and the **Workspace Resource ID** and **Endpoint Resource ID**. The **Location** should be the same location as the workspace. The **Region** will already be populated and is used for the location of the data collection rule. + + :::image type="content" source="media/data-collection-text-log/custom-deployment-values.png" lightbox="media/data-collection-text-log/custom-deployment-values.png" alt-text="Screenshot that shows the Custom Deployment screen in the portal to edit custom deployment values for data collection rule."::: 1. Select **Review + create** and then **Create** when you review the details. 
@@ -397,10 +395,12 @@ To create the data collection rule in the Azure portal: :::image type="content" source="media/data-collection-text-log/data-collection-rule-details.png" lightbox="media/data-collection-text-log/data-collection-rule-details.png" alt-text="Screenshot that shows the Overview pane in the portal with data collection rule details."::: -1. Change the API version to **2022-06-01**. +1. Change the API version to **2021-09-01-preview**. :::image type="content" source="media/data-collection-text-log/data-collection-rule-json-view.png" lightbox="media/data-collection-text-log/data-collection-rule-json-view.png" alt-text="Screenshot that shows JSON view for data collection rule."::: +1. Copy the **Resource ID** for the data collection rule. You'll use this in the next step. + 1. Associate the data collection rule to the virtual machine you want to collect data from. You can associate the same data collection rule with multiple machines: 1. From the **Monitor** menu in the Azure portal, select **Data Collection Rules** and select the rule that you created. @@ -418,7 +418,7 @@ To create the data collection rule in the Azure portal: --- > [!NOTE] -> It can take up to 10 minutes for data to be sent to the destinations after you create the data collection rule. +> It can take up to 5 minutes for data to be sent to the destinations after you create the data collection rule. ### Sample log queries The column names used here are for example only. The column names for your log will most likely be different. 
@@ -444,6 +444,9 @@ The column names used here are for example only. The column names for your log w ## Troubleshoot Use the following steps to troubleshoot collection of logs from text and JSON files. +## Use the Azure Monitor Agent Troubleshooter +Use the [Azure Monitor Agent Troubleshooter](use-azure-monitor-agent-troubleshooter.md) to look for common issues and share results with Microsoft. + ### Check if you've ingested data to your custom table Start by checking if any records have been ingested into your custom log table by running the following query in Log Analytics: @@ -500,8 +503,6 @@ This file pattern should correspond to the logs on the agent machine. :::image type="content" source="media/data-collection-text-log/text-log-files.png" lightbox="media/data-collection-text-log/text-log-files.png" alt-text="Screenshot of text log files on agent machine." border="false"::: -### Use the Azure Monitor Agent Troubleshooter -Use the [Azure Monitor Agent Troubleshooter](use-azure-monitor-agent-troubleshooter.md) to look for common issues and share results with Microsoft. ### Verify that logs are being populated The agent will only collect new content written to the log file being collected. If you're experimenting with the collection logs from a text or JSON file, you can use the following script to generate sample logs. diff --git a/articles/azure-monitor/app/opentelemetry-add-modify.md b/articles/azure-monitor/app/opentelemetry-add-modify.md index 9f188b7b13453..c3a9295b20d01 100644 --- a/articles/azure-monitor/app/opentelemetry-add-modify.md +++ b/articles/azure-monitor/app/opentelemetry-add-modify.md 
@@ -1725,17 +1725,9 @@ Adding one or more span attributes populates the `customDimensions` field in the ```typescript // Import the necessary packages. const { useAzureMonitor } = require("@azure/monitor-opentelemetry"); -const { trace, ProxyTracerProvider } = require("@opentelemetry/api"); const { ReadableSpan, Span, SpanProcessor } = require("@opentelemetry/sdk-trace-base"); -const { NodeTracerProvider } = require("@opentelemetry/sdk-trace-node"); const { SemanticAttributes } = require("@opentelemetry/semantic-conventions"); -// Enable Azure Monitor integration. -useAzureMonitor(); - -// Get the NodeTracerProvider instance. -const tracerProvider = ((trace.getTracerProvider() as ProxyTracerProvider).getDelegate() as NodeTracerProvider); - // Create a new SpanEnrichingProcessor class. class SpanEnrichingProcessor implements SpanProcessor { forceFlush(): Promise { @@ -1755,8 +1747,13 @@ class SpanEnrichingProcessor implements SpanProcessor { } } -// Add the SpanEnrichingProcessor instance to the NodeTracerProvider instance. -tracerProvider.addSpanProcessor(new SpanEnrichingProcessor()); +// Enable Azure Monitor integration. +const options: AzureMonitorOpenTelemetryOptions = { + // Add the SpanEnrichingProcessor + spanProcessors: [new SpanEnrichingProcessor()] +} +useAzureMonitor(options); + ``` ##### [Python](#tab/python) 
@@ -1960,29 +1957,27 @@ Logback, Log4j, and java.util.logging are [autoinstrumented](#logs). Attaching c #### [Node.js](#tab/nodejs) ```typescript - // Import the useAzureMonitor function and the logs module from the @azure/monitor-opentelemetry and @opentelemetry/api-logs packages, respectively. const { useAzureMonitor } = require("@azure/monitor-opentelemetry"); - const { logs } = require("@opentelemetry/api-logs"); - import { Logger } from "@opentelemetry/sdk-logs"; + const bunyan = require('bunyan'); - // Enable Azure Monitor integration. - useAzureMonitor(); + // Instrumentations configuration + const options: AzureMonitorOpenTelemetryOptions = { + instrumentationOptions: { + // Instrumentations generating logs + bunyan: { enabled: true }, + } + }; - // Get the logger for the "testLogger" logger name. - const logger = (logs.getLogger("testLogger") as Logger); + // Enable Azure Monitor integration + useAzureMonitor(options); - // Create a new log record. - const logRecord = { - body: "testEvent", - attributes: { + var log = bunyan.createLogger({ name: 'testApp' }); + log.info({ "testAttribute1": "testValue1", "testAttribute2": "testValue2", "testAttribute3": "testValue3" - } - }; + }, 'testEvent'); - // Emit the log record. - logger.emit(logRecord); ``` #### [Python](#tab/python) 
@@ -2147,18 +2142,28 @@ See [sampling overrides](java-standalone-config.md#sampling-overrides-preview) a Use the add [custom property example](#add-a-custom-property-to-a-span), but replace the following lines of code: ```typescript - // Import the SpanKind and TraceFlags classes from the @opentelemetry/api package. + // Import the necessary packages. const { SpanKind, TraceFlags } = require("@opentelemetry/api"); + const { ReadableSpan, Span, SpanProcessor } = require("@opentelemetry/sdk-trace-base"); // Create a new SpanEnrichingProcessor class. - class SpanEnrichingProcessor { + class SpanEnrichingProcessor implements SpanProcessor { + forceFlush(): Promise { + return Promise.resolve(); + } - onEnd(span) { - // If the span is an internal span, set the trace flags to NONE. - if(span.kind == SpanKind.INTERNAL){ - span.spanContext().traceFlags = TraceFlags.NONE; + shutdown(): Promise { + return Promise.resolve(); + } + + onStart(_span: Span): void {} + + onEnd(span) { + // If the span is an internal span, set the trace flags to NONE. + if(span.kind == SpanKind.INTERNAL){ + span.spanContext().traceFlags = TraceFlags.NONE; + } } - } } ``` diff --git a/articles/azure-monitor/app/opentelemetry-configuration.md b/articles/azure-monitor/app/opentelemetry-configuration.md index a31485058e46e..209ffc835599e 100644 --- a/articles/azure-monitor/app/opentelemetry-configuration.md +++ b/articles/azure-monitor/app/opentelemetry-configuration.md 
@@ -783,22 +783,18 @@ For more information about Java, see the [Java supplemental documentation](java- ```typescript // Import the useAzureMonitor function, the AzureMonitorOpenTelemetryOptions class, the trace module, the ProxyTracerProvider class, the BatchSpanProcessor class, the NodeTracerProvider class, and the OTLPTraceExporter class from the @azure/monitor-opentelemetry, @opentelemetry/api, @opentelemetry/sdk-trace-base, @opentelemetry/sdk-trace-node, and @opentelemetry/exporter-trace-otlp-http packages, respectively. const { useAzureMonitor, AzureMonitorOpenTelemetryOptions } = require("@azure/monitor-opentelemetry"); - const { trace, ProxyTracerProvider } = require("@opentelemetry/api"); const { BatchSpanProcessor } = require('@opentelemetry/sdk-trace-base'); - const { NodeTracerProvider } = require('@opentelemetry/sdk-trace-node'); const { OTLPTraceExporter } = require('@opentelemetry/exporter-trace-otlp-http'); - // Enable Azure Monitor integration. - useAzureMonitor(); - // Create a new OTLPTraceExporter object. const otlpExporter = new OTLPTraceExporter(); - // Get the NodeTracerProvider instance. - const tracerProvider = ((trace.getTracerProvider() as ProxyTracerProvider).getDelegate() as NodeTracerProvider); - - // Add a BatchSpanProcessor to the NodeTracerProvider instance. - tracerProvider.addSpanProcessor(new BatchSpanProcessor(otlpExporter)); + // Enable Azure Monitor integration. + const options: AzureMonitorOpenTelemetryOptions = { + // Add the SpanEnrichingProcessor + spanProcessors: [new BatchSpanProcessor(otlpExporter)] + } + useAzureMonitor(options); ``` #### [Python](#tab/python) diff --git a/articles/azure-monitor/essentials/prometheus-metrics-overview.md b/articles/azure-monitor/essentials/prometheus-metrics-overview.md index 8cea23247f1f1..6039e0528b683 100644 --- a/articles/azure-monitor/essentials/prometheus-metrics-overview.md +++ b/articles/azure-monitor/essentials/prometheus-metrics-overview.md 
@@ -38,9 +38,9 @@ Azure Monitor managed service for Prometheus supports recording rules and alert Alerts fired by alert rules can trigger actions or notifications, as defined in the [action groups](../alerts/action-groups.md) configured for the alert rule. You can also view fired and resolved Prometheus alerts in the Azure portal along with other alert types. -## Service limits & quotas +## Service limits and quotas -See [Azure Monitor service limits](../service-limits.md#prometheus-metrics) for service limits & quotas for Azure Monitor Managed service for Prometheus. +Azure Monitor Managed service for Prometheus has default limits and quotas for ingestion. When you reach the ingestion limits throttling can occur. You can request an increase in these limits. For more information on throttling and requesting increased limits, see [Metrics throttling](../containers/prometheus-metrics-troubleshoot.md#metrics-throttling). For information on Prometheus metrics limits, see [Azure Monitor service limits](../service-limits.md#prometheus-metrics). ## Limitations/Known issues - Azure Monitor managed Service for Prometheus diff --git a/articles/azure-vmware/azure-vmware-solution-known-issues.md b/articles/azure-vmware/azure-vmware-solution-known-issues.md index 511ba4a024a05..fa72821c18279 100644 --- a/articles/azure-vmware/azure-vmware-solution-known-issues.md +++ b/articles/azure-vmware/azure-vmware-solution-known-issues.md @@ -4,7 +4,7 @@ description: This article provides details about the known issues of Azure VMwar ms.topic: reference ms.custom: "engagement-fy23" ms.service: azure-vmware -ms.date: 3/07/2024 +ms.date: 3/18/2024 --- # Known issues: Azure VMware Solution 
@@ -24,7 +24,7 @@ Refer to the table to find details about resolution dates or possible workaround | [VMSA-2023-023](https://www.vmware.com/security/advisories/VMSA-2023-0023.html) VMware vCenter Server Out-of-Bounds Write Vulnerability (CVE-2023-34048) publicized in October 2023 | October 2023 | A risk assessment of CVE-2023-03048 was conducted and it was determined that sufficient controls are in place within Azure VMware Solution to reduce the risk of CVE-2023-03048 from a CVSS Base Score of 9.8 to an adjusted Environmental Score of [6.8](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/MAC:L/MPR:H/MUI:R) or lower. Adjustments from the base score were possible due to the network isolation of the Azure VMware Solution vCenter Server (ports 2012, 2014, and 2020 are not exposed via any interactive network path) and multiple levels of authentication and authorization necessary to gain interactive access to the vCenter Server network segment. AVS is currently rolling out [7.0U3o](https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3o-release-notes/index.html) to address this issue. | March 2024 - Resolved in [ESXi 7.0U3o](https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3o-release-notes/index.html) | | The AV64 SKU currently supports RAID-1 FTT1, RAID-5 FTT1, and RAID-1 FTT2 vSAN storage policies. For more information, see [AV64 supported RAID configuration](introduction.md#av64-supported-raid-configuration) | Nov 2023 | Use AV36, AV36P, or AV52 SKUs when RAID-6 FTT2 or RAID-1 FTT3 storage policies are needed. | N/A | | VMware HCX version 4.8.0 Network Extension (NE) Appliance VMs running in High Availability (HA) mode may experience intermittent Standby to Active failover. 
For more information, see [HCX - NE appliances in HA mode experience intermittent failover (96352)](https://kb.vmware.com/s/article/96352) | Jan 2024 | Avoid upgrading to VMware HCX 4.8.0 if you are using NE appliances in a HA configuration. | Feb 2024 - Resolved in [VMware HCX 4.8.2](https://docs.vmware.com/en/VMware-HCX/4.8.2/rn/vmware-hcx-482-release-notes/index.html) | -| [VMSA-2024-0006](https://www.vmware.com/security/advisories/VMSA-2024-0006.html) ESXi Use-after-free and Out-of-bounds write vulnerability | March 2024 | AVS has confirmed the applicability of the vulnerabilities and are actively working on a rollout of the provided VMware updates. | March 2024 | +| [VMSA-2024-0006](https://www.vmware.com/security/advisories/VMSA-2024-0006.html) ESXi Use-after-free and Out-of-bounds write vulnerability | March 2024 | Microsoft has confirmed the applicability of the vulnerabilities and is actively working on a rollout of the provided VMware updates. | March 2024 | In this article, you learned about the current known issues with the Azure VMware Solution. diff --git a/articles/azure-vmware/index.yml b/articles/azure-vmware/index.yml index 1a7a42f7578e5..30b560bb4a3a7 100644 --- a/articles/azure-vmware/index.yml +++ b/articles/azure-vmware/index.yml @@ -11,7 +11,7 @@ metadata: ms.topic: hub-page author: jjaygbay1 ms.author: jjaygbay1 - ms.date: 01/03/2024 + ms.date: 3/18/2024 highlightedContent: @@ -88,7 +88,7 @@ additionalContent: url: tutorial-configure-networking.md - text: 4 - Access a private cloud url: tutorial-access-private-cloud.md - - text: 5 - Create an NSX-T Data Center network segment + - text: 5 - Create an NSX network segment url: tutorial-nsx-t-network-segment.md - text: 6 - Peer on-premises to private cloud url: tutorial-expressroute-global-reach-private-cloud.md 
@@ -131,7 +131,7 @@ additionalContent: url: configure-dns-azure-vmware-solution.md - text: Configure port mirroring url: configure-port-mirroring-azure-vmware-solution.md - - text: Enable Public IP to the NSX-T Data Center Microsoft Edge for Azure VMware Solution + - text: Enable Public IP to the NSX Edge for Azure VMware Solution url: enable-public-ip-nsx-edge.md - text: Configure a site-to-site VPN in vWAN url: configure-site-to-site-vpn-gateway.md @@ -209,7 +209,7 @@ additionalContent: url: configure-hcx-network-extension.md - text: Configure HCX network extension high availability url: configure-hcx-network-extension-high-availability.md - - text: Configure VMware vRealize Operations + - text: Configure VMware Aria Operations url: vrealize-operations-for-azure-vmware-solution.md - text: Deploy VMware Horizon url: azure-vmware-solution-horizon.md diff --git a/articles/azure-vmware/media/vrealize-operations-manager/aria-operations-deployment-option-1.png b/articles/azure-vmware/media/vrealize-operations-manager/aria-operations-deployment-option-1.png new file mode 100644 index 0000000000000..81e73efafb200 Binary files /dev/null and b/articles/azure-vmware/media/vrealize-operations-manager/aria-operations-deployment-option-1.png differ diff --git a/articles/azure-vmware/media/vrealize-operations-manager/vrealize-operations-deployment-option-1.png b/articles/azure-vmware/media/vrealize-operations-manager/vrealize-operations-deployment-option-1.png deleted file mode 100644 index 152c0680a6547..0000000000000 Binary files a/articles/azure-vmware/media/vrealize-operations-manager/vrealize-operations-deployment-option-1.png and /dev/null differ diff --git a/articles/azure-vmware/toc.yml b/articles/azure-vmware/toc.yml index 27a8010028f35..f55085cc02683 100644 --- a/articles/azure-vmware/toc.yml +++ b/articles/azure-vmware/toc.yml 
@@ -33,7 +33,7 @@ items: href: tutorial-configure-networking.md - name: 4 - Access a private cloud href: tutorial-access-private-cloud.md - - name: 5 - Create an NSX-T Data Center network segment + - name: 5 - Create an NSX network segment href: tutorial-nsx-t-network-segment.md - name: 6 - Peer on-premises to private cloud href: tutorial-expressroute-global-reach-private-cloud.md @@ -129,13 +129,13 @@ items: items: - name: Set an external identity source for vCenter Server href: configure-identity-source-vcenter.md - - name: Set an external identity source for NSX-T Data Center + - name: Set an external identity source for NSX href: configure-external-identity-source-nsx-t.md - name: Configure internet connectivity items: - name: Enable Managed SNAT for Azure VMware Solution workloads href: enable-managed-snat-for-workloads.md - - name: Enable public IP on the NSX-T Data Center Edge for Azure VMware Solution + - name: Enable public IP on the NSX Edge for Azure VMware Solution href: enable-public-ip-nsx-edge.md - name: Disable internet access or enable a default route href: disable-internet-access.md @@ -151,7 +151,7 @@ items: href: configure-hcx-network-extension.md - name: VMware HCX Mobility Optimized Networking (MON) guidance href: vmware-hcx-mon-guidance.md - - name: Configure NSX-T Data Center network components + - name: Configure NSX network components href: configure-nsx-network-components-azure-portal.md - name: Configure port mirroring href: configure-port-mirroring-azure-vmware-solution.md @@ -247,7 +247,7 @@ items: href: configure-hcx-network-extension.md - name: Configure VMware HCX network extension high availability href: configure-hcx-network-extension-high-availability.md - - name: Configure VMware vRealize Operations + - name: Configure VMware Aria Operations href: vrealize-operations-for-azure-vmware-solution.md - name: Deploy VMware Horizon href: azure-vmware-solution-horizon.md 
@@ -257,7 +257,7 @@ items: href: enable-hcx-access-over-internet.md - name: Configure VMware Cloud Director Service in Azure VMware Solution href: configure-vmware-cloud-director-service-azure-vmware-solution.md - - name: Enable VMware Cloud director service with Azure VMware solution (Preview) + - name: Enable VMware Cloud Director Service with Azure VMware solution href: enable-vmware-cds-with-azure.md - name: Deploy VMware Cloud Director Availability in Azure VMware Solution href: deploy-vmware-cloud-director-availability-in-azure-vmware-solution.md diff --git a/articles/azure-vmware/vrealize-operations-for-azure-vmware-solution.md b/articles/azure-vmware/vrealize-operations-for-azure-vmware-solution.md index 386b29338dec8..0cfe4b7040b6a 100644 --- a/articles/azure-vmware/vrealize-operations-for-azure-vmware-solution.md +++ b/articles/azure-vmware/vrealize-operations-for-azure-vmware-solution.md 
@@ -1,57 +1,53 @@ --- -title: Configure vRealize Operations for Azure VMware Solution -description: Learn how to set up vRealize Operations for your Azure VMware Solution private cloud. +title: Configure VMware Aria Operations for Azure VMware Solution +description: Learn how to set up VMware Aria Operations for your Azure VMware Solution private cloud. ms.topic: how-to ms.service: azure-vmware -ms.date: 12/20/2023 +ms.date: 3/18/2024 ms.custom: engagement-fy23 --- -# Configure vRealize Operations for Azure VMware Solution +# Configure Aria Operations for Azure VMware Solution -vRealize Operations is an operations management platform that allows VMware infrastructure administrators to monitor system resources. These system resources could be application-level or infrastructure level (both physical and virtual) objects. Most VMware administrators use vRealize Operations to monitor and manage the VMware private cloud components – vCenter Server, ESXi, NSX-T Data Center, vSAN, and VMware HCX. Each provisioned Azure VMware Solution private cloud includes a dedicated vCenter Server, NSX-T Data Center, vSAN, and HCX deployment. +Aria Operations is an operations management platform that allows VMware infrastructure administrators to monitor system resources. These system resources could be application-level or infrastructure level (both physical and virtual) objects. Most VMware administrators use Aria Operations to monitor and manage their VMware private cloud components – vCenter Server, ESXi, NSX, vSAN, and VMware HCX. Each provisioned Azure VMware Solution private cloud includes a dedicated vCenter Server, NSX Manager, vSAN, and HCX deployment. -Thoroughly review [Before you begin](#before-you-begin) and [Prerequisites](#prerequisites) first. 
Then, we walk you through the two typical deployment topologies: - -> [!div class="checklist"] -> * [On-premises vRealize Operations managing Azure VMware Solution deployment](#on-premises-vrealize-operations-managing-azure-vmware-solution-deployment) -> * [vRealize Operations Cloud managing Azure VMware Solution deployment](#vrealize-operations-cloud-managing-azure-vmware-solution-deployment) +Thoroughly review [Before you begin](#before-you-begin) and [Prerequisites](#prerequisites) first. ## Before you begin -* Review the [vRealize Operations Manager product documentation](https://docs.vmware.com/en/vRealize-Operations-Manager/8.1/com.vmware.vcom.vapp.doc/GUID-7FFC61A0-7562-465C-A0DC-46D092533984.html) to learn more about deploying vRealize Operations. +* Review the [Aria Operations product documentation](https://docs.vmware.com/en/VMware-Aria-Operations/index.html) to learn more about deploying Aria Operations. * Review the basic Azure VMware Solution Software-Defined Datacenter (SDDC) [tutorial series](tutorial-network-checklist.md). -* Optionally, review the [vRealize Operations Remote Controller](https://docs.vmware.com/en/vRealize-Operations-Manager/8.1/com.vmware.vcom.vapp.doc/GUID-263F9219-E801-4383-8A59-E84F3D01ED6B.html) product documentation for the on-premises vRealize Operations managing Azure VMware Solution deployment option. +* Optionally, review the [Aria Operations Remote Collector Nodes](https://docs.vmware.com/en/VMware-Aria-Operations/8.14/Getting-Started-Operations/GUID-263F9219-E801-4383-8A59-E84F3D01ED6B.html) product documentation for the on-premises Aria Operations managing Azure VMware Solution deployment option. ## Prerequisites -* [vRealize Operations Manager](https://docs.vmware.com/en/vRealize-Operations-Manager/8.1/com.vmware.vcom.vapp.doc/GUID-7FFC61A0-7562-465C-A0DC-46D092533984.html) installed. -* A VPN or an Azure ExpressRoute configured between on-premises and Azure VMware Solution SDDC. 
+* [Aria Operations](https://docs.vmware.com/en/VMware-Aria-Operations/8.14/Getting-Started-Operations/GUID-69F7FAD8-3152-4376-9171-2208D6C9FA3A.html) is installed. * An Azure VMware Solution private cloud is deployed in Azure. +* A VPN or an Azure ExpressRoute configured between on-premises and Azure VMware Solution private cloud. -## On-premises vRealize Operations managing Azure VMware Solution deployment -Most customers have an existing on-premises deployment of vRealize Operations to manage one or more on-premises vCenter Server domains. When they provision an Azure VMware Solution private cloud, they connect their on-premises environment with their private cloud using an Azure ExpressRoute or a Layer 3 VPN solution. +## On-premises Aria Operations managing Azure VMware Solution deployment +Most customers have an existing on-premises deployment of Aria Operations to manage one or more on-premises vCenter Server SSO domains. When they provision an Azure VMware Solution private cloud, they connect their on-premises environment with their private cloud using an Azure ExpressRoute or a Layer 3 VPN solution. -:::image type="content" source="media/vrealize-operations-manager/vrealize-operations-deployment-option-1.png" alt-text="Diagram showing the on-premises vRealize Operations managing Azure VMware Solution deployment." border="false"::: +:::image type="content" source="media/vrealize-operations-manager/aria-operations-deployment-option-1.png" alt-text="Diagram showing the on-premises Aria Operations managing the Azure VMware Solution deployment." border="false" lightbox="media/vrealize-operations-manager/aria-operations-deployment-option-1.png"::: -To extend the vRealize Operations capabilities to the Azure VMware Solution private cloud, you create an adapter [instance for the private cloud resources](https://docs.vmware.com/en/vRealize-Operations-Manager/8.1/com.vmware.vcom.config.doc/GUID-640AD750-301E-4D36-8293-1BFEB67E2600.html). 
It collects data from the Azure VMware Solution private cloud and brings it into on-premises vRealize Operations. The on-premises vRealize Operations Manager instance can directly connect to the vCenter Server and NSX-T Manager on Azure VMware Solution. Optionally, you can deploy a vRealize Operations Remote Collector on the Azure VMware Solution private cloud. The collector compresses and encrypts the data collected from the private cloud before it's sent over the ExpressRoute or VPN network to the vRealize Operations Manager running on-premises. +To extend the Aria Operations capabilities to the Azure VMware Solution private cloud, you create an adapter [instance for the private cloud resources](https://docs.vmware.com/en/VMware-Aria-Operations/8.16/Configuring-Operations/GUID-6CDFEDDC-A72C-4AB4-B8E8-84542CC6CE27.html). It collects data from the Azure VMware Solution private cloud and brings it into the on-premises Aria Operations. The on-premises Aria Operations instance can directly connect to the vCenter Server and NSX Manager of the Azure VMware Solution. Optionally, you can deploy an Aria Operations Remote Collector in the Azure VMware Solution private cloud. The collector compresses and encrypts the data collected from the private cloud before it's sent over the ExpressRoute or VPN network to the Aria Operations running on-premises. > [!TIP] -> Refer to the [VMware documentation](https://docs.vmware.com/en/vRealize-Operations-Manager/8.1/com.vmware.vcom.vapp.doc/GUID-7FFC61A0-7562-465C-A0DC-46D092533984.html) for step-by-step guide for installing vRealize Operations Manager. +> Refer to the [VMware documentation](https://docs.vmware.com/en/VMware-Aria-Operations/8.14/Getting-Started-Operations/GUID-69F7FAD8-3152-4376-9171-2208D6C9FA3A.html) for step-by-step guide for installing Aria Operations. 
-## vRealize Operations Cloud managing Azure VMware Solution deployment -VMware vRealize Operations Cloud supports the Azure VMware Solution, including the vCenter Server, vSAN and NSX-T Data Center adapters. +## Aria Operations Cloud managing Azure VMware Solution deployment +VMware Aria Operations Cloud supports the Azure VMware Solution, including the vCenter Server, vSAN and NSX adapters. > [!IMPORTANT] -> Refer to the [VMware documentation](https://docs.vmware.com/en/vRealize-Operations/Cloud/com.vmware.vcom.config.doc/GUID-6CDFEDDC-A72C-4AB4-B8E8-84542CC6CE27.html) for step-by-step guide for connecting vRealize Operations Cloud to Azure VMware Solution. +> Refer to the [VMware documentation](https://docs.vmware.com/en/VMware-Aria-Operations/index.html) for the step-by-step guide for connecting Aria Operations Cloud to Azure VMware Solution. ## Known limitations -- The **cloudadmin@vsphere.local** user in Azure VMware Solution has [limited privileges](concepts-identity.md). Virtual machines (VMs) on Azure VMware Solution doesn't support in-guest memory collection using VMware tools. Active and consumed memory utilization continues to work in this case. +- The **cloudadmin@vsphere.local** user in Azure VMware Solution has [limited privileges](concepts-identity.md). Virtual machines (VMs) on Azure VMware Solution doesn't support in-guest memory collection using VMware tools. Active and consumed memory utilization continues to work in this case. - Workload optimization for host-based business intent doesn't work because Azure VMware Solutions manage cluster configurations, including DRS settings. -- Workload optimization for the cross-cluster placement within the SDDC using the cluster-based business intent is fully supported with vRealize Operations Manager 8.0 and onwards. However, workload optimization isn't aware of resource pools and places the VMs at the cluster level. A user can manually correct it in the Azure VMware Solution vCenter Server interface. 
-- You can't sign in to vRealize Operations Manager using your Azure VMware Solution vCenter Server credentials. -- Azure VMware Solution doesn't support the vRealize Operations Manager plugin. +- Workload optimization for the cross-cluster placement within the private cloud using the cluster-based business intent is fully supported with Aria Operations. However, workload optimization isn't aware of resource pools and places the VMs at the cluster level. A user can manually correct it in the Azure VMware Solution vCenter Server interface. +- You can't sign into Aria Operations using your Azure VMware Solution vCenter Server credentials. +- Azure VMware Solution doesn't support the Aria Operations plugin. -When you connect the Azure VMware Solution vCenter Server to vRealize Operations Manager using a vCenter Server Cloud Account, you see a warning: +When you connect the Azure VMware Solution vCenter Server to Aria Operations using a vCenter Server CloudAdmin Account, you see a warning: :::image type="content" source="./media/vrealize-operations-manager/warning-adapter-instance-creation-succeeded.png" alt-text="Screenshot shows a Warning message that states the adapter instance was created successfully."::: 
@@ -59,10 +55,10 @@ The warning occurs because the **cloudadmin@vsphere.local** user in Azure VMware :::image type="content" source="./media/vrealize-operations-manager/adapter-instance-to-perform-data-collection.png" alt-text="Screenshot shows the adapter instance to collect data."::: -For more information, see [Privileges Required for Configuring a vCenter Server Adapter Instance](https://docs.vmware.com/en/vRealize-Operations-Manager/8.1/com.vmware.vcom.core.doc/GUID-3BFFC92A-9902-4CF2-945E-EA453733B426.html). +For more information, see [Privileges Required for Configuring a vCenter Server Adapter Instance](https://docs.vmware.com/en/VMware-Aria-Operations/8.16/Configuring-Operations/GUID-3BFFC92A-9902-4CF2-945E-EA453733B426.html). > [!NOTE] -> VMware vRealize Automation(vRA) integration with the NSX-T Data Center component of the Azure VMware Solution requires the “auditor” role to be added to the user with the NSX-T Manager cloudadmin role. +> VMware Aria Operations integration with the NSX Manager component of the Azure VMware Solution requires the “auditor” role to be added to the user with the NSX Manager cloudadmin role. diff --git a/articles/container-instances/availability-zones.md b/articles/container-instances/availability-zones.md index 2b90c8a644ab7..522be20691e14 100644 --- a/articles/container-instances/availability-zones.md +++ b/articles/container-instances/availability-zones.md 
@@ -6,33 +6,23 @@ author: tomvcassidy ms.service: container-instances services: container-instances ms.topic: how-to -ms.date: 06/17/2022 +ms.date: 03/18/2024 ms.custom: devx-track-arm-template --- -# Deploy an Azure Container Instances (ACI) container group in an availability zone (preview) +# Deploy an Azure Container Instances (ACI) container group in an availability zone An [availability zone][availability-zone-overview] is a physically separate zone in an Azure region. You can use availability zones to protect your containerized applications from an unlikely failure or loss of an entire data center. Three types of Azure services support availability zones: *zonal*, *zone-redundant*, and *always-available* services. You can learn more about these types of services and how they promote resiliency in the [Highly available services section of Azure services that support availability zones](../availability-zones/az-region.md#highly-available-services). Azure Container Instances (ACI) supports *zonal* container group deployments, meaning the instance is pinned to a specific, self-selected availability zone. The availability zone is specified at the container group level. Containers within a container group can't have unique availability zones. To change your container group's availability zone, you must delete the container group and create another container group with the new availability zone. -> [!IMPORTANT] -> This feature is currently in preview. Previews are made available to you on the condition that you agree to the supplemental terms of use. - -> [!IMPORTANT] -> Zonal container group deployments are supported in most regions where ACI is available for Linux and Windows Server 2019 container groups. For details, see [Regions and resource availability][container-regions]. - > [!NOTE] > Examples in this article are formatted for the Bash shell. If you prefer another shell, adjust the line continuation characters accordingly. 
## Limitations > [!IMPORTANT] -> This feature is currently not available for Azure portal. - * Container groups with GPU resources don't support availability zones at this time. -* Virtual Network injected container groups don't support availability zones at this time. -* Windows Server 2016 container groups don't support availability zones at this time. ### Version requirements diff --git a/articles/container-instances/container-instances-liveness-probe.md b/articles/container-instances/container-instances-liveness-probe.md index 6be335ae9a4eb..19cc6bab845e5 100644 --- a/articles/container-instances/container-instances-liveness-probe.md +++ b/articles/container-instances/container-instances-liveness-probe.md @@ -16,9 +16,6 @@ This article explains how to deploy a container group that includes a liveness p Azure Container Instances also supports [readiness probes](container-instances-readiness-probe.md), which you can configure to ensure that traffic reaches a container only when it's ready for it. -> [!NOTE] -> Currently you cannot use a liveness probe in a container group deployed to a virtual network. - ## YAML deployment Create a `liveness-probe.yaml` file with the following snippet. This file defines a container group that consists of an NGINX container that eventually becomes unhealthy. diff --git a/articles/cosmos-db/mongodb/vcore/TOC.yml b/articles/cosmos-db/mongodb/vcore/TOC.yml index 384cccb37d8b2..3c79d75957b38 100644 --- a/articles/cosmos-db/mongodb/vcore/TOC.yml +++ b/articles/cosmos-db/mongodb/vcore/TOC.yml @@ -12,6 +12,8 @@ href: quickstart-portal.md - name: Create resources - Bicep template href: quickstart-bicep.md + - name: Create resources - Terraform + href: quickstart-terraform.md - name: Tutorials items: - name: Build web applications diff --git a/articles/cosmos-db/mongodb/vcore/quickstart-terraform.md b/articles/cosmos-db/mongodb/vcore/quickstart-terraform.md new file mode 100644 index 0000000000000..18403681e50e3 --- /dev/null 
+++ b/articles/cosmos-db/mongodb/vcore/quickstart-terraform.md 
@@ -0,0 +1,136 @@ +--- +title: | + Quickstart: Create a cluster with Terraform +titleSuffix: Azure Cosmos DB for MongoDB vCore +description: In this quickstart, create a new Azure Cosmos DB for MongoDB vCore cluster to store databases, collections, and documents by using Terraform. +author: gahl-levy +ms.author: gahllevy +ms.service: cosmos-db +ms.subservice: mongodb-vcore +ms.topic: quickstart +ms.date: 03/18/2024 +--- + +# Azure Cosmos DB for MongoDB (vCore) with Terraform +This document provides instructions on using Terraform to deploy Azure Cosmos DB for MongoDB vCore resources. This involves directly calling the ARM API through Terraform. + +## Prerequisites +- Terraform installed on your machine. +- An Azure subscription. + +## Terraform Configuration +Create a main.tf file and include the following configuration. Replace the resource group placeholder values (and region if needed) with your own: + +```hcl +terraform { + required_providers { + azurerm = { # <--- Note that it is azurerm + source = "hashicorp/azurerm" + version = "3.94.0" + } + } +} +provider "azurerm" { + features {} +} +resource "azurerm_resource_group" "example" { # replace if needed + name = "RESOURCE_GROUP" # replace + location = "West Europe" # replace if needed +} +resource "azurerm_resource_group_template_deployment" "terraform-arm" { + name = "terraform-arm-01" + resource_group_name = azurerm_resource_group.example.name + deployment_mode = "Incremental" + template_content = file("template.json") +} +``` + +Create a template.json file and populate it with the following JSON content, making sure to replace placeholder values (CLUSTER_NAME, TEMPLATE_NAME, region, node specs, administratorLogin, administratorLoginPassword), with your specific configurations: + +```json +{ + "$schema": https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#, + "contentVersion": "1.0.0.0", + "parameters": { + "CLUSTER_NAME": { // replace + "defaultValue": "TEMPLATE_NAME", // replace 
+ "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DocumentDB/mongoClusters", + "apiVersion": "2023-11-15-preview", + "name": "[parameters('CLUSTER_NAME')]", // replace + "location": "westeurope", // replace if needed + "properties": { + "clusterStatus": "Ready", + "administratorLogin": "", // replace + "administratorLoginPassword" : "", // replace + "serverVersion": "6.0", + "nodeGroupSpecs": [ + { + "kind": "Shard", + "sku": "M40", // replace if needed + "diskSizeGB": 128, + "enableHa": false, // replace if needed + "nodeCount": 1 + } + ] + } + }, + { + "type": "Microsoft.DocumentDB/mongoClusters/firewallRules", + "apiVersion": "2023-11-15-preview", + "name": "[concat(parameters('CLUSTER_NAME'), '/allowAll')]", // replace + "dependsOn": [ + "[resourceId('Microsoft.DocumentDB/mongoClusters', parameters('CLUSTER_NAME'))]" // replace + ], + "properties": { + "startIpAddress": "0.0.0.0", + "endIpAddress": "255.255.255.255" + } + }, + { + "type": "Microsoft.DocumentDB/mongoClusters/firewallRules", + "apiVersion": "2023-11-15-preview", + "name": "[concat(parameters('CLUSTER_NAME'), '/AllowAllAzureServicesAndResourcesWithinAzureIps_2023-12-6_17-3-22')]", // replace + "dependsOn": [ + "[resourceId('Microsoft.DocumentDB/mongoClusters', parameters('CLUSTER_NAME'))]" // replace + ], + "properties": { + "startIpAddress": "0.0.0.0", + "endIpAddress": "0.0.0.0" + } + }, + { + "type": "Microsoft.DocumentDB/mongoClusters/firewallRules", + "apiVersion": "2023-11-15-preview", + "name": "[concat(parameters('CLUSTER_NAME'), '/allowAzure')]", // replace + "dependsOn": [ + "[resourceId('Microsoft.DocumentDB/mongoClusters', parameters('CLUSTER_NAME'))]" // replace + ], + "properties": { + "startIpAddress": "0.0.0.0", + "endIpAddress": "0.0.0.0" + } + } + ] +} +``` + +## Deployment +Execute the following commands to initialize your Terraform workspace, create an execution plan, and apply the plan to deploy your resources: + +```bash +terraform init 
-upgrade +terraform plan -out main.tfplan +terraform apply "main.tfplan" +``` + + +## Next steps + +> [!div class="nextstepaction"] +> [Migration options for Azure Cosmos DB for MongoDB vCore](migration-options.md) diff --git a/articles/cost-management-billing/automate/understand-usage-details-fields.md b/articles/cost-management-billing/automate/understand-usage-details-fields.md index 39d7150fe3ea9..4d9db0760a897 100644 --- a/articles/cost-management-billing/automate/understand-usage-details-fields.md +++ b/articles/cost-management-billing/automate/understand-usage-details-fields.md @@ -115,7 +115,7 @@ MPA accounts have all MCA terms, in addition to the MPA terms, as described in t | Tags¹ | All | Tags assigned to the resource. Doesn't include resource group tags. Can be used to group or distribute costs for internal chargeback. For more information, see [Organize your Azure resources with tags](https://azure.microsoft.com/updates/organize-your-azure-resources-with-tags/). | | Term | All | Displays the term for the validity of the offer. For example: For reserved instances, it displays 12 months as the Term. For one-time purchases or recurring purchases, Term is one month (SaaS, Marketplace Support). Not applicable for Azure consumption. | | UnitOfMeasure | All | The unit of measure for billing for the service. For example, compute services are billed per hour. | -| UnitPrice² ³| EA, pay-as-you-go | The price for a given product or service inclusive of any negotiated discount that you might have on top of the market price (pay-as-you-go price) for your contract. | +| UnitPrice² ³| All | The price for a given product or service inclusive of any negotiated discount that you might have on top of the market price (pay-as-you-go price) for your contract. | ¹ Fields used to build a unique ID for a single cost record. Every record in your cost details file should be considered unique. 
diff --git a/articles/cost-management-billing/manage/ea-pricing-overview.md b/articles/cost-management-billing/manage/ea-pricing-overview.md index 61f61dc77936d..523e43b39f296 100644 --- a/articles/cost-management-billing/manage/ea-pricing-overview.md +++ b/articles/cost-management-billing/manage/ea-pricing-overview.md 
@@ -24,13 +24,18 @@ As a customer or a channel partner, you're guaranteed to receive prices at or be The price is referred to as the baseline price. Here are more details about the coverage start date: - The coverage start date is based on the usage date for the purchase order. If the usage date is the first day of the month, the coverage start date is the first day of that month. If the usage date is the second day of the month or later, the coverage start date is the first day of the *following month*. If you need to backdate the coverage date, contact your partner or Software Advisor. + + - The price guarantee start date is set in the month of the coverage start date if you purchased Azure Prepayment more than 30 days from the agreement start date. + + For example, assume you purchased prepayment with a coverage start date of April 1, 2023. Your agreement start date is March 1, 2023. The gap between the coverage start date and the agreement start date is **more than 30 days**. So, your price guarantee start date is set to April 1, 2023. + - The price guarantee start date is set in the month before the coverage start date if you purchased Monetary commitment within the first 30 days of the agreement start date. For example, assume you purchased prepayment with a coverage start date of April 1, 2023. Your agreement start date is March 27, 2023. The gap between the coverage start date and the agreement start date is less than 30 days. So, your price guarantee start date is set to March 1, 2023. If you have questions about price protection, contact your partner or Software Advisor. -For services introduced after your Azure purchase, you're charged the price that's in effect at the applicable level discount when the service is first introduced. The price protection applies during your Prepayment term - one or three years depending upon your Enterprise Agreement. 
+For services introduced after your Azure purchase, you're charged the price that's in effect at the applicable level discount when the service is first introduced. The price protection applies during your Prepayment term - one or three years depending upon your Enterprise Agreement. For more information about prepayment provisioning, [Azure EA agreements and amendments](ea-portal-agreements.md#enrollment-provisioning-status). ## Price changes @@ -63,7 +68,7 @@ Enterprise administrators can create subscriptions. They can also enable account ## Credit process - EA customers are eligible to receive service credit when they experience an SLA breach or a system issue that affects their Azure services. -- Service credit isn’t refund issued as cash. Instead, service credit is issued in the form of a credit that can be applied to future Azure usage. +- Service credit isn’t a refund issued as cash. Instead, service credit is issued in the form of a credit that can be applied to future Azure usage. - To request a service credit, indirect EA customers must contact their partner administrator, who is the authorized representative of the EA enrollment. diff --git a/articles/ddos-protection/manage-ddos-ip-protection-cli.md b/articles/ddos-protection/manage-ddos-ip-protection-cli.md index 2975320ad35d7..86b26b9561724 100644 --- a/articles/ddos-protection/manage-ddos-ip-protection-cli.md +++ b/articles/ddos-protection/manage-ddos-ip-protection-cli.md @@ -5,7 +5,7 @@ author: AbdullahBell ms.author: abell ms.service: ddos-protection ms.topic: quickstart -ms.date: 04/04/2023 +ms.date: 03/18/2024 ms.custom: template-quickstart, devx-track-azurecli --- diff --git a/articles/ddos-protection/manage-ddos-ip-protection-portal.md b/articles/ddos-protection/manage-ddos-ip-protection-portal.md index b884f9203de0f..6fc0d313bcaaf 100644 --- a/articles/ddos-protection/manage-ddos-ip-protection-portal.md +++ b/articles/ddos-protection/manage-ddos-ip-protection-portal.md 
@@ -5,7 +5,7 @@ author: AbdullahBell ms.author: abell ms.service: ddos-protection ms.topic: quickstart -ms.date: 06/22/2023 +ms.date: 03/01/2024 ms.custom: template-quickstart --- diff --git a/articles/ddos-protection/manage-ddos-ip-protection-template.md b/articles/ddos-protection/manage-ddos-ip-protection-template.md index 414b5589fe602..ff91361629d59 100644 --- a/articles/ddos-protection/manage-ddos-ip-protection-template.md +++ b/articles/ddos-protection/manage-ddos-ip-protection-template.md @@ -7,7 +7,7 @@ ms.service: ddos-protection ms.topic: quickstart ms.custom: mode-arm, devx-track-arm-template ms.author: abell -ms.date: 03/08/2023 +ms.date: 03/18/2024 --- # Quickstart: Create and configure Azure DDoS IP Protection using ARM template diff --git a/articles/ddos-protection/manage-ddos-protection-powershell-ip.md b/articles/ddos-protection/manage-ddos-protection-powershell-ip.md index cd47e7f53199b..bc63c24d8d89c 100644 --- a/articles/ddos-protection/manage-ddos-protection-powershell-ip.md +++ b/articles/ddos-protection/manage-ddos-protection-powershell-ip.md @@ -1,11 +1,11 @@ --- -title: 'Quickstart: Create and configure Azure DDoS IP Protection Preview - PowerShell' -description: Learn how to create Azure DDoS IP Protection Preview using PowerShell +title: 'Quickstart: Create and configure Azure DDoS IP Protection - PowerShell' +description: Learn how to create Azure DDoS IP Protection using PowerShell author: AbdullahBell ms.author: abell ms.service: ddos-protection ms.topic: quickstart -ms.date: 04/04/2023 +ms.date: 03/18/2024 ms.custom: template-quickstart, devx-track-azurepowershell --- diff --git a/articles/ddos-protection/manage-ddos-protection-terraform.md b/articles/ddos-protection/manage-ddos-protection-terraform.md index a537b662de10c..5004eba9adad2 100644 --- a/articles/ddos-protection/manage-ddos-protection-terraform.md +++ b/articles/ddos-protection/manage-ddos-protection-terraform.md 
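Review bot: The manage-ddos-protection-powershell-ip.md hunk drops "Preview" from the title and description, but only the front matter is in the diff; confirm the article body no longer describes the feature as a preview, and check the CLI, portal and template quickstarts in this same change (which only get ms.date bumps here) for the same wording, otherwise the titles and the content disagree.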
@@ -6,7 +6,7 @@ ms.service: ddos-protection ms.topic: quickstart ms.custom: devx-track-terraform ms.author: tarcher -ms.date: 4/14/2023 +ms.date: 3/18/2024 content_well_notification: - AI-contribution ai-usage: ai-assisted diff --git a/articles/ddos-protection/media/manage-ddos-ip-protection-portal/ddos-protection-protected-status.png b/articles/ddos-protection/media/manage-ddos-ip-protection-portal/ddos-protection-protected-status.png index d9f2dfa538d25..27cd463ad86f4 100644 Binary files a/articles/ddos-protection/media/manage-ddos-ip-protection-portal/ddos-protection-protected-status.png and b/articles/ddos-protection/media/manage-ddos-ip-protection-portal/ddos-protection-protected-status.png differ diff --git a/articles/ddos-protection/media/manage-ddos-ip-protection-portal/ddos-protection-select-status.png b/articles/ddos-protection/media/manage-ddos-ip-protection-portal/ddos-protection-select-status.png index 9925c32166fc2..568b174d65881 100644 Binary files a/articles/ddos-protection/media/manage-ddos-ip-protection-portal/ddos-protection-select-status.png and b/articles/ddos-protection/media/manage-ddos-ip-protection-portal/ddos-protection-select-status.png differ diff --git a/articles/ddos-protection/media/manage-ddos-ip-protection-portal/ddos-protection-view-status.png b/articles/ddos-protection/media/manage-ddos-ip-protection-portal/ddos-protection-view-status.png index 880046694cafc..65ec6da60cbf4 100644 Binary files a/articles/ddos-protection/media/manage-ddos-ip-protection-portal/ddos-protection-view-status.png and b/articles/ddos-protection/media/manage-ddos-ip-protection-portal/ddos-protection-view-status.png differ diff --git a/articles/defender-for-cloud/exempt-resource.md b/articles/defender-for-cloud/exempt-resource.md index c7d0566d981a2..5a6416b2a30d6 100644 --- a/articles/defender-for-cloud/exempt-resource.md +++ b/articles/defender-for-cloud/exempt-resource.md 
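Review bot: Style point in the manage-ddos-protection-terraform.md hunk: ms.date is written "3/18/2024" while the sibling DDoS files in this change use the zero-padded "03/18/2024"; use the same format across the set.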
@@ -32,6 +32,10 @@ This feature is in preview. [!INCLUDE [Legalese](../../includes/defender-for-clo - To create a rule, you need permissions to edit policies in Azure Policy. [Learn more](../governance/policy/overview.md#azure-rbac-permissions-in-azure-policy). - You can create exemptions for recommendations included in Defender for Cloud's default [Microsoft cloud security benchmark](/security/benchmark/azure/introduction) standard, or any of the supplied regulatory standards. +> +> [!NOTE] +> The Defender for Cloud exemption relies on Microsoft Cloud Security Benchmark (MCSB) initiative to evaluate and retrieve resources compliance state on the Defender for Cloud portal. If the MCSB is missing, the portal will partially work and some resources may not appear. + - Some recommendations included in Microsoft cloud security benchmark do not support exemptions, a list of those recommendations can be found [here](faq-general.yml) - Recommendations included in multiple policy initiatives must [all be exempted](faq-general.yml) diff --git a/articles/expressroute/expressroute-about-virtual-network-gateways.md b/articles/expressroute/expressroute-about-virtual-network-gateways.md index d7e55b7229982..f4d76a73cf688 100644 --- a/articles/expressroute/expressroute-about-virtual-network-gateways.md +++ b/articles/expressroute/expressroute-about-virtual-network-gateways.md @@ -5,7 +5,7 @@ services: expressroute author: duongau ms.service: expressroute ms.topic: conceptual -ms.date: 01/25/2024 +ms.date: 03/18/2024 ms.author: duau ms.custom: ignite-2023 --- 
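Review bot: The added NOTE in exempt-resource.md starts with a bare "+>" line before "> [!NOTE]", which renders as an empty blockquote; drop it. The note is also too vague to act on: "If the MCSB is missing, the portal will partially work and some resources may not appear" should say what "missing" means (presumably the Microsoft cloud security benchmark initiative not being assigned at the subscription or management group scope being viewed) and what the reader should do about it (assign it before creating exemptions). That matters here because an exemption that silently doesn't cover a resource is a security gap, not a cosmetic one. Grammar while you are in there: "relies on the Microsoft cloud security benchmark (MCSB) initiative" and "retrieve the compliance state of resources".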
@@ -193,15 +193,18 @@ ErGwScale is free of charge during public preview. For information about Express | Scale unit | Bandwidth (Gbps) | Packets per second | Connections per second | Maximum VM connections | Maximum number of flows | |--|--|--|--|--|--| -| 1 | 1 | 100,000 | 7,000 | 2,000 | 100,000 | +| 1-10 | 1 | 100,000 | 7,000 | 2,000 | 100,000 | +| 11-40 | 1 | 100,000 | 7,000 | 1,000 | 100,000 | #### Sample performance with scale unit -| Scale unit | Bandwidth (Gbps) | Packets per second | Connections per second | Maximum VM connections | Maximum number of flows | +| Scale unit | Bandwidth (Gbps) | Packets per second | Connections per second | Maximum VM connections 1 | Maximum number of flows | |--|--|--|--|--|--| | 10 | 10 | 1,000,000 | 70,000 | 20,000 | 1,000,000 | -| 20 | 20 | 2,000,000 | 140,000 | 40,000 | 2,000,000 | -| 40 | 40 | 4,000,000 | 280,000 | 80,000 | 4,000,000 | +| 20 | 20 | 2,000,000 | 140,000 | 30,000 | 2,000,000 | +| 40 | 40 | 4,000,000 | 280,000 | 50,000 | 4,000,000 | + +1 Maximum VM connections scales differently beyond 10 scale units. The first 10 scale units will provide capacity for 2,000 VMs per scale unit. Scale units 11 and above will provide 1,000 additional VM capacity per scale unit. ## Next steps diff --git a/articles/expressroute/expressroute-locations.md b/articles/expressroute/expressroute-locations.md index 75f6429c27865..d316171f6c06a 100644 --- a/articles/expressroute/expressroute-locations.md +++ b/articles/expressroute/expressroute-locations.md @@ -185,7 +185,7 @@ The following table shows locations by service provider. If you want to view ava | **[Viasat](https://news.viasat.com/newsroom/press-releases/viasat-introduces-direct-cloud-connect-a-new-service-providing-fast-secure-private-connections-to-business-critical-cloud-services)** | Supported | Supported | Washington DC2 | | **[Vocus Group NZ](https://www.vocus.co.nz/business/cloud-data-centres)** | Supported | Supported | Auckland
Sydney | | **Vodacom** | Supported | Supported | Cape Town
Johannesburg| -| **[Vodafone](https://www.vodafone.com/business/global-enterprise/global-connectivity/vodafone-ip-vpn-cloud-connect)** | Supported | Supported | Amsterdam2
Chicago
Dallas
Hong Kong2
London
London2
Milan
Silicon Valley
Singapore | +| **[Vodafone](https://www.vodafone.com/business/solutions/fixed-connectivity/global-LAN-WLAN-services/APM)** | Supported | Supported | Amsterdam2
Chicago
Dallas
Hong Kong2
London
London2
Milan
Silicon Valley
Singapore | | **[Vi (Vodafone Idea)](https://www.myvi.in/business/enterprise-solutions/connectivity/vpn-extended-connect)** | Supported | Supported | Chennai
Mumbai2 | | **Vodafone Qatar** | Supported | Supported | Doha | | **XL Axiata** | Supported | Supported | Jakarta | diff --git a/articles/governance/policy/samples/built-in-initiatives.md b/articles/governance/policy/samples/built-in-initiatives.md index adbb0d6e707f4..181d67d127b00 100644 --- a/articles/governance/policy/samples/built-in-initiatives.md +++ b/articles/governance/policy/samples/built-in-initiatives.md @@ -1,7 +1,7 @@ --- title: List of built-in policy initiatives description: List built-in policy initiatives for Azure Policy. Categories include Regulatory Compliance, Guest Configuration, and more. -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- diff --git a/articles/governance/policy/samples/built-in-policies.md b/articles/governance/policy/samples/built-in-policies.md index 07e10f7374259..324a67900f3ba 100644 --- a/articles/governance/policy/samples/built-in-policies.md +++ b/articles/governance/policy/samples/built-in-policies.md @@ -1,7 +1,7 @@ --- title: List of built-in policy definitions description: List built-in policy definitions for Azure Policy. Categories include Tags, Regulatory Compliance, Key Vault, Kubernetes, Guest Configuration, and more. -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.topic: sample ms.custom: generated --- @@ -158,6 +158,10 @@ The name of each built-in links to the policy definition in the Azure portal. Us [!INCLUDE [azure-policy-reference-policies-desktop-virtualization](../../../../includes/policy/reference/bycat/policies-desktop-virtualization.md)] +## DevCenter + +[!INCLUDE [azure-policy-reference-policies-devcenter](../../../../includes/policy/reference/bycat/policies-devcenter.md)] + ## ElasticSan [!INCLUDE [azure-policy-reference-policies-elasticsan](../../../../includes/policy/reference/bycat/policies-elasticsan.md)] 
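Review bot: In the expressroute-about-virtual-network-gateways.md scale-unit hunk, the footnote marker is a plain "1" appended to the header ("Maximum VM connections 1") and to the footnote line, so it reads as part of the text; write it as a superscript (`<sup>1</sup>`) in both places. The first table now lists ranges ("1-10", "11-40") under a "Scale unit" header while the numbers in each row are per unit; a "Per scale unit" header or a lead-in sentence would make that clear. The sample table does add up (20 units = 10 x 2,000 + 10 x 1,000 = 30,000; 40 units = 20,000 + 30,000 = 50,000). Minor: "will provide" twice in the footnote; present tense is the style used in the rest of the page.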
@@ -334,6 +338,10 @@ The name of each built-in links to the policy definition in the Azure portal. Us [!INCLUDE [azure-policy-reference-policies-tags](../../../../includes/policy/reference/bycat/policies-tags.md)] +## Trusted Launch + +[!INCLUDE [azure-policy-reference-policies-trusted-launch](../../../../includes/policy/reference/bycat/policies-trusted-launch.md)] + ## VirtualEnclaves [!INCLUDE [azure-policy-reference-policies-virtualenclaves](../../../../includes/policy/reference/bycat/policies-virtualenclaves.md)] diff --git a/articles/healthcare-apis/release-notes-2024.md b/articles/healthcare-apis/release-notes-2024.md index 84401f36151b6..18a88340fe5d1 100644 --- a/articles/healthcare-apis/release-notes-2024.md +++ b/articles/healthcare-apis/release-notes-2024.md 
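Review bot: The new DevCenter and Trusted Launch sections in built-in-policies.md pull in includes/policy/reference/bycat/policies-devcenter.md and policies-trusted-launch.md, but neither include file appears in this diff; confirm both were generated as part of the same change, otherwise the sections render empty or the build flags a missing include. Placement is correct (alphabetical between Desktop Virtualization and ElasticSan, and between Tags and VirtualEnclaves).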
@@ -15,6 +15,24 @@ ms.custom: references_regions This article describes features, enhancements, and bug fixes released in 2024 for the FHIR® service, DICOM® service, and MedTech service in Azure Health Data Services. +## March 2024 + +### DICOM service + +#### Integration with Azure Data Lake Storage is generally available + +Azure Data Lake Storage integration for the DICOM service in Azure Health Data Services is generally available. The DICOM service provides cloud-scale storage for medical imaging data using the DICOMweb standard. With the integration of Azure Data Lake Storage, organizations can enjoy full control over their imaging data and increased flexibility for accessing and working with that data through the Azure storage ecosystem and APIs. + +By using Azure Data Lake Storage with the DICOM service, organizations are able to: +- Enable direct access to medical imaging data stored by the DICOM service using Azure storage APIs and DICOMweb APIs, providing more flexibility to access and work with the data. +- Open medical imaging data up to the entire ecosystem of tools for working with Azure storage, including AzCopy, Azure Storage Explorer, and the Data Movement library. +- Unlock new analytics and AI/ML scenarios by using services that natively integrate with Azure Data Lake Storage, including Azure Synapse, Azure Databricks, Azure Machine Learning, and Microsoft Fabric. +- Grant controls to manage storage permissions, access controls, tiers, and rules. + +Learn more: +- [Manage medical imaging data with the DICOM service and Azure Data Lake Storage](https://learn.microsoft.com/azure/healthcare-apis/dicom/dicom-data-lake) +- [Deploy the DICOM service with Azure Data Lake Storage](https://learn.microsoft.com/azure/healthcare-apis/dicom/deploy-dicom-services-in-azure-data-lake) + ## February 2024 ### FHIR service diff --git a/articles/iot-edge/how-to-deploy-blob.md b/articles/iot-edge/how-to-deploy-blob.md index cdefedbddda2e..54a7028d226f6 100644 
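Review bot: The two "Learn more" links in the release-notes-2024.md hunk are absolute (https://learn.microsoft.com/azure/healthcare-apis/dicom/...) where every other in-repo link in this change is relative (ea-portal-agreements.md, faq-general.yml, module-composition.md); use relative links so link validation covers them. The bullet "Grant controls to manage storage permissions, access controls, tiers, and rules" is garbled; "Manage storage permissions, access control, tiers, and rules directly on the storage account" is what it is trying to say. And since the first bullet announces that imaging data is now reachable through Azure Storage APIs as well as DICOMweb, it is worth one sentence that access through the storage path is governed by the storage account's own RBAC and ACLs, which have to be locked down in step with the DICOM service's permissions.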
--- a/articles/iot-edge/how-to-deploy-blob.md +++ b/articles/iot-edge/how-to-deploy-blob.md @@ -1,9 +1,9 @@ --- -title: Deploy blob storage on module to your device - Azure IoT Edge -description: Deploy an Azure Blob Storage module to your IoT Edge device to store data at the edge. +title: Deploy blob storage on module to your device +description: Deploy and configure an Azure Blob Storage module to your IoT Edge device and store data at the edge. author: PatAltimore ms.author: patricka -ms.date: 02/14/2024 +ms.date: 03/18/2024 ms.topic: conceptual ms.service: iot-edge ms.reviewer: arduppal 
@@ -91,16 +91,12 @@ A deployment manifest is a JSON document that describes which modules to deploy, - Replace `` according to your container operating system. Provide the name of a [volume](https://docs.docker.com/storage/volumes/) or the absolute path to an existing directory on your IoT Edge device where the blob module stores its data. The storage mount maps a location on your device that you provide to a set location in the module. - - For Linux containers, the format is **\:/blobroot**. For example: - - use [volume mount](https://docs.docker.com/storage/volumes/): `my-volume:/blobroot` - - use [bind mount](https://docs.docker.com/storage/bind-mounts/): `/srv/containerdata:/blobroot`. Make sure to follow the steps to [grant directory access to the container user](how-to-store-data-blob.md#granting-directory-access-to-container-user-on-linux) - - For Windows containers, the format is **\:C:/BlobRoot**. For example: - - use [volume mount](https://docs.docker.com/storage/volumes/): `my-volume:C:/BlobRoot`. - - use [bind mount](https://docs.docker.com/storage/bind-mounts/): `C:/ContainerData:C:/BlobRoot`. - - Instead of using your local drive, you can map your SMB network location, for more information, see [using SMB share as your local storage](how-to-store-data-blob.md#using-smb-share-as-your-local-storage) + For Linux containers, the format is **\:/blobroot**. For example: + - Use [volume mount](https://docs.docker.com/storage/volumes/): `my-volume:/blobroot` + - Use [bind mount](https://docs.docker.com/storage/bind-mounts/): `/srv/containerdata:/blobroot`. Make sure to follow the steps to [grant directory access to the container user](how-to-store-data-blob.md#granting-directory-access-to-container-user-on-linux) > [!IMPORTANT] - > * Do not change the second half of the storage mount value, which points to a specific location in the Blob Storage on IoT Edge module. 
The storage mount must always end with **:/blobroot** for Linux containers and **:C:/BlobRoot** for Windows containers. + > * Do not change the second half of the storage mount value, which points to a specific location in the Blob Storage on IoT Edge module. The storage mount must always end with **:/blobroot** for Linux containers. > > * IoT Edge does not remove volumes attached to module containers. This behavior is by design, as it allows persisting the data across container instances such as upgrade scenarios. However, if these volumes are left unused, then it may lead to disk space exhaustion and subsequent system errors. If you use docker volumes in your scenario, then we encourage you to use docker tools such as [docker volume prune](https://docs.docker.com/engine/reference/commandline/volume_prune/) and [docker volume rm](https://docs.docker.com/engine/reference/commandline/volume_rm/) to remove the unused volumes, especially for production scenarios. 
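Review bot: With the Windows-container bullets removed in the how-to-deploy-blob.md hunk at line 91, the lead sentence "Replace `` according to your container operating system" no longer has anything to choose between; cut "according to your container operating system" and say plainly that the format is for Linux containers, which is what the rewritten IMPORTANT note already implies by dropping "C:/BlobRoot". The bind-mount bullet keeps only the link text "grant directory access to the container user"; a short in-line statement of what that access is (the host directory must be writable by the module's container user, not made world-writable) would stop readers from reaching for chmod 777 on /srv/containerdata. Also check how-to-store-data-blob.md, since the SMB-share section this hunk stops linking to may still describe the Windows path.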
@@ -138,7 +134,7 @@ A deployment manifest is a JSON document that describes which modules to deploy, :::image type="content" source="./media/how-to-deploy-blob/addmodule-tab4.png" alt-text="Screenshot showing the Module Twin Settings tab of the Add IoT Edge Module page."::: - For information on configuring deviceToCloudUploadProperties and deviceAutoDeleteProperties after your module has been deployed, see [Edit the Module Twin](https://github.com/Microsoft/vscode-azure-iot-toolkit/wiki/Edit-Module-Twin). For more information about desired properties, see [Define or update desired properties](module-composition.md#define-or-update-desired-properties). + For information on configuring deviceToCloudUploadProperties and deviceAutoDeleteProperties after your module is deployed, see [Edit the Module Twin](https://github.com/Microsoft/vscode-azure-iot-toolkit/wiki/Edit-Module-Twin). For more information about desired properties, see [Define or update desired properties](module-composition.md#define-or-update-desired-properties). 6. Select **Add**. @@ -161,7 +157,7 @@ After you create the deployment, you return to the **Devices** page of your IoT 1. Select the IoT Edge device that you targeted with the deployment to open its details. 1. In the device details, verify that the blob storage module is listed as both **Specified in deployment** and **Reported by device**. -It may take a few moments for the module to be started on the device and then reported back to IoT Hub. Refresh the page to see an updated status. +It might take a few moments for the module to be started on the device and then reported back to IoT Hub. Refresh the page to see an updated status. ## Deploy from Visual Studio Code 
@@ -215,16 +211,12 @@ Azure IoT Edge provides templates in Visual Studio Code to help you develop edge 1. Replace `` according to your container operating system. Provide the name of a [volume](https://docs.docker.com/storage/volumes/) or the absolute path to a directory on your IoT Edge device where you want the blob module to store its data. The storage mount maps a location on your device that you provide to a set location in the module. - - For Linux containers, the format is **\:/blobroot**. For example: - - use [volume mount](https://docs.docker.com/storage/volumes/): `my-volume:/blobroot` - - use [bind mount](https://docs.docker.com/storage/bind-mounts/): `/srv/containerdata:/blobroot`. Make sure to follow the steps to [grant directory access to the container user](how-to-store-data-blob.md#granting-directory-access-to-container-user-on-linux) - - For Windows containers, the format is **\:C:/BlobRoot**. For example: - - Use [volume mount](https://docs.docker.com/storage/volumes/): `my-volume:C:/BlobRoot`. - - Use [bind mount](https://docs.docker.com/storage/bind-mounts/): `C:/ContainerData:C:/BlobRoot`. - - Instead of using your local drive, you can map your SMB network location. For more information, see [using SMB share as your local storage](how-to-store-data-blob.md#using-smb-share-as-your-local-storage). + For Linux containers, the format is **\:/blobroot**. For example: + - Use [volume mount](https://docs.docker.com/storage/volumes/): `my-volume:/blobroot` + - Use [bind mount](https://docs.docker.com/storage/bind-mounts/): `/srv/containerdata:/blobroot`. Make sure to follow the steps to [grant directory access to the container user](how-to-store-data-blob.md#granting-directory-access-to-container-user-on-linux) > [!IMPORTANT] - > * Do not change the second half of the storage mount value, which points to a specific location in the Blob Storage on IoT Edge module. 
The storage mount must always end with **:/blobroot** for Linux containers and **:C:/BlobRoot** for Windows containers. + > * Do not change the second half of the storage mount value, which points to a specific location in the Blob Storage on IoT Edge module. The storage mount must always end with **:/blobroot** for Linux containers. > > * IoT Edge does not remove volumes attached to module containers. This behavior is by design, as it allows persisting the data across container instances such as upgrade scenarios. However, if these volumes are left unused, then it may lead to disk space exhaustion and subsequent system errors. If you use docker volumes in your scenario, then we encourage you to use docker tools such as [docker volume prune](https://docs.docker.com/engine/reference/commandline/volume_prune/) and [docker volume rm](https://docs.docker.com/engine/reference/commandline/volume_rm/) to remove the unused volumes, especially for production scenarios. 
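Review bot: Same problem in the Visual Studio Code section of how-to-deploy-blob.md at line 215: after removing the Windows-container bullets, "Replace `` according to your container operating system" has only one option left, so drop "according to your container operating system" and state that the mount format shown is for Linux containers. The bind-mount bullet would again benefit from saying in-line what "grant directory access to the container user" means (writable by the module's container user, not world-writable) rather than leaving it to the link.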
@@ -255,7 +247,7 @@ Azure IoT Edge provides templates in Visual Studio Code to help you develop edge :::image type="content" source="./media/how-to-deploy-blob/devicetocloud-deviceautodelete.png" alt-text="Screenshot showing how to set desired properties for azureblobstorageoniotedge in Visual Studio Code."::: - For information on configuring deviceToCloudUploadProperties and deviceAutoDeleteProperties after your module has been deployed, see [Edit the Module Twin](https://github.com/Microsoft/vscode-azure-iot-toolkit/wiki/Edit-Module-Twin). For more information about container create options, restart policy, and desired status, see [EdgeAgent desired properties](module-edgeagent-edgehub.md#edgeagent-desired-properties). + For information on configuring deviceToCloudUploadProperties and deviceAutoDeleteProperties after your module is deployed, see [Edit the Module Twin](https://github.com/Microsoft/vscode-azure-iot-toolkit/wiki/Edit-Module-Twin). For more information about container create options, restart policy, and desired status, see [EdgeAgent desired properties](module-edgeagent-edgehub.md#edgeagent-desired-properties). 1. Save the *deployment.template.json* file. @@ -304,7 +296,7 @@ In addition, a blob storage module also requires the HTTPS_PROXY setting in the 1. Select **Update**, then **Review + Create**. -1. Note that the proxy is added to the module in deployment manifest and select **Create**. +1. See the proxy is added to the module in deployment manifest and select **Create**. 1. Verify the setting by selecting the module from the device details page, and on the lower part of the **IoT Edge Modules Details** page select the **Environment Variables** tab. diff --git a/articles/key-vault/general/rbac-guide.md b/articles/key-vault/general/rbac-guide.md index 14195c09120b5..65ec6cb8ce337 100644 --- a/articles/key-vault/general/rbac-guide.md +++ b/articles/key-vault/general/rbac-guide.md 
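Review bot: In the how-to-deploy-blob.md hunk at line 304, "See the proxy is added to the module in deployment manifest and select **Create**." is not grammatical and loses the instruction the original "Note that" carried; use "Verify that the proxy is added to the module in the deployment manifest, and then select **Create**."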
@@ -16,7 +16,7 @@ ms.custom: "devx-track-azurepowershell, devx-track-azurecli" > Key Vault resource provider supports two resource types: **vaults** and **managed HSMs**. Access control described in this article only applies to **vaults**. To learn more about access control for managed HSM, see [Managed HSM access control](../managed-hsm/access-control.md). > [!NOTE] -> Azure App Service certificate configuration through Azure Portal does not support Key Vault RBAC permission model. You can use Azure PowerShell, Azure CLI, ARM template deployments with **Key Vault Certificates User** role assignment for App Service global identity, for example Microsoft Azure App Service' in public cloud. +> Azure App Service certificate configuration through Azure Portal does not support Key Vault RBAC permission model. You can use Azure PowerShell, Azure CLI, ARM template deployments with **Key Vault Certificate User** role assignment for App Service global identity, for example Microsoft Azure App Service' in public cloud. Azure role-based access control (Azure RBAC) is an authorization system built on [Azure Resource Manager](../../azure-resource-manager/management/overview.md) that provides fine-grained access management of Azure resources. diff --git a/articles/lab-services/class-type-ethical-hacking.md b/articles/lab-services/class-type-ethical-hacking.md index 6c569847f24da..25d8e22332ad3 100644 --- a/articles/lab-services/class-type-ethical-hacking.md +++ b/articles/lab-services/class-type-ethical-hacking.md 
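Review bot: The rename to "Key Vault Certificate User" in the rbac-guide.md NOTE matches the built-in role name, but the sentence still carries an unbalanced quote on both sides of the change: "for example Microsoft Azure App Service' in public cloud" should read "for example, 'Microsoft Azure App Service' in the public cloud". Because this assigns a certificate-read role to a Microsoft first-party service principal, the note should also say at what scope to assign it (the specific vault, or the certificate itself, rather than the subscription), since the role is only needed for the certificates App Service actually serves.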
@@ -1,73 +1,74 @@ --- title: Set up an ethical hacking lab titleSuffix: Azure Lab Services -description: Learn how to set up a lab to teach ethical hacking using Azure Lab Services. +description: Learn how to set up a lab to teach ethical hacking using Azure Lab Services. The lab includes nested VMs for students to use in a standard environment. services: lab-services ms.service: lab-services -author: ntrogh -ms.author: nicktrog +author: RoseHJM +ms.author: rosemalcolm ms.topic: how-to -ms.date: 01/24/2023 +ms.date: 03/04/2024 +#customer intent: As an administrator or educator, I want to set up a lab by using Azure Lab Services so that students can practice ethical hacking techniques. --- # Set up a lab to teach ethical hacking class by using Azure Lab Services -[!INCLUDE [preview note](./includes/lab-services-new-update-focused-article.md)] - -This article shows you how to set up a class that focuses on the forensics side of ethical hacking with Azure Lab Services. In an ethical hacking class, students can learn modern techniques for defending against vulnerabilities. Penetration testing, a practice that the ethical hacking community uses, occurs when someone attempts to gain access to the system or network to demonstrate vulnerabilities that a malicious attacker may exploit. +This article shows you how to set up a class that focuses on the forensics side of ethical hacking with Azure Lab Services. In an ethical hacking class, students can learn modern techniques for defending against vulnerabilities. Penetration testing, a practice that the ethical hacking community uses, occurs when someone attempts to gain access to the system or network to demonstrate vulnerabilities that a malicious attacker might exploit. -Each student gets a Windows host virtual machine (VM) that has two nested virtual machines: one VM with [Metasploitable3](https://github.com/rapid7/metasploitable3) image and another VM with the [Kali Linux](https://www.kali.org/) image. 
You use the Metasploitable VM for exploiting purposes. The Kali VM provides access to the tools you need to execute forensic tasks. - -This article has two main sections. The first section covers how to create the lab. The second section covers how to create the template machine with nested virtualization enabled and with the tools and images needed. In this case, a Metasploitable image and a Kali Linux image on a machine that has Hyper-V enabled to host the images. +Each student gets a Windows host virtual machine (VM) that has two nested virtual machines: one VM with Metasploitable3 image and another VM with the Kali Linux image. Use the Metasploitable VM to try exploitation tasks. The Kali VM provides access to the tools you need to run forensic tasks. ## Prerequisites -[!INCLUDE [must have subscription](./includes/lab-services-class-type-subscription.md)] - -[!INCLUDE [must have lab plan](./includes/lab-services-class-type-lab-plan.md)] +- [!INCLUDE [must have subscription](./includes/lab-services-class-type-subscription.md)] +- [!INCLUDE [must have lab plan](./includes/lab-services-class-type-lab-plan.md)] -## Lab configuration +## Configure your lab -[!INCLUDE [create lab](./includes/lab-services-class-type-lab.md)] Use the following settings when creating the lab. +[!INCLUDE [create lab](./includes/lab-services-class-type-lab.md)] Use the following settings when creating the lab. | Lab settings | Value | | ------------ | ------------------ | | Virtual machine (VM) size | Medium (Nested Virtualization) | | VM image | Windows 11 | -## Template machine configuration - -[!INCLUDE [configure template vm](./includes/lab-services-class-type-template-vm.md)] +[!INCLUDE [preview note](./includes/lab-services-new-update-focused-article.md)] -To configure the template VM, complete the following three tasks: +## Configure your template -1. Set up the machine for nested virtualization. You enable all the appropriate windows features, like Hyper-V. 
+[!INCLUDE [configure template vm](./includes/lab-services-class-type-template-vm.md)] -2. Set up the [Kali](https://www.kali.org/) Linux image. Kali is a Linux distribution that includes tools for penetration testing and security auditing. +To configure the template VM, complete the following tasks: -3. Set up the Metasploitable image. For this example, you use the [Metasploitable3](https://github.com/rapid7/metasploitable3) image. This image is created to purposely have security vulnerabilities. +- Set up the machine for nested virtualization. Enable all the appropriate windows features, like Hyper-V. +- Set up the [Kali](https://www.kali.org/) Linux image. Kali is a Linux distribution that includes tools for penetration testing and security auditing. +- Set up the Metasploitable image. For this example, use the [Metasploitable3](https://github.com/rapid7/metasploitable3) image. This image is created to purposely have security vulnerabilities. # [PowerShell](#tab/powershell) ### Prepare template machine for nested virtualization -```powershell -Invoke-WebRequest 'https://aka.ms/azlabs/scripts/hyperV-powershell' -Outfile SetupForNestedVirtualization.ps1 -.\SetupForNestedVirtualization.ps1 -``` +- Launch **PowerShell** in **Administrator** mode. Run these commands. + + ```powershell + Invoke-WebRequest 'https://aka.ms/azlabs/scripts/hyperV-powershell' -Outfile SetupForNestedVirtualization.ps1 + .\SetupForNestedVirtualization.ps1 + ``` + +> [!NOTE] +> The script might require the machine to restart. Follow instructions from the script and re-run the script until you see **Script completed** in the output. ### Set up nested virtual machine images Kali is a Linux distribution that includes tools for penetration testing and security auditing. -The Rapid7 Metasploitable image is an image purposely configured with security vulnerabilities. You use this image to test and find issues. The following instructions show you how to use a precreated Metasploitable image. 
However, if a newer version of the Metasploitable image is needed, see [https://github.com/rapid7/metasploitable3](https://github.com/rapid7/metasploitable3). +The Rapid7 Metasploitable image is an image purposely configured with security vulnerabilities. Use this image to test and find issues. The following instructions show you how to set up a particular Metasploitable image. If you need a newer version of the Metasploitable, see [https://github.com/rapid7/metasploitable3](https://github.com/rapid7/metasploitable3). -To install Kali Linux and Metasploitable on the template VM, run the following command: +- To install Kali Linux and Metasploitable on the template VM, run the following command: -```powershell -Invoke-WebRequest ' https://aka.ms/azlabs/scripts/EthicalHacking-powershell' -Outfile Setup-EthicalHacking.ps1 -.\Setup-EthicalHacking.ps1 -SwitchName 'Default Switch' -``` + ```powershell + Invoke-WebRequest ' https://aka.ms/azlabs/scripts/EthicalHacking-powershell' -Outfile Setup-EthicalHacking.ps1 + .\Setup-EthicalHacking.ps1 -SwitchName 'Default Switch' + ``` # [Windows tools](#tab/windows) 
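Review bot: In the class-type-ethical-hacking.md PowerShell tab, the second download has a leading space inside the quoted URL (`Invoke-WebRequest ' https://aka.ms/azlabs/scripts/EthicalHacking-powershell'`); it predates this change, but the lines are being re-indented anyway, so remove it and make the string exactly the URL. Both steps download a script through an aka.ms redirect and immediately run it in an Administrator PowerShell; for a security class it would be in keeping to point at the script's source repository so an educator can read what runs with admin rights before running it. Nits in the rewritten intro: "one VM with a Metasploitable3 image", "Windows features" (capitalized), and "a newer version of Metasploitable" rather than "of the Metasploitable".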
@@ -79,71 +80,85 @@ Follow the instructions to [enable nested virtualization](how-to-enable-nested-v Kali is a Linux distribution that includes tools for penetration testing and security auditing. To install the Kali nested VM on the template VM: -1. Connect to the template VM by using remote desktop. +1. Connect to the template VM by using Remote Desktop. -1. Download the image from [Offensive Security Kali Linux VM images](https://www.kali.org/get-kali/#kali-virtual-machines). Remember the default username and password are noted on the download page. - 1. Download the **Kali Linux Hyper-V 64-Bit (7z)** image for Hyper-V. - 1. Extract the .7z file. If you don’t already have 7-zip, download it from [https://www.7-zip.org/download.html](https://www.7-zip.org/download.html). +1. Download the image from [Offensive Security Kali Linux VM images](https://www.kali.org/get-kali/#kali-virtual-machines). The default username and password are noted on the download page. -1. Follow the instructions to [import a premade Kali Linux image](https://www.kali.org/docs/virtualization/import-premade-hyperv/) into Hyper-V. + 1. Download the **Kali Linux Hyper-V 64-Bit (7z)** image for Hyper-V. + 1. Extract the .7z file. If you don’t already have 7-zip, download it from [https://www.7-zip.org/download.html](https://www.7-zip.org/download.html). -1. The Kali-Linux image is now ready for use. From **Hyper-V Manager**, choose **Action** -> **Start**, then choose **Action** -> **Connect** to connect to the virtual machine. The default username is `kali` and the password is `kali`. +1. Follow the instructions to [import a premade Kali image](https://www.kali.org/docs/virtualization/import-premade-hyperv/) into Hyper-V. + +1. The Kali image is now ready for use. From **Hyper-V Manager**, choose **Action** > **Start**, then choose **Action** > **Connect** to connect to the virtual machine. The default username is `kali` and the password is `kali`. 
### Set up a nested VM with Metasploitable image -The Rapid7 Metasploitable image is an image purposely configured with security vulnerabilities. You use this image to test and find issues. The following instructions show you how to use a precreated Metasploitable image. However, if a newer version of the Metasploitable image is needed, see [https://github.com/rapid7/metasploitable3](https://github.com/rapid7/metasploitable3). +The Rapid7 Metasploitable image is an image purposely configured with security vulnerabilities. Use this image to test and find issues. The following instructions show you how to set up a particular Metasploitable image. If you need a newer version of the Metasploitable, see [https://github.com/rapid7/metasploitable3](https://github.com/rapid7/metasploitable3). To install the Metasploitable nested VM on the template VM: -1. Connect to the template VM by using remote desktop. +1. Connect to the template VM by using Remote Desktop. 1. Download the Metasploitable image. - 1. Navigate to [https://information.rapid7.com/download-metasploitable-2017.html](https://information.rapid7.com/download-metasploitable-2017.html). Fill out the form to download the image and select the **Submit** button. - > [!NOTE] - > You can check for newer versions of the Metasploitable image at [https://github.com/rapid7/metasploitable3](https://github.com/rapid7/metasploitable3). + 1. Navigate to [https://information.rapid7.com/download-metasploitable-2017.html](https://information.rapid7.com/download-metasploitable-2017.html). Fill out the form to download the image and select the **Submit** button. + + > [!NOTE] + > You can check for newer versions of the Metasploitable image at [https://github.com/rapid7/metasploitable3](https://github.com/rapid7/metasploitable3). + + 1. Select **Download Metasploitable Now**. + 1. When the download finishes, extract the zip file, and remember the location of the *Metasploitable.vmdk* file. - 2. 
Select the **Download Metasploitable Now** button. - 3. When the download finishes, extract the zip file, and remember the location of the *Metasploitable.vmdk* file. +1. Convert the extracted *.vmdk* file to a Hyper-V *.vhdx* file with StarWind V2V Converter. -1. Convert the extracted vmdk file to a Hyper-V vhdx file with StarWind V2V Converter. - 1. Download and install [StarWind V2V Converter](https://www.starwindsoftware.com/starwind-v2v-converter#download). - 1. Start **StarWind V2V Converter**. - 1. On the **Select location of image to convert** page, choose **Local file**. Select **Next**. - 1. On the **Source image** page, navigate to and select the Metasploitable.vmdk extracted in the previous step for the **File name** setting. Select **Next**. - 1. On the **Select location of destination image**, choose **Local file**. Select **Next**. - 1. On the **Select destination image format** page, choose **VHD/VHDX**. Select **Next**. - 1. On the **Select option for VHD/VHDX image format** page, choose **VHDX growable image**. Select **Next**. - 1. On the **Select destination file name** page, accept the default file name. Select **Convert**. - 1. On the **Converting** page, wait for the image to be converted. Conversion can take several minutes. Select **Finish** when the conversion is completed. + 1. Download and install [StarWind V2V Converter](https://www.starwindsoftware.com/starwind-v2v-converter#download). + 1. Start **StarWind V2V Converter**. + 1. On the **Select the location of image to convert** page, choose **Local file**. Select **Next**. + 1. On the **Source image** page, navigate to and select *Metasploitable.vmdk* extracted in the previous step for the **File name** setting. Select **Next**. + 1. On the **Select the location of destination image**, choose **Local file**. Select **Next**. + 1. On the **Select destination image format** page, choose **VHD/VHDX**. Select **Next**. + 1. 
On the **Select option for VHD/VHDX image format** page, choose **VHDX growable image**. Select **Next**. + 1. On the **Select destination file name** page, accept the default file name. Select **Convert**. + 1. On the **Converting** page, wait for the image to be converted. Conversion can take several minutes. Select **Finish** when the conversion is completed. 1. Create a new Hyper-V virtual machine. - 1. Open **Hyper-V Manager**. - 1. Choose **Action** -> **New** -> **Virtual Machine**. - 1. On the **Before You Begin** page of the **New Virtual Machine Wizard**, select **Next**. - 1. On the **Specify Name and Location** page, enter **Metasploitable** for the **name**, and select **Next**. - :::image type="content" source="./media/class-type-ethical-hacking/new-vm-wizard-1.png" alt-text="Screenshot of New Virtual Machine Wizard in Hyper V."::: - 1. On the **Specify Generation** page, accept the defaults, and select **Next**. - 1. On the **Assign Memory** page, enter **512 MB** for the **startup memory**, and select **Next**. - :::image type="content" source="./media/class-type-ethical-hacking/assign-memory-page.png" alt-text="Screenshot of Assign Memory page of New Virtual Machine Wizard in Hyper V."::: - 1. On the **Configure Networking** page, leave the connection as **Not Connected**. You'll set the network adapter later. - 1. On the **Connect Virtual Hard Disk** page, select **Use an existing virtual hard disk**. Browse to the location for the **metasploitable.vhdx** file created in the previous step, and select **Next**. - :::image type="content" source="./media/class-type-ethical-hacking/connect-virtual-network-disk.png" alt-text="Screenshot of Connect Virtual Hard Disk page of New Virtual Machine Wizard in Hyper V."::: - 1. On the **Completing the New Virtual Machine Wizard** page, and select **Finish**. - 1. Once the virtual machine is created, select it in the Hyper-V Manager. Don't turn on the machine yet. - 1. Choose **Action** -> **Settings**. - 1. 
On the **Settings for Metasploitable** dialog for, select **Add Hardware**. - 1. Select **Legacy Network Adapter**, and select **Add**. - :::image type="content" source="./media/class-type-ethical-hacking/network-adapter-page.png" alt-text="Screenshot of settings dialog for Hyper V VM."::: - 1. On the **Legacy Network Adapter** page, select **Default Switch** for the **Virtual Switch** setting, and select **OK**. - :::image type="content" source="./media/class-type-ethical-hacking/legacy-network-adapter-page.png" alt-text="Screenshot of Legacy Network adapter settings page for Hyper V VM."::: - 1. The Metasploitable image is now ready for use. From **Hyper-V Manager**, choose **Action** -> **Start**, then choose **Action** -> **Connect** to connect to the virtual machine. The default username is `msfadmin` and the password is `msfadmin`. + + 1. Open **Hyper-V Manager**. + 1. Choose **Action** > **New** > **Virtual Machine**. + 1. On the **Before You Begin** page of the **New Virtual Machine Wizard**, select **Next**. + 1. On the **Specify Name and Location** page, enter **Metasploitable** for the **name**, and select **Next**. + + :::image type="content" source="./media/class-type-ethical-hacking/new-vm-wizard-1.png" alt-text="Screenshot of New Virtual Machine Wizard in Hyper-V." lightbox="./media/class-type-ethical-hacking/new-vm-wizard-1.png"::: + + 1. On the **Specify Generation** page, accept the defaults, and select **Next**. + 1. On the **Assign Memory** page, enter **512 MB** for the **startup memory**, and select **Next**. + + :::image type="content" source="./media/class-type-ethical-hacking/assign-memory-page.png" alt-text="Screenshot of Assign Memory page of New Virtual Machine Wizard in Hyper-V." lightbox="./media/class-type-ethical-hacking/assign-memory-page.png"::: + + 1. On the **Configure Networking** page, leave the connection as **Not Connected**. Set the network adapter later. + 1. 
On the **Connect Virtual Hard Disk** page, select **Use an existing virtual hard disk**. Browse to the location for the *Metasploitable.vhdx* file in the previous step, and select **Next**. + + :::image type="content" source="./media/class-type-ethical-hacking/connect-virtual-network-disk.png" alt-text="Screenshot of Connect Virtual Hard Disk page of New Virtual Machine Wizard in Hyper-V." lightbox="./media/class-type-ethical-hacking/connect-virtual-network-disk.png"::: + + 1. On the **Completing the New Virtual Machine Wizard** page, and select **Finish**. + 1. After the virtual machine is created, select it in the Hyper-V Manager. Don't turn on the VM yet. + 1. Choose **Action** > **Settings**. + 1. On the **Settings for Metasploitable** page, select **Add Hardware**. + 1. Select **Legacy Network Adapter**, and select **Add**. + + :::image type="content" source="./media/class-type-ethical-hacking/network-adapter-page.png" alt-text="Screenshot of settings dialog for Hyper-V VM." lightbox="./media/class-type-ethical-hacking/network-adapter-page.png"::: + + 1. On the **Legacy Network Adapter** page, select **Default Switch** for the **Virtual Switch** setting, and select **OK**. + + :::image type="content" source="./media/class-type-ethical-hacking/legacy-network-adapter-page.png" alt-text="Screenshot of Legacy Network adapter settings page for Hyper-V VM." lightbox="./media/class-type-ethical-hacking/legacy-network-adapter-page.png"::: + + 1. The Metasploitable image is now ready for use. From **Hyper-V Manager**, choose **Action** > **Start**, then choose **Action** > **Connect** to connect to the virtual machine. The default username is `msfadmin` and the password is `msfadmin`. --- The template is now updated and has the nested VM images needed for an ethical hacking penetration testing class: an image with tools to do the penetration testing, and another image with security vulnerabilities to discover. 
You can now [publish the template VM](how-to-create-manage-template.md#publish-the-template-vm) to the class. -## Cost +## Estimate cost If you would like to estimate the cost of this lab, you can use the following example: @@ -151,13 +166,11 @@ For a class of 25 students with 20 hours of scheduled class time and 10 hours of 25 students \* (20 + 10) hours \* 55 Lab Units \* 0.01 USD per hour = 412.50 USD ->[!IMPORTANT] ->This cost estimate is for example purposes only. For current details on pricing, see [Azure Lab Services Pricing](https://azure.microsoft.com/pricing/details/lab-services/). +> [!IMPORTANT] +> This cost estimate is for example purposes only. For current details on pricing, see [Azure Lab Services Pricing](https://azure.microsoft.com/pricing/details/lab-services/). -## Conclusion +## Related content In this article, you went through the steps to create a lab for ethical hacking class. The lab VM contains two nested virtual machines to practice penetrating testing. -## Next steps - [!INCLUDE [next steps for class types](./includes/lab-services-class-type-next-steps.md)] diff --git a/articles/lab-services/classroom-labs-scenarios.md b/articles/lab-services/classroom-labs-scenarios.md index 0862453cb5db5..a37b4e823b186 100644 --- a/articles/lab-services/classroom-labs-scenarios.md +++ b/articles/lab-services/classroom-labs-scenarios.md 
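Review bot: Several step sentences in the rewritten Metasploitable procedure are still ungrammatical: "On the **Completing the New Virtual Machine Wizard** page, and select **Finish**" has a dangling "and"; "On the **Select the location of destination image**, choose **Local file**" is missing "page"; and "Browse to the location for the *Metasploitable.vhdx* file in the previous step" lost "created" in the rewrite, so it no longer says where the file came from. Also, since the text describes the image as purposely configured with security vulnerabilities and the steps attach it to **Default Switch**, consider adding a sentence that the nested VM is meant to stay confined to the virtual network inside the lab VM and should not be connected to anything beyond it.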
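Review bot: Under the renamed **Related content** heading, the first paragraph is still the old conclusion ("In this article, you went through the steps to create a lab for ethical hacking class...") rather than a list of related links; either move it above the heading as a closing sentence or drop it. In that sentence, "penetrating testing" should be "penetration testing" and "for ethical hacking class" should be "for an ethical hacking class".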
@@ -1,80 +1,83 @@ --- -title: Use labs for trainings +title: Organizational role concepts for trainings titleSuffix: Azure Lab Services description: This article describes how to use Azure DevTest Labs for creating labs on Azure for training scenarios. services: lab-services ms.service: lab-services -author: ntrogh -ms.author: nicktrog -ms.topic: conceptual -ms.date: 04/04/2023 +author: RoseHJM +ms.author: rosemalcolm +ms.topic: concept-article +ms.date: 03/07/2024 +#customer intent: As a training specialist, I want to learn how organizational roles map to permissions, so that I can determine the roles and responsibilities for setting up a training environment for my enterprise. --- -# Use labs for trainings +# Organizational role concepts for trainings in Azure Lab Services -In this article, you learn about the different features and steps for using Azure Lab Services for conducting classes. Azure Lab Services allows educators (teachers, professors, trainers, or teaching assistants, etc.) to quickly and easily create an online lab to provision preconfigured learning environments for the trainees. Each trainee can use identical and isolated environments for the training. Apply policies to ensure that the training environments are available to each trainee only when they need them, and contain enough resources - such as virtual machines - required for the training. +In this article, you learn about the different features and steps for using Azure Lab Services for conducting classes. Azure Lab Services supports educators, such as teachers, professors, training specialists, trainers, and teaching assistants. An educator can quickly and easily create an online lab to provision preconfigured learning environments for the trainees. 
-:::image type="content" source="./media/classroom-labs-scenarios/classroom.png" alt-text="Conceptual artwork that shows a teacher and students in a classroom, using Azure Lab Services."::: +:::image type="content" source="./media/classroom-labs-scenarios/classroom.png" alt-text="Conceptual artwork that shows a teacher and students in a classroom, using Azure Lab Services." lightbox="./media/classroom-labs-scenarios/classroom.png"::: + +Each trainee can use identical and isolated environments for the training. Educators can apply policies to ensure that the training environments are available to each trainee only when they need them. The environments contain enough resources, such as virtual machines, required for the training. + +## Mapping organizational roles to permissions Labs meet the following requirements for conducting training in any virtual environment: - Trainees can quickly provision their training environments -- Every training machine should be identical +- Every training machine is identical - Trainees can't see VMs created by other trainees -- Control cost by ensuring that trainees can't get more VMs than they need for the training and also shutdown VMs when they aren't using them -- Easily share the training lab with each trainee -- Reuse the training lab again and again - -## Mapping organizational roles to permissions +- You can control cost by ensuring that trainees can't get more VMs than they need for the training and also shutdown VMs when they aren't in use +- You can easily share the training lab with each trainee +- You can reuse the training lab again and again -Azure Lab Services uses Azure Role-Based Access (Azure RBAC) to manage access to Azure Lab Services. For more information, see the [Azure Lab Services built-in roles](./administrator-guide.md#rbac-roles). Using Azure RBAC lets you clearly separate roles and responsibilities for creating and managing labs across different teams and people in your organization. 
+Azure Lab Services uses Azure Role-Based Access (Azure RBAC) to manage access to Azure Lab Services. For more information, see the [Azure Lab Services built-in roles](./administrator-guide.md#rbac-roles). Azure RBAC lets you clearly separate roles and responsibilities for creating and managing labs across different teams and people in your organization. -Depending on your organizational structure, responsibilities, and skill level, there might be different options to map these permissions to your organizational roles or personas, such as administrators, or educators. The scenarios and diagrams also include students to show where they fit in the process, although they don't require Microsoft Entra permissions. +Depending on your organizational structure, responsibilities, and skill level, there might be different options to map these permissions to your roles or personas, such as administrators or educators. These scenarios and diagrams also include students to show where they fit in the process, although they don't require Microsoft Entra permissions. The following sections give different examples of assigning permissions across an organization. Azure Lab Services enables you to flexibly assign permissions beyond these typical scenarios to match your organizational setup. ### Scenario 1: Splitting responsibilities between IT department and educators -In this scenario, the IT department, service providers, or administrators manage the Azure subscription(s). They're responsible for creating the Azure Lab Services lab plan and then grant the educators permission to create labs in the lab plan. The educator invites students to register for and connect to a lab VM. +In this scenario, the IT department, service providers, or administrators manage the Azure subscriptions. They're responsible for creating the Azure Lab Services lab plan. Then, they grant the permission to create labs in the lab plan. The educator invites students to register and connect to a lab VM. 
-In your organization structure, the administrator activities might be further split across subteams. For example, one team might be responsible for the configuration of virtual networks for advanced networking (central IT). And the creation of the lab plan and other Azure resources might be the responsibility of another team (department IT). +In your organization, you might further split the administrator activities across teams. For example, one team might be responsible for the configuration of virtual networks for advanced networking (central IT). The creation of the lab plan and other Azure resources might be the responsibility of another team (department IT). Get started as an administrator with the [Quickstart: set up the resources for creating labs](./quick-create-resources.md). Get started as an educator with the [Tutorial: set up a lab for classroom training](./tutorial-setup-lab.md). -:::image type="content" source="./media/classroom-labs-scenarios/lab-services-process-education-roles-scenario1.png" alt-text="Diagram that shows lab creation steps where admins create the lab plan and educators create the lab."::: +:::image type="content" source="./media/classroom-labs-scenarios/lab-services-process-education-roles-scenario1.png" alt-text="Diagram that shows lab creation steps where admins create the lab plan and educators create the lab." lightbox="./media/classroom-labs-scenarios/lab-services-process-education-roles-scenario1.png"::: The following table shows the corresponding mapping of organization roles to Microsoft Entra roles: | Org. role | Microsoft Entra role | Description | | --- | --- | --- | -| Administrator | - Subscription Owner
- Subscription Contributor | Create lab plan in Azure portal. | +| Administrator | - Subscription Owner
- Subscription Contributor | Create lab plan in the Azure portal. | | Educator | Lab Creator | Create and manage the labs they created. | -| | Lab Contributor | Optionally, assign to an educator to create and manage all labs (when assigned at the resource group level). | -| | Lab Assistant | Optionally, assign to other educators to help support lab students by allowing reimage/start/stop/connect lab VMs. | -| Student | | Students don't need a Microsoft Entra role. Educators [grant students access](./how-to-manage-lab-users.md) in the lab configuration or students are automatically granted access, for example when using [Teams](./how-to-manage-labs-within-teams.md#manage-lab-user-lists-in-teams) or [Canvas](./how-to-manage-labs-within-canvas.md#manage-lab-user-lists-in-canvas). | +| | Lab Contributor | Optionally, assign to an educator to create and manage all labs, when assigned at the resource group level. | +| | Lab Assistant | Optionally, assign to other educators to help support lab students. They might reimage, start, stop, and connect lab VMs. | +| Student | | Students don't need a Microsoft Entra role. Educators [grant students access](./how-to-manage-lab-users.md) in the lab configuration. Students are automatically granted access when they use [Teams](./how-to-manage-labs-within-teams.md#manage-lab-user-lists-in-teams) or [Canvas](./how-to-manage-labs-within-canvas.md#manage-lab-user-lists-in-canvas). | | Others | Lab Services Reader | Optionally, provide access to see all lab plans and labs without permission to modify. | ### Scenario 2: The IT department owns the entire lab creation process In this scenario, the IT department (administrators) creates both the Azure Lab Services lab plan and lab. Optionally, the administrator grants educators permissions to manage lab users and configure lab settings, such as quotas and schedules. This scenario might be useful in cases where educators can't or don't want to set up and customize the lab. 
-As mentioned in [scenario 1](#scenario-1-splitting-responsibilities-between-it-department-and-educators), the administrator tasks for creating the lab plan might also be split across multiple subteams. +As mentioned in [scenario 1](#scenario-1-splitting-responsibilities-between-it-department-and-educators), the administrator tasks for creating the lab plan might also be split across administrator teams. Get started as an administrator with the [Quickstart: create and connect to a lab](./quick-create-connect-lab.md). Get started as an educator and [add students to a lab](./how-to-manage-lab-users.md), or [create a lab schedule](./how-to-create-schedules.md). -:::image type="content" source="./media/classroom-labs-scenarios/lab-services-process-education-roles-scenario2.png" alt-text="Diagram that shows lab creation steps where admins own the entire process."::: +:::image type="content" source="./media/classroom-labs-scenarios/lab-services-process-education-roles-scenario2.png" alt-text="Diagram that shows lab creation steps where admins own the entire process." lightbox="./media/classroom-labs-scenarios/lab-services-process-education-roles-scenario2.png"::: The following table shows the corresponding mapping of organization roles to Microsoft Entra roles: | Org. role | Microsoft Entra role | Description | | --- | --- | --- | -| Administrator | - Subscription Owner
- Subscription Contributor | Create lab plan in Azure portal. | -| Educator | - Lab Assistant | Optionally, assign to other educators to help support lab students by allowing reimage/start/stop/connect lab VMs. | -| Student | | Students don't need a Microsoft Entra role. Educators [grant students access](./how-to-manage-lab-users.md) in the lab configuration or students are automatically granted access, for example when using [Teams](./how-to-manage-labs-within-teams.md#manage-lab-user-lists-in-teams) or [Canvas](./how-to-manage-labs-within-canvas.md#manage-lab-user-lists-in-canvas). | +| Administrator | - Subscription Owner
- Subscription Contributor | Create lab plan in the Azure portal. | +| Educator | - Lab Assistant | Optionally, assign to other educators to help support lab students. They might reimage, start, stop, and connect lab VMs. | +| Student | | Students don't need a Microsoft Entra role. Educators [grant students access](./how-to-manage-lab-users.md) in the lab configuration. Students are automatically granted access when they use [Teams](./how-to-manage-labs-within-teams.md#manage-lab-user-lists-in-teams) or [Canvas](./how-to-manage-labs-within-canvas.md#manage-lab-user-lists-in-canvas). | | Others | Lab Services Reader | Optionally, provide access to see all lab plans and labs without permission to modify. | ### Scenario 3: The educator owns the entire lab creation process @@ -83,18 +86,18 @@ In this scenario, the educator manages their Azure subscription and manages the Get started as an administrator with the [Quickstart: create and connect to a lab](./quick-create-connect-lab.md) and then [add students to a lab](./how-to-manage-lab-users.md), and [create a lab schedule](./how-to-create-schedules.md). -:::image type="content" source="./media/classroom-labs-scenarios/lab-services-process-education-roles-scenario3.png" alt-text="Diagram that shows lab creation steps where educators own the entire process."::: +:::image type="content" source="./media/classroom-labs-scenarios/lab-services-process-education-roles-scenario3.png" alt-text="Diagram that shows lab creation steps where educators own the entire process." lightbox="./media/classroom-labs-scenarios/lab-services-process-education-roles-scenario3.png"::: The following table shows the corresponding mapping of organization roles to Microsoft Entra roles: | Org. role | Microsoft Entra role | Description | | --- | --- | --- | -| Educator | - Subscription Owner
- Subscription Contributor | Create lab plan in Azure portal. As an Owner, you can also fully manage all labs. | -| | Lab Assistant | Optionally, assign to other educators to help support lab students by allowing reimage/start/stop/connect lab VMs. | -| Student | | Students don't need a Microsoft Entra role. Educators [grant students access](./how-to-manage-lab-users.md) in the lab configuration or students are automatically granted access, for example when using [Teams](./how-to-manage-labs-within-teams.md#manage-lab-user-lists-in-teams) or [Canvas](./how-to-manage-labs-within-canvas.md#manage-lab-user-lists-in-canvas). | +| Educator | - Subscription Owner
- Subscription Contributor | Create lab plan in the Azure portal. As an Owner, you can also fully manage all labs. | +| | Lab Assistant | Optionally, assign to other educators to help support lab students. They might reimage, start, stop, and connect lab VMs. | +| Student | | Students don't need a Microsoft Entra role. Educators [grant students access](./how-to-manage-lab-users.md) in the lab configuration. Students are automatically granted access when they use [Teams](./how-to-manage-labs-within-teams.md#manage-lab-user-lists-in-teams) or [Canvas](./how-to-manage-labs-within-canvas.md#manage-lab-user-lists-in-canvas). | | Others | Lab Services Reader | Optionally, provide access to see all lab plans and labs without permission to modify. | -## Next steps +## Related content - Learn more about [setting up example class types](./class-types.md). - Get started by following the steps in the tutorial [Set up a lab for classroom training](./tutorial-setup-lab.md). diff --git a/articles/lab-services/concept-nested-virtualization-template-vm.md b/articles/lab-services/concept-nested-virtualization-template-vm.md index 67dd5ec37550d..be622165580e5 100644 --- a/articles/lab-services/concept-nested-virtualization-template-vm.md +++ b/articles/lab-services/concept-nested-virtualization-template-vm.md 
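Review bot: In Scenario 1, "Then, they grant the permission to create labs in the lab plan" dropped the grantee that the original had ("grant the educators permission"), so it no longer says who receives the permission; restore "grant educators permission to create labs in the lab plan". In the same hunk, the `description` front matter still says the article "describes how to use Azure DevTest Labs" while the new title is about Azure Lab Services; update it to match. In the requirements list, "shutdown VMs" should be "shut down VMs". In the role tables, the rewritten Lab Assistant row ("They might reimage, start, stop, and connect lab VMs") turns a statement of what the role permits into a mere possibility; "They can reimage, start, stop, and connect lab VMs" keeps the original meaning. Since the Administrator rows offer Subscription Owner and Subscription Contributor as alternatives, and the Lab Contributor row already notes resource-group scope, a sentence on preferring the narrower role and scope (Contributor rather than Owner, scoped as tightly as the setup allows) would fit the least-privilege intent of this section.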
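Review bot: The Scenario 3 hunk only rewords the table, but the unchanged lead-in "Get started as an administrator with the [Quickstart: create and connect to a lab]" contradicts the scenario, in which the educator owns the entire process; "Get started as an educator" matches the section. The Lab Assistant row has the same "They might reimage..." wording as the Scenario 1 and 2 tables; "They can" preserves the meaning that the role permits those actions.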
@@ -3,53 +3,44 @@ title: Nested virtualization in Azure Lab Services description: Learn about considerations and recommendations for configuring nested virtualization in Azure Lab Services. services: lab-services ms.service: lab-services -author: ntrogh -ms.author: nicktrog +author: RoseHJM +ms.author: rosemalcolm ms.topic: conceptual -ms.date: 06/27/2023 +ms.date: 03/07/2024 +#customer intent: As a lab administrator, I want to create networks within a virtual lab in order to cover scenarios where multiple virtual machines interact within or across networks. --- # Nested virtualization in Azure Lab Services -Nested virtualization enables you to create a lab in Azure Lab Services that contains a multi-VM environment. You can use nested virtualization to provide lab users with multiple, related virtual machines as part of a lab. For example, running a lab about [networking with GNS3](./class-type-networking-gns3.md), IT administration, or [ethical hacking](./class-type-ethical-hacking.md) might require multiple VMs that can communicate with each other. This article explains the concepts, considerations, and recommendations for nested virtualization in Azure Lab Services. +Nested virtualization enables you to create a lab in Azure Lab Services that contains multiple virtual machines (VMs). You can create and run a virtual machine (*guest VM*) within a virtual machine (*host VM*). You can use nested virtualization to provide lab users with multiple, related virtual machines as part of the lab. -## What is nested virtualization? +Nested virtualization is enabled through Hyper-V. It's only available on Windows-based lab VMs. You can run both Windows-based and Linux-based guest VMs inside the lab VM. This article explains the concepts, considerations, and recommendations for nested virtualization in Azure Lab Services. -Nested virtualization enables you to create and run virtual machines (*guest VM*) within a virtual machine (*host VM*). 
Nested virtualization is enabled through Hyper-V, and is only available on Windows-based lab VMs. You can run both Windows-based and Linux-based guest VMs inside the lab VM. +## Use cases -For more information about nested virtualization, see the following articles: - -- [How nested virtualization works](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization#how-nested-virtualization-works). -- [Nested Virtualization in Azure](https://azure.microsoft.com/blog/nested-virtualization-in-azure/). - -## Considerations - -Before setting up a lab with nested virtualization, here are a few things to take into consideration. - -- Not all VM sizes support nested virtualization. When you create a new lab, select the **Medium (Nested virtualization)** or **Large (Nested virtualization)** VM size for your lab. +With nested virtualization, you can support multiple VMs that communicate with each other. You might use such labs for the following purposes: -- Choose a size that provides good performance for both the host (lab VM) and guest VMs (VMs inside the lab VM). Make sure the size you choose can run the host VM and any Hyper-V machines at the same time. +- [Networking with GNS3](./class-type-networking-gns3.md) +- IT administration +- [Ethical hacking](./class-type-ethical-hacking.md) -- If using Windows Server, the host VM requires extra configuration to let the guest machines have internet connectivity. - -- Guest VMs don't have access to Azure resources, such as DNS servers, on the Azure virtual network. - -- Hyper-V guest VMs are licensed as independent machines. For information about licensing for Microsoft operation systems and products, see [Microsoft Licensing](https://www.microsoft.com/licensing/default). Check licensing agreements for any other software you use, before installing it on a lab VM or guest VMs. 
+For more information about nested virtualization, see the following articles: -- Virtualization applications other than Hyper-V [*aren't* supported for nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization#3rd-party-virtualization-apps). This includes any software that requires hardware virtualization extensions. +- [How nested virtualization works](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization#how-nested-virtualization-works) +- [Nested Virtualization in Azure](https://azure.microsoft.com/blog/nested-virtualization-in-azure/) ## Enable nested virtualization for a lab -You can enable nested virtualization and create nested Hyper-V VMs on the template VM. When you publish the lab, each lab user has a lab VM that already contains the nested virtual machines. +Enable nested virtualization and create nested Hyper-V VMs on the template VM. When you publish the lab, each lab user has a lab VM that already contains the nested virtual machines. To enable nested virtualization for a lab: -1. Connect to the template VM by using a remote desktop client +1. Connect to the template VM by using a remote desktop client. 1. Enable Hyper-V feature and tools on the template VM. -1. If using Windows Server, create a Network Address Translation (NAT) network to allow the VMs inside the template VM to communicate with each other. +1. If you use Windows Server, create a Network Address Translation (NAT) network to allow the VMs inside the template VM to communicate with each other. > [!NOTE] - > The NAT network created on the Lab Services VM will allow a Hyper-V VM to access the internet and other Hyper-V VMs on the same Lab Services VM. The Hyper-V VM won't be able to access Azure resources, such as DNS servers, on an Azure virtual network. + > The NAT network created on the Lab Services VM will allow a Hyper-V VM to access the internet and other Hyper-V VMs on the same Lab Services VM. 
The Hyper-V VM won't be able to access Azure resources, such as DNS servers, on an Azure virtual network. 1. Use Hyper-V manager to create the nested virtual machines inside the template VM. 1. Verify nested virtual machines have internet access. 
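Review bot: the NOTE under the NAT step states that the NAT network gives every Hyper-V VM access to the internet and to the other Hyper-V VMs on the same lab VM, yet the new "Use cases" section just above lists ethical hacking labs without saying whether that outbound access can be restricted; a sentence on how to keep guest traffic inside the lab VM (or a pointer to the class-type article) would help educators who need isolated guests. Minor: "IT administration" is the only use case without a link, so either link it or say it is a general scenario.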
@@ -58,30 +49,32 @@ Follow these steps to [enable nested virtualization on a template VM](./how-to-e ## Recommendations +Keep the following recommendations in mind when you configure nested virtualization. + ### Non-admin user -You may choose to create a non-admin user when creating your lab. There are a few things to note when using nested virtualization with a non-admin account. +You might choose to create a user without admin privileges when you create a lab. Consider the following issues when you use nested virtualization with such an account. -- To be able to start or stop VMs, the non-admin user must be added to **Hyper-V Administrators** group. -- The non-admin user can't mount drives. -- The Hyper-V VM files must be saved in a location accessible to the non-admin user. +- To be able to start or stop VMs, the user must belong to the **Hyper-V Administrators** group. +- The user can't mount drives. +- The Hyper-V VM files must be saved in a location accessible to the user. ### Processor compatibility -The nested virtualization VM sizes may use different processors as shown in the following table: +The nested virtualization VM sizes might use different processors as shown in the following table: | Size | Series | Processor | | ---- | ----- | ----- | | Medium (nested virtualization) | [Standard_D4s_v4](/azure/virtual-machines/dv4-dsv4-series) | 3rd Generation Intel® Xeon® Platinum 8370C (Ice Lake) or the Intel® Xeon® Platinum 8272CL (Cascade Lake) | | Large (nested virtualization) | [Standard_D8s_v4](/azure/virtual-machines/dv4-dsv4-series) | 3rd Generation Intel® Xeon® Platinum 8370C (Ice Lake) or the Intel® Xeon® Platinum 8272CL (Cascade Lake) | -Each time that a template VM or a lab VM is stopped and started, the underlying processor type might change. 
To help ensure that nested VMs work consistently across processors, try enabling [processor compatibility mode](/windows-server/virtualization/hyper-v/manage/processor-compatibility-mode-hyper-v) on the nested VMs. It's recommended to enable **Processor Compatibility** mode on the template VM's nested VMs before publishing or exporting the image. +Each time that a template VM or a lab VM is stopped and started, the underlying processor type might change. To help ensure that nested VMs work consistently across processors, enable [processor compatibility mode](/windows-server/virtualization/hyper-v/manage/processor-compatibility-mode-hyper-v) on the nested VMs. We recommend that you enable **Processor Compatibility** mode on the template VM's nested VMs before publishing or exporting the image. -You should also test the performance of the nested VMs with the **Processor Compatibility** mode enabled to ensure performance isn't negatively impacted. For more information, see [ramifications of using processor compatibility mode](/windows-server/virtualization/hyper-v/manage/processor-compatibility-mode-hyper-v#ramifications-of-using-processor-compatibility-mode). +You should also test the performance of the nested VMs with the **Processor Compatibility** mode enabled to ensure performance isn't negatively impacted. For more information, see [ramifications of using processor compatibility mode](/windows-server/virtualization/hyper-v/manage/processor-compatibility-mode-hyper-v#ramifications-of-using-processor-compatibility-mode). ### Automatically shut down nested VMs -To avoid data corruption in the nested virtual machines when the lab VM shuts down, configure the nested VMs to automatically shut down when the lab VM shuts down. +To avoid data corruption in the nested virtual machines when the lab VM shuts down, configure the nested VMs to shut down automatically when the lab VM shuts down. 
Learn how you can use the `Set-VM` PowerShell command to [configure the shutdown auto stop action for a nested VM](/powershell/module/hyper-v/set-vm#example-1). 
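Review bot: in the "Non-admin user" bullets, replacing "the non-admin user" with "the user" loses the subject: "The user can't mount drives" now reads as if it applies to any lab user, so keep "non-admin" in each bullet. The first bullet also deserves a clause saying that the Hyper-V Administrators group grants complete control over every VM on the host, so adding a non-admin account to it is a real privilege grant the educator should weigh before following the advice. The processor compatibility and automatic shutdown edits read fine.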
@@ -91,20 +84,36 @@ When you create the nested virtual machines, choose the [VHDX file format](/open ### Configure the number of vCPUs for nested VMs -By default, when you create the nested virtual machine, only one virtual CPU (*vCPU*) is assigned. Depending on the operating system, and software of the nested VM, you might have to increase the number of vCPUs. For more information about managing and setting nested VM CPU resources, see [Hyper-V processor performance](/windows-server/administration/performance-tuning/role/hyper-v-server/processor-performance) or [Set-VM](/powershell/module/hyper-v/set-vm) PowerShell cmdlet. +By default, when you create the nested virtual machine, only one virtual CPU (vCPU) is assigned. Depending on the operating system and software of the nested VM, you might have to increase the number of vCPUs. For more information about managing and setting nested VM CPU resources, see [Hyper-V processor performance](/windows-server/administration/performance-tuning/role/hyper-v-server/processor-performance) or [Set-VM](/powershell/module/hyper-v/set-vm) PowerShell cmdlet. ### Configure the assigned memory for nested VMs -When you create the nested virtual machine, the minimum assigned memory might not be sufficient for the operating system and installed software of the nested VM. You might have to increase the minimum amount of assigned memory for the nested VM. For more information about managing and setting nested VM CPU resources, see [Hyper-V Host CPU Resource Management](/windows-server/virtualization/hyper-v/manage/manage-hyper-v-minroot-2016) or [Set-VM](/powershell/module/hyper-v/set-vm) PowerShell cmdlet. +When you create the nested virtual machine, the minimum assigned memory might not be sufficient for the operating system and installed software. You might have to increase the minimum amount of assigned memory for the nested VM. 
For more information about managing and setting nested VM CPU resources, see [Hyper-V Host CPU Resource Management](/windows-server/virtualization/hyper-v/manage/manage-hyper-v-minroot-2016) or [Set-VM](/powershell/module/hyper-v/set-vm) PowerShell cmdlet. ### Best practices for running Linux on Hyper-V -The following resources provide more best practices for running Linux or FreeBSD on Hyper-V: +The following resources provide best practices for running Linux or FreeBSD on Hyper-V: - [Best Practices for running Linux on Hyper-V](/windows-server/virtualization/hyper-v/best-practices-for-running-linux-on-hyper-v) - [Best Practices for running FreeBSD on Hyper-V](/windows-server/virtualization/hyper-v/best-practices-for-running-freebsd-on-hyper-v) -## Next steps +## Known issues + +Before you set up a lab with nested virtualization, here are a few things to consider. + +- Not all VM sizes support nested virtualization. When you create a new lab, select the **Medium (Nested virtualization)** or **Large (Nested virtualization)** VM size for your lab. + +- Choose a size that provides good performance for both the host (lab VM) and guest VMs (VMs inside the lab VM). Make sure that the size you choose can run the host VM and any Hyper-V machines at the same time. + +- If using Windows Server, the host VM requires extra configuration to let the guest machines have internet connectivity. + +- Guest VMs don't have access to Azure resources, such as DNS servers, on the Azure virtual network. + +- Hyper-V guest VMs are licensed as independent machines. For information about licensing for Microsoft operation systems and products, see [Microsoft Licensing](https://www.microsoft.com/licensing/default). Check licensing agreements for any other software you use before you install it on the template VM or guest VMs. 
+ +- Virtualization applications other than Hyper-V aren't [supported for nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization#3rd-party-virtualization-apps). These applications include any software that requires hardware virtualization extensions. + +## Related content - [Enable nested virtualization on a template VM](./how-to-enable-nested-virtualization-template-vm-using-script.md) diff --git a/articles/lab-services/connect-virtual-machine-chromebook-remote-desktop.md b/articles/lab-services/connect-virtual-machine-chromebook-remote-desktop.md index 8781605d4713c..2e3a484208ef9 100644 --- a/articles/lab-services/connect-virtual-machine-chromebook-remote-desktop.md +++ b/articles/lab-services/connect-virtual-machine-chromebook-remote-desktop.md 
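Review bot: the "Configure the assigned memory for nested VMs" section still ends with "For more information about managing and setting nested VM CPU resources", the sentence copied from the vCPU section; this paragraph is about memory, so the lead should say memory and the link should point at memory management rather than "Hyper-V Host CPU Resource Management". Two smaller issues survive in the added lines: "Microsoft operation systems" should be "operating systems", and "## Known issues" is a misleading heading for a list of supported sizes, networking limits and licensing rules; the old "Considerations" (or "Limitations") fits the content better.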
@@ -1,60 +1,61 @@ --- title: Connect to a lab VM from Chromebook titleSuffix: Azure Lab Services -description: Learn how to connect from a Chromebook to a virtual machine in Azure Lab Services. +description: Learn how to connect from your Chromebook system to a virtual machine in Azure Lab Services by using RDP. services: lab-services ms.service: lab-services -author: ntrogh -ms.author: nicktrog +author: RoseHJM +ms.author: rosemalcolm ms.topic: how-to -ms.date: 01/18/2023 +ms.date: 03/04/2024 +#customer intent: As a student or trainee, I want to connect to an Azure Lab Services VM from my Chromebook over RDP in order to use the lab resources. --- # Connect to a VM using Remote Desktop Protocol on a Chromebook -In this article, you learn how to connect to a lab VM in Azure Lab Services from a Chromebook by using Remote Desktop Protocol (RDP). +In this article, you learn how to connect to a lab virtual machine (VM) in Azure Lab Services from a Chromebook by using Remote Desktop Protocol (RDP). ## Install Microsoft Remote Desktop on a Chromebook -To connect to the lab VM via RDP, you use the Microsoft Remote Desktop app. +To connect to the lab VM by using RDP, use the Microsoft Remote Desktop app. To install the Microsoft Remote Desktop app: 1. Open the app store on your Chromebook, and search for **Microsoft Remote Desktop**. - :::image type="content" source="./media/connect-virtual-machine-chromebook-remote-desktop/install-remote-desktop-chromebook.png" alt-text="Screenshot of the Microsoft Remote Desktop app in the app store."::: + :::image type="content" source="./media/connect-virtual-machine-chromebook-remote-desktop/install-remote-desktop-chromebook.png" alt-text="Screenshot of the Microsoft Remote Desktop app in the app store." lightbox="./media/connect-virtual-machine-chromebook-remote-desktop/install-remote-desktop-chromebook.png"::: 1. Select **Install** to install the latest version of the Remote Desktop application by Microsoft Corporation. 
## Access the VM from your Chromebook using RDP -Next, you connect to the lab VM by using the remote desktop application. You can retrieve the connection information for the lab VM from the Azure Lab Services website. +Connect to the lab VM by using the remote desktop application. You can retrieve the connection information for the lab VM from the Azure Lab Services website. -1. Navigate to the Azure Lab Services website (https://labs.azure.com), and sign in with your credentials. +1. Navigate to the [Azure Lab Services website](https://labs.azure.com), and sign in with your credentials. 1. On the tile for your VM, ensure the [VM is running](how-to-use-lab.md#start-or-stop-the-vm) and select the **Connect** icon. - :::image type="content" source="./media/connect-virtual-machine-chromebook-remote-desktop/connect-vm.png" alt-text="Screenshot of My virtual machines page for Azure Lab Services. The connect icon button on the VM tile is highlighted."::: + :::image type="content" source="./media/connect-virtual-machine-chromebook-remote-desktop/connect-vm.png" alt-text="Screenshot of My virtual machines page for Azure Lab Services with the connect icon button on the VM tile highlighted." lightbox="./media/connect-virtual-machine-chromebook-remote-desktop/connect-vm.png"::: -1. If you’re connecting to a Linux VM, you'll see two options to connect to the VM: SSH and RDP. Select the **Connect via RDP** option. If you're connecting to a Windows VM, you don't need to choose a connection option. The RDP file will automatically start downloading. +1. When you connect to a Linux VM, you see two options to connect to the VM: SSH and RDP. Select the **Connect via RDP** option. If you're connecting to a Windows VM, you don't need to choose a connection option. The RDP file downloads. - :::image type="content" source="./media/connect-virtual-machine-chromebook-remote-desktop/student-vm-connect-options.png" alt-text="Screenshot that shows V M tile for student. 
The R D P and S S H connection options are highlighted."::: + :::image type="content" source="./media/connect-virtual-machine-chromebook-remote-desktop/student-vm-connect-options.png" alt-text="Screenshot that shows VM tile for student with the RDP and SSH connection options highlighted." lightbox="./media/connect-virtual-machine-chromebook-remote-desktop/student-vm-connect-options.png"::: -1. Open the **RDP** file that's downloaded on your computer with **Microsoft Remote Desktop** installed. It should start connecting to the VM. +1. Open the **RDP** file on your computer with **Microsoft Remote Desktop** installed. It should start connecting to the VM. - :::image type="content" source="./media/connect-virtual-machine-chromebook-remote-desktop/connect-vm-chromebook.png" alt-text="Screenshot of the Microsoft Remote Desktop app connecting to V M."::: + :::image type="content" source="./media/connect-virtual-machine-chromebook-remote-desktop/connect-vm-chromebook.png" alt-text="Screenshot of the Microsoft Remote Desktop app connecting to VM." lightbox="./media/connect-virtual-machine-chromebook-remote-desktop/connect-vm-chromebook.png"::: -1. When prompted, enter your username and password. +1. When prompted, enter your user name and password. - :::image type="content" source="./media/connect-virtual-machine-chromebook-remote-desktop/password-chromebook.png" alt-text="Screenshot that shows the Logon screen where you enter your username and password."::: + :::image type="content" source="./media/connect-virtual-machine-chromebook-remote-desktop/password-chromebook.png" alt-text="Screenshot that shows the Logon screen where you enter your username and password." lightbox="./media/connect-virtual-machine-chromebook-remote-desktop/password-chromebook.png"::: 1. If you receive a certificate warning, you can select **Continue**. 
- :::image type="content" source="./media/connect-virtual-machine-chromebook-remote-desktop/certificate-error-chromebook.png" alt-text="Screenshot that shows certificate warning when connecting to lab V M."::: + :::image type="content" source="./media/connect-virtual-machine-chromebook-remote-desktop/certificate-error-chromebook.png" alt-text="Screenshot that shows certificate warning when connecting to lab VM." lightbox="./media/connect-virtual-machine-chromebook-remote-desktop/certificate-error-chromebook.png"::: 1. After the connection is established, you see the desktop of your lab VM. -## Next steps +## Related content - As an educator, [configure RDP for Linux VMs](how-to-enable-remote-desktop-linux.md) - As a student, [stop the VM](how-to-use-lab.md#start-or-stop-the-vm) diff --git a/articles/lab-services/connect-virtual-machine-mac-remote-desktop.md b/articles/lab-services/connect-virtual-machine-mac-remote-desktop.md index 7b5e0b0c7fb56..b160d83dc3a81 100644 --- a/articles/lab-services/connect-virtual-machine-mac-remote-desktop.md +++ b/articles/lab-services/connect-virtual-machine-mac-remote-desktop.md 
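Review bot: the unchanged step "If you receive a certificate warning, you can select **Continue**" tells the reader to click through an RDP certificate warning without saying why the warning is expected or what to check first; since this pass rewords the whole procedure, add a sentence explaining why the lab VM's certificate triggers the warning and tell the reader to confirm that the computer name shown in the warning is the lab VM they expect before continuing, so the step does not teach users to accept any certificate prompt. Minor: the rewritten step now says "user name" while the alt text on the same screenshot still says "username".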
@@ -4,62 +4,63 @@ titleSuffix: Azure Lab Services description: Learn how to connect using remote desktop (RDP) from a Mac to a virtual machine in Azure Lab Services. services: lab-services ms.service: lab-services -author: ntrogh -ms.author: nicktrog +author: RoseHJM +ms.author: rosemalcolm ms.topic: how-to -ms.date: 02/16/2023 +ms.date: 03/04/2024 +#customer intent: As a student or trainee, I want to connect to an Azure Lab Services VM from my Mac over RDP in order to use the lab resources. --- # Connect to a VM using Remote Desktop Protocol on a Mac +In this article, you learn how to connect to a lab virtual machine (VM) in Azure Lab Services from a Mac by using Remote Desktop Protocol (RDP). + > [!CAUTION] > This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. -In this article, you learn how to connect to a lab VM in Azure Lab Services from a Mac by using Remote Desktop Protocol (RDP). - ## Install Microsoft Remote Desktop on a Mac -To connect to the lab VM via RDP, you can use the Microsoft Remote Desktop app. +To connect to the lab VM by using RDP, use the Microsoft Remote Desktop app. To install the Microsoft Remote Desktop app: 1. Open the App Store on your Mac, and search for **Microsoft Remote Desktop**. - :::image type="content" source="./media/connect-virtual-machine-mac-remote-desktop\install-remote-desktop.png" alt-text="Screenshot of Microsoft Remote Desktop app in the App Store."::: + :::image type="content" source="./media/connect-virtual-machine-mac-remote-desktop\install-remote-desktop.png" alt-text="Screenshot of Microsoft Remote Desktop app in the App Store." lightbox="./media/connect-virtual-machine-mac-remote-desktop\install-remote-desktop.png" ::: 1. Select **Install** to install the latest version of Microsoft Remote Desktop. ## Access the VM from your Mac using RDP -Next, you connect to the lab VM by using the remote desktop application. 
You can retrieve the connection information for the lab VM from the Azure Lab Services website. +Connect to the lab VM by using the remote desktop application. You can retrieve the connection information for the lab VM from the Azure Lab Services website. -1. Navigate to the Azure Lab Services website (https://labs.azure.com), and sign in with your credentials. +1. Navigate to the [Azure Lab Services website](https://labs.azure.com), and sign in with your credentials. 1. On the tile for your VM, ensure the [VM is running](how-to-use-lab.md#start-or-stop-the-vm) and select the **Connect** icon. - :::image type="content" source="./media/connect-virtual-machine-mac-remote-desktop/connect-vm.png" alt-text="Screenshot of My virtual machines page for Azure Lab Services. The connect icon button on the VM tile is highlighted."::: + :::image type="content" source="./media/connect-virtual-machine-mac-remote-desktop/connect-vm.png" alt-text="Screenshot of My virtual machines page for Azure Lab Services with the connect icon button on the VM tile highlighted." lightbox="./media/connect-virtual-machine-mac-remote-desktop/connect-vm.png"::: -1. If you’re connecting to a Linux VM, you'll see two options to connect to the VM: SSH and RDP. Select the **Connect via RDP** option. If you're connecting to a Windows VM, you don't need to choose a connection option. The RDP file will automatically start downloading. +1. When you connect to a Linux VM, you see two options to connect to the VM: SSH and RDP. Select the **Connect via RDP** option. If you're connecting to a Windows VM, you don't need to choose a connection option. The RDP file downloads. - :::image type="content" source="./media/connect-virtual-machine-mac-remote-desktop/student-vm-connect-options.png" alt-text="Screenshot that shows V M tile for student. 
The R D P and S S H connection options are highlighted."::: + :::image type="content" source="./media/connect-virtual-machine-mac-remote-desktop/student-vm-connect-options.png" alt-text="Screenshot that shows VM tile for student with the RDP and SSH connection options highlighted." lightbox="./media/connect-virtual-machine-mac-remote-desktop/student-vm-connect-options.png"::: -1. Open the **RDP** file that's downloaded on your computer with **Microsoft Remote Desktop** installed. It should start connecting to the VM. +1. Open the *RDP* file on your computer with **Microsoft Remote Desktop** installed. Your computer should start to connect to the VM. - :::image type="content" source="./media/how-to-use-classroom-lab/connect-linux-vm.png" alt-text="Screenshot of Microsoft Remote Desktop app connecting to a remote VM."::: + :::image type="content" source="./media/how-to-use-classroom-lab/connect-linux-vm.png" alt-text="Screenshot of Microsoft Remote Desktop app connecting to a remote VM." lightbox="./media/how-to-use-classroom-lab/connect-linux-vm.png"::: -1. When prompted, enter your username and password. +1. When prompted, enter your user name and password. 1. If you receive a certificate warning, you can select **Continue**. - :::image type="content" source="./media/how-to-use-classroom-lab/certificate-error.png" alt-text="Screenshot of certificate error for Microsoft Remote Desktop app."::: + :::image type="content" source="./media/how-to-use-classroom-lab/certificate-error.png" alt-text="Screenshot of certificate error for Microsoft Remote Desktop app." lightbox="./media/how-to-use-classroom-lab/certificate-error.png"::: 1. After the connection is established, you see the desktop of your lab VM. 
The following example is for a CentOS Linux VM: - :::image type="content" source="./media/how-to-use-classroom-lab/vm-ui.png" alt-text="Screenshot of the desktop for a CentOS Linux VM."::: + :::image type="content" source="./media/how-to-use-classroom-lab/vm-ui.png" alt-text="Screenshot of the desktop for a CentOS Linux VM." lightbox="./media/how-to-use-classroom-lab/vm-ui.png"::: -## Next steps +## Related content - As a student, learn to [connect to a VM using X2Go](connect-virtual-machine-linux-x2go.md). - As a student, [stop the VM](how-to-use-lab.md#start-or-stop-the-vm). diff --git a/articles/lab-services/how-to-enable-nested-virtualization-template-vm-using-script.md b/articles/lab-services/how-to-enable-nested-virtualization-template-vm-using-script.md index f0909e48c73cc..9a8db61fbf705 100644 --- a/articles/lab-services/how-to-enable-nested-virtualization-template-vm-using-script.md +++ b/articles/lab-services/how-to-enable-nested-virtualization-template-vm-using-script.md 
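Review bot: the new lightbox attribute on the App Store screenshot copies the backslash from the existing source path ("connect-virtual-machine-mac-remote-desktop\install-remote-desktop.png"); both should use a forward slash like every other image path in this file, otherwise the lightbox link may not resolve (the stray space before the closing ":::" on that line can go too). The "certificate warning, select Continue" step has the same gap as in the Chromebook article: say why the warning appears and what the reader should verify before continuing.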
@@ -4,23 +4,16 @@ titleSuffix: Azure Lab Services description: Learn how to enable nested virtualization on a template VM in Azure Lab Services to create multi-VM labs. services: lab-services ms.service: lab-services -author: ntrogh -ms.author: nicktrog +author: RoseHJM +ms.author: rosemalcolm ms.topic: how-to -ms.date: 02/12/2024 +ms.date: 03/04/2024 +#customer intent: As an administrator or educator, I want to set up labs in Azure Lab Services that include multiple embedded virtual machines because some learning tasks require multiple computers interacting on a network. --- # Enable nested virtualization in Azure Lab Services -Nested virtualization enables you to create a lab in Azure Lab Services that contains a multi-VM environment. You can enable nested virtualization on the template VM and preconfigure the nested VMs on the template VM. When you publish the lab, each lab user receives a lab VM that already contains the nested VMs. - -For concepts, considerations, and recommendations about nested virtualization, see [nested virtualization in Azure Lab Services](./concept-nested-virtualization-template-vm.md). - -> [!NOTE] -> Virtualization applications other than Hyper-V are [*not* supported for nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization#3rd-party-virtualization-apps). This includes any software that requires hardware virtualization extensions. - ->[!IMPORTANT] ->Select **Large (nested virtualization)** or **Medium (nested virtualization)** for the virtual machine size when creating the lab. Nested virtualization will not work otherwise. +Nested virtualization supports a lab in Azure Lab Services that contains a multiple virtual machine (VM) environment. You can prepare a lab template for your multiple VM environment. Users don't need to enable nested virtualization on their lab VM or install the nested VMs on it. 
When you publish the lab, each lab user has a lab VM that already contains the nested virtual machines. ## Prerequisites 
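Review bot: the rewritten intro sentence "contains a multiple virtual machine (VM) environment" is awkward; the original "multi-VM environment" reads better, so keep that wording and just expand VM on first use. This hunk also removes the IMPORTANT note about selecting the Large or Medium (nested virtualization) size from the intro; the next hunk re-adds it after the prerequisite includes, which is fine, but since the size is a hard precondition ("Nested virtualization doesn't work otherwise") it belongs inside the Prerequisites section rather than after it.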
@@ -28,12 +21,20 @@ For concepts, considerations, and recommendations about nested virtualization, s [!INCLUDE [Create and manage labs](./includes/lab-services-prerequisite-create-lab.md)] [!INCLUDE [Existing lab plan](./includes/lab-services-prerequisite-lab-plan.md)] -## Enable nested virtualization +For concepts, considerations, and recommendations about nested virtualization, see [nested virtualization in Azure Lab Services](./concept-nested-virtualization-template-vm.md). + +> [!NOTE] +> Virtualization applications other than Hyper-V aren't [supported for nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization#3rd-party-virtualization-apps). This includes any software that requires hardware virtualization extensions. > [!IMPORTANT] -> It is recommend to use nested virtualization with Windows 11 to take advantage of the 'Default Switch' created when you install Hyper-V on a Windows client OS. Nested virtualization on Windows Server OSes should be used when additional control over the network settings is required. +> Select **Large (nested virtualization)** or **Medium (nested virtualization)** for the virtual machine size when creating the lab. Nested virtualization doesn't work otherwise. + +## Enable nested virtualization -To enable nested virtualization on the template VM, you first connect [connect to the template virtual machine by using RDP (Remote Desktop Protocol) client](./how-to-create-manage-template.md#update-a-template-vm). You can then apply the configuration changes by either running a PowerShell script or using Windows tools. +To enable nested virtualization on the template VM, first connect to the VM by using a remote desktop (RDP) client. You can then apply the configuration changes by either running a PowerShell script or using Windows tools. + +> [!IMPORTANT] +> We recommend that you use nested virtualization with Windows 11. 
You can take advantage of the 'Default Switch' created when you install Hyper-V on a Windows client OS. You should use nested virtualization on Windows Server operating systems when you require additional control over the network settings. # [PowerShell](#tab/powershell) @@ -41,15 +42,15 @@ You can use a PowerShell script to set up nested virtualization on a template VM 1. Follow these steps to [connect to and update the template machine](./how-to-create-manage-template.md#update-a-template-vm). -1. Launch **PowerShell** in **Administrator** mode. +1. Launch **PowerShell** as an Administrator. -1. You might have to change the execution policy to successfully run the script. +1. You might have to change the execution policy to successfully run the script. Run the following command: ```powershell Set-ExecutionPolicy bypass -force ``` -1. Download and run the script to enable the Hyper-V feature and tools. +1. Download and run the script to enable the Hyper-V feature and tools. ```powershell Invoke-WebRequest 'https://aka.ms/azlabs/scripts/hyperV-powershell' -Outfile SetupForNestedVirtualization.ps1 @@ -57,7 +58,7 @@ You can use a PowerShell script to set up nested virtualization on a template VM ``` > [!NOTE] - > The script might require the machine to be restarted. If so, stop and start the template VM from the [Azure Lab Services website](https://labs.azure.com) and re-run the script until **Script completed** is seen in the output. + > The script might require you to restart the VM. If so, stop and start the template VM from the [Azure Lab Services website](https://labs.azure.com) and re-run the script until you see **Script completed** in the output. 1. Don't forget to reset the execution policy. 
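Review bot: the PowerShell tab lowers the execution policy with `Set-ExecutionPolicy bypass -force`, which changes the LocalMachine policy by default, and then relies on the reader remembering the later "Don't forget to reset the execution policy" step; suggest `Set-ExecutionPolicy Bypass -Scope Process -Force` so the relaxation lasts only for that PowerShell session and nothing needs resetting. Since the script is fetched through an aka.ms redirect with `Invoke-WebRequest`, also add a line telling the reader to open SetupForNestedVirtualization.ps1 and review it before running it. Separately, "first connect to the VM by using a remote desktop (RDP) client" drops the link to the template-update steps that the old sentence carried; the PowerShell tab restores it as its first step, but the Windows tools tab has no connect step at all, so keep the link in the intro sentence, and write "Remote Desktop Protocol (RDP)" since RDP is not short for "remote desktop".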
@@ -65,11 +66,11 @@ You can use a PowerShell script to set up nested virtualization on a template VM Set-ExecutionPolicy default -force ``` -The template VM is now configured for use with nested virtualization and you can [create VMs](/windows-server/virtualization/hyper-v/get-started/create-a-virtual-machine-in-hyper-v?tabs=hyper-v-manager) inside it. Use the switch specified by the script when creating new Hyper-V VMs. +The template VM is now configured for use with nested virtualization. You can [create VMs](/windows-server/virtualization/hyper-v/get-started/create-a-virtual-machine-in-hyper-v?tabs=hyper-v-manager) inside it. Use the switch specified by the script when creating new Hyper-V VMs. # [Windows tools](#tab/windows) -You can set up nested virtualization on a template VM in Azure Lab Services using Windows features and tools directly. The following steps describe how to manually set up a Lab Services machine template with Hyper-V. Steps are intended for Windows 11. +You can set up nested virtualization on a template VM in Azure Lab Services by using Windows features and tools directly. The following steps describe how to manually set up a Lab Services machine template with Hyper-V. These steps are intended for Windows 11. 1. Open the **Settings** page. 1. Select **Apps**. 
@@ -77,18 +78,18 @@ You can set up nested virtualization on a template VM in Azure Lab Services usin 1. Select **More Windows features** under the **Related features** section. 1. The **Windows features** pop-up appears. Check the **Hyper-V** feature and select **OK**. 1. Wait for the Hyper-V feature to be installed. When prompted to restart the VM, select **Don't restart**. -1. Go to the [Azure Lab Services website](https://labs.azure.com) to stop and restart the template VM. +1. To start and stop the template VM, go to the [Azure Lab Services website](https://labs.azure.com). -The template VM is now configured to use nested virtualization and you can [create VMs](/windows-server/virtualization/hyper-v/get-started/create-a-virtual-machine-in-hyper-v?tabs=hyper-v-manager) inside it. Use 'Default Switch' when creating new nested VMs with Hyper-V. +The template VM is now configured to use nested virtualization. You can [create VMs](/windows-server/virtualization/hyper-v/get-started/create-a-virtual-machine-in-hyper-v?tabs=hyper-v-manager) inside it. Use Default Switch when you create new nested VMs with Hyper-V. --- ## Connect to a nested VM in another lab VM -Extra configuration is required to connect from a nested VM on one lab VM to a nested VM that is hosted in another lab VM. Add a static mapping to the NAT instance with the [**Add-NetNatStaticMapping**](/powershell/module/netnat/add-netnatstaticmapping) PowerShell cmdlet. +Extra configuration is required to connect from a nested VM on one lab VM to a nested VM that is hosted in another lab VM. Add a static mapping to the NAT instance with the [Add-NetNatStaticMapping](/powershell/module/netnat/add-netnatstaticmapping) PowerShell cmdlet. > [!NOTE] -> The ping command to test connectivity from or to a nested VM doesn't work. +> You can't use the `ping` command to test connectivity from or to a nested VM. > [!NOTE] > The static mapping only works when you use private IP addresses. 
The VM that the lab user is connecting from must be a lab VM, or the VM has to be on the same network if using advanced networking. 
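Review bot: the rewritten step "To start and stop the template VM, go to the Azure Lab Services website" inverts the order of the original "stop and restart the template VM" and loses its purpose: the previous step told the reader to select **Don't restart** after the Hyper-V feature install, and this step exists to perform that pending restart from the Lab Services website. Suggest "Go to the Azure Lab Services website to stop and then start the template VM, which completes the Hyper-V installation." Also, the NOTE "You can't use the `ping` command to test connectivity from or to a nested VM" would be more useful with the reason, or at least an alternative check such as opening a TCP connection to the mapped port, since a reader who cannot ping will assume the static NAT mapping failed.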
@@ -134,43 +135,45 @@ Enable connection with RDP from lab VM 2, or its nested VMs, to nested lab VM 1- ## Troubleshooting +These suggestions might address some common issues. + ### The Linux VM is only showing a black screen Perform the following steps to verify your nested VM configuration: - Check which [Hyper-V virtual machine generation](/windows-server/virtualization/hyper-v/plan/should-i-create-a-generation-1-or-2-virtual-machine-in-hyper-v) you used for the nested VM. Some Linux distributions don't work with Gen 1 Hyper-V VMs. - Learn more about the [supported guest operating systems in Hyper-V](/virtualization/hyper-v-on-windows/about/supported-guest-os). + Learn more about the [supported guest operating systems in Hyper-V](/virtualization/hyper-v-on-windows/about/supported-guest-os). ### Hyper-V doesn't start with error `The virtual machine is using processor-specific xsave features not supported` - This error can happen when a lab user leaves the Hyper-V VM in the saved state. You can right-select the VM in Hyper-V Manager and select **Delete saved state**. - > [!CAUTION] - > Deleting the saved state means that any unsaved work is lost. Anything saved to disk remains intact. + > [!CAUTION] + > Deleting the saved state means that any unsaved work is lost, but anything saved to disk remains intact. -- This error can happen when the Hyper-V VM is turned off and the VHDX file is corrupted. If the lab user created a backup of the VDHX file, they can restore the VM from that point. +- This error can happen when the Hyper-V VM is turned off and the VHDX file is corrupted. If the lab user creates a backup of the VDHX file, or saved a snapshot, they can restore the VM from that point. -Hyper-V VMs should have their [automatic shutdown action set to shutdown](./concept-nested-virtualization-template-vm.md#automatically-shut-down-nested-vms). 
+We recommend that you set Hyper-V VMs [automatic shutdown action set to shutdown](./concept-nested-virtualization-template-vm.md#automatically-shut-down-nested-vms). ### Hyper-V is too slow -Increase the number vCPUs and memory that is assigned to the Hyper-V VM in Hyper-V Manager. The total number of vCPUs can't exceed the number of cores of the host VM (lab VM). If you're using variable memory, the default option, increase the minimum amount of memory assigned to the VM. The maximum amount of assigned memory (if using variable memory) can exceed the amount of memory of the host VM. Variable memory allows greater flexibility when having to complete intensive operations on just one of the Hyper-V VMs. +Increase the number vCPUs and memory that is assigned to the Hyper-V VM in Hyper-V Manager. The total number of vCPUs can't exceed the number of cores of the host VM (lab VM). If you're using variable memory, the default option, increase the minimum amount of memory assigned to the VM. The maximum amount of assigned memory, if you use variable memory, can exceed the amount of memory of the host VM. This approach allows greater flexibility when having to complete intensive operations on just one of the Hyper-V VMs. -If you're using the Medium (Nested Virtualization) VM size for the lab, consider using the Large (Nested Virtualization) VM size instead to have more compute resources for each lab VM. +If you're using the **Medium (Nested Virtualization)** VM size for the lab, consider using the **Large (Nested Virtualization)** VM size instead to have more compute resources for each lab VM. ### Internet connectivity isn't working for nested VMs - Verify that you followed the previous steps for enabling nested virtualization. Consider using the PowerShell script option. -- Check if the host VM (lab VM) has the DHCP role installed if you are using Windows Server. +- Check if the host VM (lab VM) has the DHCP role installed if you're using Windows Server. 
- Running a lab VM as a DHCP server is an *unsupported* scenario. See [Can I deploy a DHCP server in a virtual network?](/azure/virtual-network/virtual-networks-faq) for details. Changing the settings of the lab VM can cause issues with other lab VMs. + Running a lab VM as a DHCP server isn't supported. See [Can I deploy a DHCP server in a virtual network?](../virtual-network/virtual-networks-faq.md). Changing the settings of the lab VM can cause issues with other lab VMs. - Check the network adapter settings for the Hyper-V VM. - - Set the IP address of the DNS server and DHCP server to [*168.63.129.16*](/azure/virtual-network/what-is-ip-address-168-63-129-16). - - If the guest VM IPv4 address is set manually, verify it is in the range of the NAT network connected to the Hyper-V switch. + - Set the IP address of the DNS server and DHCP server to [168.63.129.16](../virtual-network/what-is-ip-address-168-63-129-16.md). + - If the guest VM IPv4 address is set manually, verify that it's in the range of the NAT network connected to the Hyper-V switch. - Try enabling Hyper-V [DHCP guard](/archive/blogs/virtual_pc_guy/hyper-v-networkingdhcp-guard) and [Router guard](/archive/blogs/virtual_pc_guy/hyper-v-networkingrouter-guard). ```powershell 
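Review bot: the added recommendation line is grammatically broken: `+We recommend that you set Hyper-V VMs [automatic shutdown action set to shutdown]` doubles "set" and drops the possessive; suggest "We recommend that you set the Hyper-V VMs' [automatic shutdown action to shutdown](./concept-nested-virtualization-template-vm.md#automatically-shut-down-nested-vms)." Two smaller fixes in lines this hunk already touches: "Increase the number vCPUs" is missing "of", and the VHDX bullet mixes tenses and misspells the extension ("If the lab user creates a backup of the VDHX file, or saved a snapshot") where "created a backup of the VHDX file, or saved a snapshot" would be consistent with the "VHDX file is corrupted" earlier in the same sentence.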
@@ -178,15 +181,15 @@ If you're using the Medium (Nested Virtualization) VM size for the lab, consider ``` > [!NOTE] -> The `ping` command from a Hyper-V VM to the host VM doesn't work. To test internet connectivity, launch a web browser and verify that the web page loads correctly. +> You can't use the `ping` command from a Hyper-V VM to the host VM. To test internet connectivity, launch a web browser and verify that the web page loads correctly. ### Can't start Hyper-V VMs -You might choose to create a non-admin user when creating your lab. To be able to start or stop Hyper-V VMs, the non-admin user must be added to **Hyper-V Administrators** group. For more information about Hyper-V and non-admin users, see [Non-admin user](concept-nested-virtualization-template-vm.md#non-admin-user). +You might choose to create a non-admin user when you create a lab. To be able to start or stop Hyper-V VMs, you must add such a user to the **Hyper-V Administrators** group. For more information about Hyper-V and non-admin users, see [Non-admin user](concept-nested-virtualization-template-vm.md#non-admin-user). -## Next steps +## Related content -Now that nested virtualization is configured on the template VM, you can [create nested virtual machines with Hyper-V](/windows-server/virtualization/hyper-v/get-started/create-a-virtual-machine-in-hyper-v). See [Microsoft Evaluation Center](https://www.microsoft.com/evalcenter/) to check out available operating systems and software. +After you configure nested virtualization on the template VM, you can [create nested virtual machines with Hyper-V](/windows-server/virtualization/hyper-v/get-started/create-a-virtual-machine-in-hyper-v). See [Microsoft Evaluation Center](https://www.microsoft.com/evalcenter/) to check out available operating systems and software. - [Add lab users](how-to-manage-lab-users.md) - [Set quota hours](how-to-manage-lab-users.md#set-quotas-for-users) 
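Review bot: the rewritten note changes the meaning of the `ping` sentence from a behaviour to a prohibition. The removed line said the command "doesn't work"; the new "You can't use the `ping` command from a Hyper-V VM to the host VM" reads as if it were disallowed rather than simply not answered. Suggest keeping the behavioural wording, for example "A `ping` from a Hyper-V VM to the host VM doesn't get a response, so use a web browser to test internet connectivity instead." The rest of the hunk (non-admin user wording, "Related content" heading) reads fine.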
diff --git a/articles/lab-services/includes/lab-services-class-type-lab-plan.md b/articles/lab-services/includes/lab-services-class-type-lab-plan.md index 035cedd0bfbed..037e4f3fb10cc 100644 --- a/articles/lab-services/includes/lab-services-class-type-lab-plan.md +++ b/articles/lab-services/includes/lab-services-class-type-lab-plan.md @@ -4,4 +4,4 @@ ms.date: 01/04/2022 ms.topic: include --- -Once you have an Azure subscription, you can create a new lab plan in Azure Lab Services. For more information about creating a new lab plan, see [Quickstart: Set up resources to create labs](../quick-create-resources.md). You can also use an existing lab plan. +After you have an Azure subscription, you can create a lab plan in Azure Lab Services. For more information about creating a new lab plan, see [Quickstart: Set up resources to create labs](../quick-create-resources.md). You can also use an existing lab plan. diff --git a/articles/lab-services/includes/lab-services-class-type-template-vm.md b/articles/lab-services/includes/lab-services-class-type-template-vm.md index 2b2319fbc834d..bcbb0bd5a2133 100644 --- a/articles/lab-services/includes/lab-services-class-type-template-vm.md +++ b/articles/lab-services/includes/lab-services-class-type-template-vm.md @@ -4,4 +4,4 @@ ms.date: 01/04/2022 ms.topic: include --- -Once you create a lab, a template VM will be created based on the virtual machine size and image you chose. You configure the template VM with everything you want to provide to your students for this class. For more information, see [Create and manage a template in Azure Lab Services](../how-to-create-manage-template.md). +After you create a lab, create a template VM that is based on the virtual machine size and image you choose. Configure the template VM with everything you want to provide to your students for this class. For more information, see [Create and manage a template in Azure Lab Services](../how-to-create-manage-template.md). 
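Review bot: the template-VM include now tells the reader to do something the service does for them. The removed line said "a template VM will be created based on the virtual machine size and image you chose"; the replacement "After you create a lab, create a template VM that is based on the virtual machine size and image you choose" turns that automatic step into an instruction, which contradicts the linked article. Suggest "After you create a lab, a template VM is created based on the virtual machine size and image you chose. Configure the template VM with everything you want to provide to your students for this class." The lab-plan include change is fine as written.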
diff --git a/articles/load-balancer/upgrade-basic-standard-with-powershell.md b/articles/load-balancer/upgrade-basic-standard-with-powershell.md index e44db0d06c866..c0c29c7ecec87 100644 --- a/articles/load-balancer/upgrade-basic-standard-with-powershell.md +++ b/articles/load-balancer/upgrade-basic-standard-with-powershell.md 
@@ -303,6 +303,17 @@ The basic failure recovery procedure is: 1. Locate the Basic Load Balancer state backup file. This file will either be in the directory where the script was executed, or at the path specified with the `-RecoveryBackupPath` parameter during the failed execution. The file is named: `State___.json` 1. Rerun the migration script, specifying the `-FailedMigrationRetryFilePathLB ` and `-FailedMigrationRetryFilePathVMSS ` (for Virtual Machine Scale set backends) parameters instead of -BasicLoadBalancerName or passing the Basic Load Balancer over the pipeline +### How can I list the Basic Load Balancers to be migrated in my environment? + +One way to get a list of the Basic Load Balancers needing to be migrated in your environment is to use an Azure Resource Graph query. A simple query like this one will list all the Basic Load Balancers you have access to see. + +```kusto +Resources +| where type == 'microsoft.network/loadbalancers' and sku.name == 'Basic' +``` + +We have also written a more complex query which assesses the readiness of each Basic Load Balancer for migration on most of the criteria this module checks during [validation](#example-validate-a-scenario). 
The Resource Graph query can be found in our [GitHub project](https://github.com/Azure/AzLoadBalancerMigration/blob/main/AzureBasicLoadBalancerUpgrade/utilities/migration_graph_query.txt) or opened in the [Azure Resource Graph Explorer](https://portal.azure.com/?#blade/HubsExtension/ArgQueryBlade/query/resources%0A%7C%20where%20type%20%3D%3D%20%27microsoft.network%2Floadbalancers%27%20and%20sku.name%20%3D%3D%20%27Basic%27%0A%7C%20project%20fes%20%3D%20properties.frontendIPConfigurations%2C%20bes%20%3D%20properties.backendAddressPools%2C%5B%27id%27%5D%2C%5B%27tags%27%5D%2CsubscriptionId%2CresourceGroup%0A%7C%20extend%20backendPoolCount%20%3D%20array_length%28bes%29%0A%7C%20extend%20internalOrExternal%20%3D%20iff%28isnotempty%28fes%29%2Ciff%28isnotempty%28fes%5B0%5D.properties.privateIPAddress%29%2C%27Internal%27%2C%27External%27%29%2C%27None%27%29%0A%20%20%20%20%7C%20join%20kind%3Dleftouter%20hint.strategy%3Dshuffle%20%28%0A%20%20%20%20%20%20%20%20resources%0A%20%20%20%20%20%20%20%20%7C%20where%20type%20%3D%3D%20%27microsoft.network%2Fpublicipaddresses%27%0A%20%20%20%20%20%20%20%20%7C%20where%20properties.publicIPAddressVersion%20%3D%3D%20%27IPv6%27%0A%20%20%20%20%20%20%20%20%7C%20extend%20publicIPv6LBId%20%3D%20tostring%28split%28properties.ipConfiguration.id%2C%27%2FfrontendIPConfigurations%2F%27%29%5B0%5D%29%0A%20%20%20%20%20%20%20%20%7C%20distinct%20publicIPv6LBId%0A%20%20%20%20%29%20on%20%24left.id%20%3D%3D%20%24right.publicIPv6LBId%0A%20%20%20%20%7C%20join%20kind%20%3D%20leftouter%20hint.strategy%3Dshuffle%20%28%0A%20%20%20%20%20%20%20%20resources%20%0A%20%20%20%20%20%20%20%20%7C%20where%20type%20%3D%3D%20%27microsoft.network%2Fnetworkinterfaces%27%20and%20isnotempty%28properties.virtualMachine.id%29%0A%20%20%20%20%20%20%20%20%7C%20extend%20vmNICHasNSG%20%3D%20isnotnull%28properties.networkSecurityGroup.id%29%0A%20%20%20%20%20%20%20%20%7C%20extend%20vmNICSubnetIds%20%3D%20tostring%28extract_all%28%27%28%2Fsubscriptions%2F%5Ba-f0-9-%5D%2B%3F%2FresourceGroups%2F%
5Ba-zA-Z0-9-_%5D%2B%3F%2Fproviders%2FMicrosoft.Network%2FvirtualNetworks%2F%5Ba-zA-Z0-9-_%5D%2B%3F%2Fsubnets%2F%5Ba-zA-Z0-9-_%5D%2A%29%27%2Ctostring%28properties.ipConfigurations%29%29%29%0A%20%20%20%20%20%20%20%20%7C%20mv-expand%20ipConfigs%20%3D%20properties.ipConfigurations%0A%20%20%20%20%20%20%20%20%7C%20extend%20vmPublicIPId%20%3D%20extract%28%27%2Fsubscriptions%2F%5Ba-f0-9-%5D%2B%3F%2FresourceGroups%2F%5Ba-zA-Z0-9-_%5D%2B%3F%2Fproviders%2FMicrosoft.Network%2FpublicIPAddresses%2F%5Ba-zA-Z0-9-_%5D%2A%27%2C0%2Ctostring%28ipConfigs%29%29%0A%20%20%20%20%20%20%20%20%7C%20where%20isnotempty%28ipConfigs.properties.loadBalancerBackendAddressPools%29%20%0A%20%20%20%20%20%20%20%20%7C%20mv-expand%20bes%20%3D%20ipConfigs.properties.loadBalancerBackendAddressPools%0A%20%20%20%20%20%20%20%20%7C%20extend%20nicLoadBalancerId%20%3D%20tostring%28split%28bes.id%2C%27%2FbackendAddressPools%2F%27%29%5B0%5D%29%0A%20%20%20%20%20%20%20%20%7C%20summarize%20vmNICsNSGStatus%20%3D%20make_set%28vmNICHasNSG%29%20by%20nicLoadBalancerId%2CvmPublicIPId%2CvmNICSubnetIds%0A%20%20%20%20%20%20%20%20%7C%20extend%20allVMNicsHaveNSGs%20%3D%20set_has_element%28vmNICsNSGStatus%2CFalse%29%0A%20%20%20%20%20%20%20%20%7C%20summarize%20publicIpCount%20%3D%20dcount%28vmPublicIPId%29%20by%20nicLoadBalancerId%2C%20allVMNicsHaveNSGs%2C%20vmNICSubnetIds%0A%20%20%20%20%20%20%20%20%29%20on%20%24left.id%20%3D%3D%20%24right.nicLoadBalancerId%0A%20%20%20%20%20%20%20%20%7C%20join%20kind%20%3D%20leftouter%20%28%0A%20%20%20%20%20%20%20%20%20%20%20%20resources%0A%20%20%20%20%20%20%20%20%20%20%20%20%7C%20where%20type%20%3D%3D%20%27microsoft.compute%2Fvirtualmachinescalesets%27%0A%20%20%20%20%20%20%20%20%20%20%20%20%7C%20extend%20vmssSubnetIds%20%3D%20tostring%28extract_all%28%27%28%2Fsubscriptions%2F%5Ba-f0-9-%5D%2B%3F%2FresourceGroups%2F%5Ba-zA-Z0-9-_%5D%2B%3F%2Fproviders%2FMicrosoft.Network%2FvirtualNetworks%2F%5Ba-zA-Z0-9-_%5D%2B%3F%2Fsubnets%2F%5Ba-zA-Z0-9-_%5D%2A%29%27%2Ctostring%28properties.virtualMachineProfile.ne
tworkProfile.networkInterfaceConfigurations%29%29%29%0A%20%20%20%20%20%20%20%20%20%20%20%20%7C%20mv-expand%20nicConfigs%20%3D%20properties.virtualMachineProfile.networkProfile.networkInterfaceConfigurations%0A%20%20%20%20%20%20%20%20%20%20%20%20%7C%20extend%20vmssNicHasNSG%20%3D%20isnotnull%28properties.networkSecurityGroup.id%29%0A%20%20%20%20%20%20%20%20%20%20%20%20%7C%20mv-expand%20ipConfigs%20%3D%20nicConfigs.properties.ipConfigurations%0A%20%20%20%20%20%20%20%20%20%20%20%20%7C%20extend%20vmssHasPublicIPConfig%20%3D%20iff%28tostring%28ipConfigs%29%20matches%20regex%20%40%27publicIPAddressVersion%27%2Ctrue%2Cfalse%29%0A%20%20%20%20%20%20%20%20%20%20%20%20%7C%20where%20isnotempty%28ipConfigs.properties.loadBalancerBackendAddressPools%29%0A%20%20%20%20%20%20%20%20%20%20%20%20%7C%20mv-expand%20bes%20%3D%20ipConfigs.properties.loadBalancerBackendAddressPools%0A%20%20%20%20%20%20%20%20%20%20%20%20%7C%20extend%20vmssLoadBalancerId%20%3D%20tostring%28split%28bes.id%2C%27%2FbackendAddressPools%2F%27%29%5B0%5D%29%0A%20%20%20%20%20%20%20%20%20%20%20%20%7C%20summarize%20vmssNICsNSGStatus%20%3D%20make_set%28vmssNicHasNSG%29%20by%20vmssLoadBalancerId%2C%20vmssHasPublicIPConfig%2C%20vmssSubnetIds%0A%20%20%20%20%20%20%20%20%20%20%20%20%7C%20extend%20allVMSSNicsHaveNSGs%20%3D%20set_has_element%28vmssNICsNSGStatus%2CFalse%29%0A%20%20%20%20%20%20%20%20%20%20%20%20%7C%20distinct%20vmssLoadBalancerId%2C%20vmssHasPublicIPConfig%2C%20allVMSSNicsHaveNSGs%2C%20vmssSubnetIds%0A%20%20%20%20%20%20%20%20%29%20on%20%24left.id%20%3D%3D%20%24right.vmssLoadBalancerId%0A%7C%20extend%20subnetIds%20%3D%20set_difference%28todynamic%28coalesce%28vmNICSubnetIds%2CvmssSubnetIds%29%29%2Cdynamic%28%5B%5D%29%29%20%2F%2F%20return%20only%20unique%20subnet%20ids%0A%7C%20mv-expand%20subnetId%20%3D%20subnetIds%0A%7C%20extend%20subnetId%20%3D%20tostring%28subnetId%29%0A%7C%20project-away%20vmNICSubnetIds%2C%20vmssSubnetIds%2C%20subnetIds%0A%7C%20extend%20backendType%20%3D%20iff%28isnotempty%28bes%29%2Ciff%28is
notempty%28nicLoadBalancerId%29%2C%27VMs%27%2Ciff%28isnotempty%28vmssLoadBalancerId%29%2C%27VMSS%27%2C%27Empty%27%29%29%2C%27Empty%27%29%0A%7C%20extend%20lbHasIPv6PublicIP%20%3D%20iff%28isnotempty%28publicIPv6LBId%29%2Ctrue%2Cfalse%29%0A%7C%20project-away%20fes%2C%20bes%2C%20nicLoadBalancerId%2C%20vmssLoadBalancerId%2C%20publicIPv6LBId%2C%20subnetId%0A%7C%20extend%20vmsHavePublicIPs%20%3D%20iff%28publicIpCount%20%3E%200%2Ctrue%2Cfalse%29%0A%7C%20extend%20vmssHasPublicIPs%20%3D%20iff%28isnotempty%28vmssHasPublicIPConfig%29%2CvmssHasPublicIPConfig%2Cfalse%29%0A%7C%20extend%20warnings%20%3D%20dynamic%28%5B%5D%29%0A%7C%20extend%20errors%20%3D%20dynamic%28%5B%5D%29%0A%7C%20extend%20warnings%20%3D%20iff%28vmssHasPublicIPs%2Carray_concat%28warnings%2Cdynamic%28%5B%27VMSS%20instances%20have%20Public%20IPs%3A%20VMSS%20Public%20IPs%20will%20change%20during%20migration%27%2C%27VMSS%20instances%20have%20Public%20IPs%3A%20NSGs%20will%20be%20required%20for%20internet%20access%20through%20VMSS%20instance%20public%20IPs%20once%20upgraded%20to%20Standard%20SKU%27%5D%29%29%2Cwarnings%29%0A%7C%20extend%20warnings%20%3D%20iff%28vmsHavePublicIPs%2Carray_concat%28warnings%2Cdynamic%28%5B%27VMs%20have%20Public%20IPs%3A%20NSGs%20will%20be%20required%20for%20internet%20access%20through%20VM%20public%20IPs%20once%20upgraded%20to%20Standard%20SKU%27%5D%29%29%2Cwarnings%29%0A%7C%20extend%20warnings%20%3D%20iff%28%28internalOrExternal%20%3D%3D%20%27Internal%27%20and%20not%28vmsHavePublicIPs%29%29%2Carray_concat%28warnings%2Cdynamic%28%5B%27Internal%20Load%20Balancer%3A%20LB%20is%20internal%20and%20VMs%20do%20not%20have%20Public%20IPs.%20Unless%20internet%20traffic%20is%20already%20%20being%20routed%20through%20an%20NVA%2C%20VMs%20will%20have%20no%20internet%20connectivity%20post-migration%20without%20additional%20action.%27%5D%29%29%2Cwarnings%29%0A%7C%20extend%20warnings%20%3D%20iff%28%28internalOrExternal%20%3D%3D%20%27Internal%27%20and%20not%28vmssHasPublicIPs%29%29%2Carray_concat%28warnings
%2Cdynamic%28%5B%27Internal%20Load%20Balancer%3A%20LB%20is%20internal%20and%20VMSS%20instances%20do%20not%20have%20Public%20IPs.%20Unless%20internet%20traffic%20is%20already%20being%20routed%20through%20an%20NVA%2C%20VMSS%20instances%20will%20have%20no%20internet%20connectivity%20post-migration%20without%20additional%20action.%27%5D%29%29%2Cwarnings%29%0A%7C%20extend%20warnings%20%3D%20iff%28%28internalOrExternal%20%3D%3D%20%27External%27%20and%20backendPoolCount%20%3E%201%29%2Carray_concat%28warnings%2Cdynamic%28%5B%27External%20Load%20Balancer%3A%20LB%20is%20external%20and%20has%20multiple%20backend%20pools.%20Outbound%20rules%20will%20not%20be%20created%20automatically.%27%5D%29%29%2Cwarnings%29%0A%7C%20extend%20warnings%20%3D%20iff%28%28%28vmsHavePublicIPs%20or%20internalOrExternal%20%3D%3D%20%27External%27%29%20and%20not%28allVMNicsHaveNSGs%29%29%2Carray_concat%28warnings%2Cdynamic%28%5B%27VMs%20Missing%20NSGs%3A%20Not%20all%20VM%20NICs%20or%20subnets%20have%20associated%20NSGs.%20An%20NSG%20will%20be%20created%20to%20allow%20load%20balanced%20traffic%2C%20but%20it%20is%20preferred%20that%20you%20create%20and%20associate%20an%20NSG%20before%20starting%20the%20migration.%27%5D%29%29%2Cwarnings%29%0A%7C%20extend%20warnings%20%3D%20iff%28%28%28vmssHasPublicIPs%20or%20internalOrExternal%20%3D%3D%20%27External%27%29%20and%20not%28allVMSSNicsHaveNSGs%29%29%2Carray_concat%28warnings%2Cdynamic%28%5B%27VMSS%20Missing%20NSGs%3A%20Not%20all%20VMSS%20NICs%20or%20subnets%20have%20associated%20NSGs.%20An%20NSG%20will%20be%20created%20to%20allow%20load%20balanced%20traffic%2C%20but%20it%20is%20preferred%20that%20you%20create%20and%20associate%20an%20NSG%20before%20starting%20the%20migration.%27%5D%29%29%2Cwarnings%29%0A%7C%20extend%20warnings%20%3D%20iff%28%28bag_keys%28tags%29%20contains%20%27resourceType%27%20and%20tags%5B%27resourceType%27%5D%20%3D%3D%20%27Service%20Fabric%27%29%2Carray_concat%28warnings%2Cdynamic%28%5B%27Service%20Fabric%20LB%3A%20LB%20appears%20to%20be%2
0in%20front%20of%20a%20Service%20Fabric%20Cluster.%20Unmanaged%20SF%20clusters%20may%20take%20an%20hour%20or%20more%20to%20migrate%3B%20managed%20are%20not%20supported%27%5D%29%29%2Cwarnings%29%0A%7C%20extend%20warningCount%20%3D%20array_length%28warnings%29%0A%7C%20extend%20errors%20%3D%20iff%28%28internalOrExternal%20%3D%3D%20%27External%27%20and%20lbHasIPv6PublicIP%29%2Carray_concat%28errors%2Cdynamic%28%5B%27External%20Load%20Balancer%20has%20IPv6%3A%20LB%20is%20external%20and%20has%20an%20IPv6%20Public%20IP.%20Basic%20SKU%20IPv6%20public%20IPs%20cannot%20be%20upgraded%20to%20Standard%20SKU%27%5D%29%29%2Cerrors%29%0A%7C%20extend%20errors%20%3D%20iff%28%28id%20matches%20regex%20%40%27%2F%28kubernetes%7Ckubernetes-internal%29%5E%27%20or%20%28bag_keys%28tags%29%20contains%20%27aks-managed-cluster-name%27%29%29%2Carray_concat%28errors%2Cdynamic%28%5B%27AKS%20Load%20Balancer%3A%20Load%20balancer%20appears%20to%20be%20in%20front%20of%20a%20Kubernetes%20cluster%2C%20which%20is%20not%20supported%20for%20migration%27%5D%29%29%2Cerrors%29%0A%7C%20extend%20errorCount%20%3D%20array_length%28errors%29%0A%7C%20project%20id%2CinternalOrExternal%2Cwarnings%2Cerrors%2CwarningCount%2CerrorCount%2CsubscriptionId%2CresourceGroup%0A%7C%20sort%20by%20errorCount%2CwarningCount%0A%7C%20project-away%20errorCount%2CwarningCount). + ## Next steps - [If skipped, migrate from using NAT Pools to NAT Rules for Virtual Machine Scale Sets](load-balancer-nat-pool-migration.md) diff --git a/articles/machine-learning/concept-onnx.md b/articles/machine-learning/concept-onnx.md index 06346db0aec91..8e0257f6a3118 100644 --- a/articles/machine-learning/concept-onnx.md +++ b/articles/machine-learning/concept-onnx.md 
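Review bot: the "more complex query" is embedded in full as a multi-kilobyte URL-encoded Resource Graph Explorer link, which can't be reviewed inline and will silently drift from the copy in the linked GitHub file (`utilities/migration_graph_query.txt`) the next time that file changes. Suggest linking only to the GitHub file and telling readers to paste it into Azure Resource Graph Explorer, or pointing the portal link at a short link that the repo controls. The warning strings inside that encoded query ("NSGs will be required for internet access through VM public IPs once upgraded to Standard SKU", "An NSG will be created to allow load balanced traffic, but it is preferred that you create and associate an NSG before starting the migration") are the most consequential part of the readiness check, so the prose above the link should state that Standard SKU requires an NSG for inbound and internet access rather than leaving it for readers who decode the URL. Style: "We have also written a more complex query which assesses" should be "A more complex query assesses ..." to match the article's voice, and "will list" should be "lists".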
@@ -5,90 +5,98 @@ description: Learn how using the Open Neural Network Exchange (ONNX) can help op services: machine-learning ms.service: machine-learning ms.subservice: core -ms.topic: conceptual +ms.topic: concept-article ms.author: kritifaujdar author: fkriti ms.reviewer: mopeakande -ms.date: 11/04/2022 +ms.date: 03/18/2024 + +#customer intent: As a data scientist, I want learn how to use ONNX to create machine learning models and accelerate inferencing. --- -# ONNX and Azure Machine Learning: Create and accelerate ML models +# ONNX and Azure Machine Learning + +Learn how use of the [Open Neural Network Exchange](https://onnx.ai) (ONNX) can help to optimize the inference of your machine learning model. _Inference_ or _model scoring_, is the process of using a deployed model to generate predictions on production data. -Learn how using the [Open Neural Network Exchange](https://onnx.ai) (ONNX) can help optimize the inference of your machine learning model. Inference, or model scoring, is the phase where the deployed model is used for prediction, most commonly on production data. +Optimizing machine learning models for inference requires you to tune the model and the inference library to make the most of the hardware capabilities. This task becomes complex if you want to get optimal performance on different kinds of platforms such as cloud or edge, CPU or GPU, and so on, since each platform has different capabilities and characteristics. The complexity increases if you have models from various frameworks that need to run on different platforms. It can be time-consuming to optimize all the different combinations of frameworks and hardware. Therefore, a useful solution is to train your model once in your preferred framework and then run it anywhere on the cloud or edge—this solution is where ONNX comes in. 
-Optimizing machine learning models for inference (or model scoring) is difficult since you need to tune the model and the inference library to make the most of the hardware capabilities. The problem becomes extremely hard if you want to get optimal performance on different kinds of platforms (cloud/edge, CPU/GPU, etc.), since each one has different capabilities and characteristics. The complexity increases if you have models from a variety of frameworks that need to run on a variety of platforms. It's very time consuming to optimize all the different combinations of frameworks and hardware. A solution to train once in your preferred framework and run anywhere on the cloud or edge is needed. This is where ONNX comes in. +## What is ONNX? -Microsoft and a community of partners created ONNX as an open standard for representing machine learning models. Models from [many frameworks](https://onnx.ai/supported-tools) including TensorFlow, PyTorch, SciKit-Learn, Keras, Chainer, MXNet, MATLAB, and SparkML can be exported or converted to the standard ONNX format. Once the models are in the ONNX format, they can be run on a variety of platforms and devices. +Microsoft and a community of partners created ONNX as an open standard for representing machine learning models. Models from [many frameworks](https://onnx.ai/supported-tools) including TensorFlow, PyTorch, scikit-learn, Keras, Chainer, MXNet, and MATLAB can be exported or converted to the standard ONNX format. Once the models are in the ONNX format, they can be run on various platforms and devices. -[ONNX Runtime](https://onnxruntime.ai) is a high-performance inference engine for deploying ONNX models to production. It's optimized for both cloud and edge and works on Linux, Windows, and Mac. Written in C++, it also has C, Python, C#, Java, and JavaScript (Node.js) APIs for usage in a variety of environments. 
ONNX Runtime supports both DNN and traditional ML models and integrates with accelerators on different hardware such as TensorRT on NVidia GPUs, OpenVINO on Intel processors, DirectML on Windows, and more. By using ONNX Runtime, you can benefit from the extensive production-grade optimizations, testing, and ongoing improvements. +[ONNX Runtime](https://onnxruntime.ai) is a high-performance inference engine for deploying ONNX models to production. It's optimized for both cloud and edge and works on Linux, Windows, and Mac. While ONNX is written in C++, it also has C, Python, C#, Java, and JavaScript (Node.js) APIs for usage in many environments. ONNX Runtime supports both deep neural networks (DNN) and traditional machine learning models, and it integrates with accelerators on different hardware such as TensorRT on Nvidia GPUs, OpenVINO on Intel processors, and DirectML on Windows. By using ONNX Runtime, you can benefit from the extensive production-grade optimizations, testing, and ongoing improvements. -ONNX Runtime is used in high-scale Microsoft services such as Bing, Office, and Azure AI. Performance gains are dependent on a number of factors, but these Microsoft services have seen an __average 2x performance gain on CPU__. In addition to Azure Machine Learning services, ONNX Runtime also runs in other products that support Machine Learning workloads, including: -+ Windows: The runtime is built into Windows as part of [Windows Machine Learning](/windows/ai/windows-ml/) and runs on hundreds of millions of devices. -+ Azure SQL product family: Run native scoring on data in [Azure SQL Edge](../azure-sql-edge/onnx-overview.md) and [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/machine-learning-services-overview). -+ ML.NET: [Run ONNX models in ML.NET](/dotnet/machine-learning/tutorials/object-detection-onnx). +ONNX Runtime is used in high-scale Microsoft services such as Bing, Office, and Azure AI. 
Although performance gains depend on many factors, these Microsoft services report an __average 2x performance gain on CPU__. In addition to Azure Machine Learning services, ONNX Runtime also runs in other products that support Machine Learning workloads, including: +- __Windows__: The runtime is built into Windows as part of [Windows Machine Learning](/windows/ai/windows-ml/) and runs on hundreds of millions of devices. +- __Azure SQL product family__: Run native scoring on data in [Azure SQL Edge](../azure-sql-edge/onnx-overview.md) and [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/machine-learning-services-overview). +- __ML.NET__: [Run ONNX models in ML.NET](/dotnet/machine-learning/tutorials/object-detection-onnx). -[![ONNX flow diagram showing training, converters, and deployment](./media/concept-onnx/onnx.png)](././media/concept-onnx/onnx.png#lightbox) +:::image type="content" source="media/concept-onnx/onnx.png" alt-text="ONNX flow diagram showing training, converters, and deployment." lightbox="media/concept-onnx/onnx.png"::: -## Get ONNX models +## How to obtain ONNX models You can obtain ONNX models in several ways: -+ Train a new ONNX model in Azure Machine Learning (see examples at the bottom of this article) or by using [automated Machine Learning capabilities](concept-automated-ml.md#automl--onnx) -+ Convert existing model from another format to ONNX (see the [tutorials](https://github.com/onnx/tutorials)) -+ Get a pre-trained ONNX model from the [ONNX Model Zoo](https://github.com/onnx/models) -+ Generate a customized ONNX model from [Azure AI Custom Vision service](../ai-services/custom-vision-service/index.yml) -Many models including image classification, object detection, and text processing can be represented as ONNX models. If you run into an issue with a model that cannot be converted successfully, please file an issue in the GitHub of the respective converter that you used. 
You can continue using your existing format model until the issue is addressed. +- Train a new ONNX model in Azure Machine Learning (as described in the [examples](#examples) section of this article) or by using [automated machine learning capabilities](concept-automated-ml.md#automl--onnx). +- Convert an existing model from another format to ONNX as shown in these [tutorials](https://github.com/onnx/tutorials). +- Get a pretrained ONNX model from the [ONNX Model Zoo](https://github.com/onnx/models). +- Generate a customized ONNX model from [Azure AI Custom Vision service](../ai-services/custom-vision-service/index.yml). + +Many models, including image classification, object detection, and text processing models can be represented as ONNX models. If you run into an issue with a model that can't be converted successfully, file a GitHub issue in the repository of the converter that you used. You can continue using your existing model format until the issue is addressed. + +## ONNX model deployment in Azure -## Deploy ONNX models in Azure +With Azure Machine Learning, you can deploy, manage, and monitor your ONNX models. Using the standard [MLOps deployment workflow](concept-model-management-and-deployment.md) and ONNX Runtime, you can create a REST endpoint hosted in the cloud. For hands-on examples, see these [Jupyter notebooks](#examples). -With Azure Machine Learning, you can deploy, manage, and monitor your ONNX models. Using the standard [deployment workflow](concept-model-management-and-deployment.md) and ONNX Runtime, you can create a REST endpoint hosted in the cloud. See example Jupyter notebooks at the end of this article to try it out for yourself. +### Installation and use of ONNX Runtime with Python -### Install and use ONNX Runtime with Python +Python packages for ONNX Runtime are available on [PyPi.org](https://pypi.org) ([CPU](https://pypi.org/project/onnxruntime) and [GPU](https://pypi.org/project/onnxruntime-gpu)). 
Be sure to review the [system requirements](https://github.com/Microsoft/onnxruntime#system-requirements) before installation. -Python packages for ONNX Runtime are available on [PyPi.org](https://pypi.org) ([CPU](https://pypi.org/project/onnxruntime), [GPU](https://pypi.org/project/onnxruntime-gpu)). Please read [system requirements](https://github.com/Microsoft/onnxruntime#system-requirements) before installation. +To install ONNX Runtime for Python, use one of the following commands: - To install ONNX Runtime for Python, use one of the following commands: ```python pip install onnxruntime # CPU build pip install onnxruntime-gpu # GPU build ``` -To call ONNX Runtime in your Python script, use: +To call ONNX Runtime in your Python script, use: + ```python import onnxruntime session = onnxruntime.InferenceSession("path to model") ``` -The documentation accompanying the model usually tells you the inputs and outputs for using the model. You can also use a visualization tool such as [Netron](https://github.com/lutzroeder/Netron) to view the model. ONNX Runtime also lets you query the model metadata, inputs, and outputs: +The documentation accompanying the model usually tells you the inputs and outputs for using the model. You can also use a visualization tool such as [Netron](https://github.com/lutzroeder/Netron) to view the model. ONNX Runtime also lets you query the model metadata, inputs, and outputs as follows: + ```python session.get_modelmeta() first_input_name = session.get_inputs()[0].name first_output_name = session.get_outputs()[0].name ``` -To inference your model, use `run` and pass in the list of outputs you want returned (leave empty if you want all of them) and a map of the input values. The result is a list of the outputs. +To perform inferencing on your model, use `run` and pass in the list of outputs you want returned (or leave the list empty if you want all of them) and a map of the input values. The result is a list of the outputs. 
+ ```python results = session.run(["output1", "output2"], { "input1": indata1, "input2": indata2}) results = session.run([], {"input1": indata1, "input2": indata2}) ``` -For the complete Python API reference, see the [ONNX Runtime reference docs](https://onnxruntime.ai/docs/api/python/api_summary.html). +For the complete Python API reference, see the [ONNX Runtime reference docs](https://onnxruntime.ai/docs/api/python/api_summary.html). ## Examples -See [how-to-use-azureml/deployment/onnx](https://github.com/Azure/MachineLearningNotebooks/blob/master/how-to-use-azureml/deployment/onnx) for example Python notebooks that create and deploy ONNX models. - -[!INCLUDE [aml-clone-in-azure-notebook](includes/aml-clone-for-examples.md)] -Samples for usage in other languages can be found in the [ONNX Runtime GitHub](https://github.com/microsoft/onnxruntime/tree/master/samples). +- For example Python notebooks that create and deploy ONNX models, see [how-to-use-azureml/deployment/onnx](https://github.com/Azure/MachineLearningNotebooks/blob/master/how-to-use-azureml/deployment/onnx). +- [!INCLUDE [aml-clone-in-azure-notebook](includes/aml-clone-for-examples.md)] +- For samples that show ONNX usage in other languages, see the [ONNX Runtime GitHub](https://github.com/microsoft/onnxruntime/tree/master/samples). -## More info +## Related content Learn more about **ONNX** or contribute to the project: -+ [ONNX project website](https://onnx.ai) -+ [ONNX code on GitHub](https://github.com/onnx/onnx) +- [ONNX project website](https://onnx.ai) +- [ONNX code on GitHub](https://github.com/onnx/onnx) Learn more about **ONNX Runtime** or contribute to the project: -+ [ONNX Runtime project website](https://onnxruntime.ai) -+ [ONNX Runtime GitHub Repo](https://github.com/Microsoft/onnxruntime) +- [ONNX Runtime project website](https://onnxruntime.ai) +- [ONNX Runtime GitHub Repo](https://github.com/Microsoft/onnxruntime) 
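Review bot: the rewritten ONNX Runtime paragraph misattributes the implementation language. The removed line said ONNX Runtime is "Written in C++"; the new "While ONNX is written in C++, it also has C, Python, C#, Java, and JavaScript (Node.js) APIs" says that of ONNX, which is a model format, not a program. Suggest "ONNX Runtime is written in C++, but it also has C, Python, C#, Java, and JavaScript (Node.js) APIs for use in many environments." Also in this hunk: "Learn how use of the [Open Neural Network Exchange](https://onnx.ai) (ONNX) can help" should be "Learn how using the ..."; the sentence ending "run it anywhere on the cloud or edge—this solution is where ONNX comes in" would read better split into two sentences; and the `pip install onnxruntime` block is fenced as ```python although it contains shell commands, so it should be ```bash (or ```console) so readers don't paste it into a Python session.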
diff --git a/articles/machine-learning/how-to-identity-based-service-authentication.md b/articles/machine-learning/how-to-identity-based-service-authentication.md index 319e1cec9bccc..28ff7a7b58ffd 100644 --- a/articles/machine-learning/how-to-identity-based-service-authentication.md +++ b/articles/machine-learning/how-to-identity-based-service-authentication.md @@ -35,6 +35,17 @@ Azure Machine Learning is composed of multiple Azure services. There are multipl * You must be familiar with creating and working with [Managed Identities](../active-directory/managed-identities-azure-resources/overview.md). +## Azure Container Registry supported configurations + +The following table lists the supported configurations when authenticating to __Azure Container Registry__, depending on the authentication method and the __public network access__ workspace flag. + +| Authentication method | Public network access
disabled | Public network access
enabled | +| ---- | :----: | :----: | +| Admin user | ✓ | ✓ | +| Workspace system-assigned managed identity | ✓ | ✓ | +| Workspace system-assigned and user-assigned managed identity
with the ACRPull role assigned to the identity | | ✓ | +| Compute system-assigned or user-assigned managed identity
with the ACRPull role assigned to the identity | | | + ## User-assigned managed identity ### Workspace diff --git a/articles/machine-learning/how-to-secure-training-vnet.md b/articles/machine-learning/how-to-secure-training-vnet.md index e0f350cb27772..6fb58b9a31f39 100644 --- a/articles/machine-learning/how-to-secure-training-vnet.md +++ b/articles/machine-learning/how-to-secure-training-vnet.md @@ -248,6 +248,9 @@ compute = AmlCompute( ml_client.begin_create_or_update(entity=compute) ``` +> [!NOTE] +> When configuring the **subnet** within NetworkSettings class, it should be either the name of the subnet when creating a new VNet or referencing an existing one, or the fully qualified resource ID of a subnet in an existing VNet. Do not specify **vnet_name** if the subnet ID is specified. The subnet ID can refer to a VNet/subnet in another resource group. + # [Studio](#tab/azure-studio) 1. Sign in to the [Azure Machine Learning studio](https://ml.azure.com), and then select your subscription and workspace. @@ -416,6 +419,9 @@ compute = AmlCompute( ml_client.begin_create_or_update(entity=compute) ``` +> [!NOTE] +> When configuring the **subnet** within NetworkSettings class, it should be either the name of the subnet when creating a new VNet or referencing an existing one, or the fully qualified resource ID of a subnet in an existing VNet. Do not specify **vnet_name** if the subnet ID is specified. The subnet ID can refer to a VNet/subnet in another resource group. + # [Studio](#tab/azure-studio) 1. Sign in to the [Azure Machine Learning studio](https://ml.azure.com), and then select your subscription and workspace. diff --git a/articles/machine-learning/v1/how-to-deploy-inferencing-gpus.md b/articles/machine-learning/v1/how-to-deploy-inferencing-gpus.md index d75d4e1fc0d4f..da042deebe85b 100644 --- a/articles/machine-learning/v1/how-to-deploy-inferencing-gpus.md +++ b/articles/machine-learning/v1/how-to-deploy-inferencing-gpus.md 
@@ -291,5 +291,5 @@ aks_target.delete() ## Next steps * [Deploy model on FPGA](how-to-deploy-fpga-web-service.md) -* [Deploy model with ONNX](../concept-onnx.md#deploy-onnx-models-in-azure) +* [Deploy model with ONNX](../concept-onnx.md#onnx-model-deployment-in-azure) * [Train TensorFlow DNN Models](../how-to-train-tensorflow.md) diff --git a/articles/network-watcher/.openpublishing.redirection.network-watcher.json b/articles/network-watcher/.openpublishing.redirection.network-watcher.json index c9782def29613..cdbfc363bb663 100644 --- a/articles/network-watcher/.openpublishing.redirection.network-watcher.json +++ b/articles/network-watcher/.openpublishing.redirection.network-watcher.json 
@@ -1,5 +1,35 @@ { "redirections": [ + { + "source_path_from_root": "/articles/network-watcher/network-watcher-nsg-flow-logging-overview.md", + "redirect_url": "/azure/network-watcher/nsg-flow-logs-overview", + "redirect_document_id": true + }, + { + "source_path_from_root": "/articles/network-watcher/nsg-flow-logging.md", + "redirect_url": "/azure/network-watcher/nsg-flow-logs-portal", + "redirect_document_id": true + }, + { + "source_path_from_root": "/articles/network-watcher/network-watcher-nsg-flow-logging-powershell.md", + "redirect_url": "/azure/network-watcher/nsg-flow-logs-powershell", + "redirect_document_id": true + }, + { + "source_path_from_root": "/articles/network-watcher/network-watcher-nsg-flow-logging-cli.md", + "redirect_url": "/azure/network-watcher/nsg-flow-logs-cli", + "redirect_document_id": true + }, + { + "source_path_from_root": "/articles/network-watcher/network-watcher-nsg-flow-logging-rest.md", + "redirect_url": "/azure/network-watcher/nsg-flow-logs-rest", + "redirect_document_id": true + }, + { + "source_path_from_root": "/articles/network-watcher/network-watcher-nsg-flow-logging-azure-resource-manager.md", + "redirect_url": "/azure/network-watcher/nsg-flow-logs-azure-resource-manager", + "redirect_document_id": true + }, { "source_path_from_root": "/articles/network-watcher/network-watcher-connectivity-powershell.md", "redirect_url": "/azure/network-watcher/connection-troubleshoot-powershell", diff --git a/articles/network-watcher/connection-troubleshoot-overview.md b/articles/network-watcher/connection-troubleshoot-overview.md index 680ec1f59e79d..dd322e9a663e1 100644 --- a/articles/network-watcher/connection-troubleshoot-overview.md +++ b/articles/network-watcher/connection-troubleshoot-overview.md 
@@ -37,9 +37,10 @@ Connection troubleshoot provides the capability to check TCP or ICMP connections - Application gateways (except v1) > [!IMPORTANT] -> Connection troubleshoot requires that the virtual machine you troubleshoot from has the `AzureNetworkWatcherExtension` extension installed. The extension is not required on the destination virtual machine. -> - To install the extension on a Windows VM, see [Azure Network Watcher Agent virtual machine extension for Windows](../virtual-machines/extensions/network-watcher-windows.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json). -> - To install the extension on a Linux VM, see [Azure Network Watcher Agent virtual machine extension for Linux](../virtual-machines/extensions/network-watcher-linux.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json). +> Connection troubleshoot requires that the virtual machine you troubleshoot from has the *Network Watcher agent VM extension* installed. The extension is not required on the destination virtual machine. +> - To install the extension on a Windows VM, see [Azure Network Watcher agent VM extension for Windows](../virtual-machines/extensions/network-watcher-windows.md?toc=/azure/network-watcher/toc.json&bc=/azure/network-watcher/breadcrumb/toc.json). +> - To install the extension on a Linux VM, see [Azure Network Watcher agent VM extension for Linux](../virtual-machines/extensions/network-watcher-linux.md?toc=/azure/network-watcher/toc.json&bc=/azure/network-watcher/breadcrumb/toc.json). +> - To update an already installed extension, see [Update Network Watcher agent VM extension to the latest version](../virtual-machines/extensions/network-watcher-update.md?toc=/azure/network-watcher/toc.json&bc=/azure/network-watcher/breadcrumb/toc.json). Connection troubleshoot can test connections to any of these destinations: 
@@ -151,4 +152,4 @@ Connection troubleshoot returns fault types about the connection. The following To learn how to use connection troubleshoot to test and troubleshoot connections, continue to: > [!div class="nextstepaction"] -> [Troubleshoot connections using the Azure portal](connection-troubleshoot-portal.md) \ No newline at end of file +> [Troubleshoot connections using the Azure portal](connection-troubleshoot-portal.md) diff --git a/articles/network-watcher/connection-troubleshoot-portal.md b/articles/network-watcher/connection-troubleshoot-portal.md index 441d6b4390ff9..53a0595a66b8f 100644 --- a/articles/network-watcher/connection-troubleshoot-portal.md +++ b/articles/network-watcher/connection-troubleshoot-portal.md @@ -6,9 +6,9 @@ author: halkazwini ms.author: halkazwini ms.service: network-watcher ms.topic: how-to -ms.date: 03/15/2024 +ms.date: 03/18/2024 -#CustomerIntent: As an Azure administrator, I want to learn how to use Connection Troubleshoot to diagnose connectivity problems in Azure. +#CustomerIntent: As an Azure administrator, I want to learn how to use Connection Troubleshoot to diagnose outbound connectivity issues in Azure using the Azure portal. --- # Troubleshoot outbound connections using the Azure portal 
@@ -18,13 +18,21 @@ In this article, you learn how to use the connection troubleshoot feature of Azu ## Prerequisites - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). -- Network Watcher enabled in the region of the virtual machine (VM) you want to troubleshoot. For more information, see [Enable or disable Azure Network Watcher](network-watcher-create.md). -- A virtual machine with Network Watcher agent VM extension installed on it. To manually install the agent, see [Network Watcher Agent virtual machine extension for Windows](../virtual-machines/extensions/network-watcher-windows.md?toc=/azure/network-watcher/toc.json&bc=/azure/network-watcher/breadcrumb/toc.json) or [Network Watcher Agent virtual machine extension for Linux](../virtual-machines/extensions/network-watcher-linux.md?toc=/azure/network-watcher/toc.json&bc=/azure/network-watcher/breadcrumb/toc.json). To update an already installed agent, see [Update Azure Network Watcher extension to the latest version](../virtual-machines/extensions/network-watcher-update.md?toc=/azure/network-watcher/toc.json&bc=/azure/network-watcher/breadcrumb/toc.json). + +- Network Watcher enabled in the region of the virtual machine (VM) you want to troubleshoot. By default, Azure enables Network Watcher in a region when you create a virtual network in it. For more information, see [Enable or disable Azure Network Watcher](network-watcher-create.md). + +- A virtual machine with Network Watcher agent VM extension installed on it and the following outbound TCP connectivity: + - to the storage account over port 443 + - to 169.254.169.254 over port 80 + - to 168.63.129.16 over port 8037 + - A second virtual machine with inbound TCP connectivity from 168.63.129.16 over the port being tested (for Port scanner diagnostic test). > [!NOTE] -> - By default, Azure enables Network Watcher in a region when you create a virtual network in it. 
-> - When you use connection troubleshoot, Azure automatically installs the Network Watcher agent VM extension on the source virtual machine if it's not already installed. +> When you use connection troubleshoot, Azure portal automatically installs the Network Watcher agent VM extension on the source virtual machine if it's not already installed. +> - To install the extension on a Windows virtual machine, see [Network Watcher agent VM extension for Windows](../virtual-machines/extensions/network-watcher-windows.md?toc=/azure/network-watcher/toc.json&bc=/azure/network-watcher/breadcrumb/toc.json). +> - To install the extension on a Linux virtual machine, see [Network Watcher agent VM extension for Linux](../virtual-machines/extensions/network-watcher-linux.md?toc=/azure/network-watcher/toc.json&bc=/azure/network-watcher/breadcrumb/toc.json). +> - To update an already installed extension, see [Update Network Watcher agent VM extension to the latest version](../virtual-machines/extensions/network-watcher-update.md?toc=/azure/network-watcher/toc.json&bc=/azure/network-watcher/breadcrumb/toc.json). ## Test connectivity to a virtual machine diff --git a/articles/network-watcher/connection-troubleshoot-powershell.md b/articles/network-watcher/connection-troubleshoot-powershell.md index 63f9e118046eb..cde0e4c989e6d 100644 --- a/articles/network-watcher/connection-troubleshoot-powershell.md +++ b/articles/network-watcher/connection-troubleshoot-powershell.md 
@@ -20,20 +20,25 @@ In this article, you learn how to use the connection troubleshoot feature of Azu - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). -- Azure Cloud Shell or Azure PowerShell. +- Network Watcher enabled in the region of the virtual machine (VM) you want to troubleshoot. By default, Azure enables Network Watcher in a region when you create a virtual network in it. For more information, see [Enable or disable Azure Network Watcher](network-watcher-create.md). - The steps in this article run the Azure PowerShell cmdlets interactively in [Azure Cloud Shell](/azure/cloud-shell/overview). To run the commands in the Cloud Shell, select **Open Cloudshell** at the upper-right corner of a code block. Select **Copy** to copy the code and then paste it into Cloud Shell to run it. You can also run the Cloud Shell from within the Azure portal. +- A virtual machine with Network Watcher agent VM extension installed on it and the following outbound TCP connectivity: + - to the storage account over port 443 + - to 169.254.169.254 over port 80 + - to 168.63.129.16 over port 8037 - You can also [install Azure PowerShell locally](/powershell/azure/install-azure-powershell) to run the cmdlets. This article requires the Azure PowerShell `Az` module. To find the installed version, run `Get-Module -ListAvailable Az`. If you run PowerShell locally, sign in to Azure using the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) cmdlet. +- A second virtual machine with inbound TCP connectivity from 168.63.129.16 over the port being tested (for Port scanner diagnostic test). -- Network Watcher enabled in the region of the virtual machine (VM) you want to troubleshoot. For more information, see [Enable or disable Azure Network Watcher](network-watcher-create.md). +- Azure Cloud Shell or Azure PowerShell. -- A virtual machine with Network Watcher agent VM extension installed on it. 
To install the extension, see [Network Watcher Agent virtual machine extension for Windows](../virtual-machines/extensions/network-watcher-windows.md?toc=/azure/network-watcher/toc.json&bc=/azure/network-watcher/breadcrumb/toc.json) or [Network Watcher Agent virtual machine extension for Linux](../virtual-machines/extensions/network-watcher-linux.md?toc=/azure/network-watcher/toc.json&bc=/azure/network-watcher/breadcrumb/toc.json). To update an already installed extension, see [Update Azure Network Watcher extension to the latest version](../virtual-machines/extensions/network-watcher-update.md?toc=/azure/network-watcher/toc.json&bc=/azure/network-watcher/breadcrumb/toc.json). + The steps in this article run the Azure PowerShell cmdlets interactively in [Azure Cloud Shell](/azure/cloud-shell/overview). To run the commands in the Cloud Shell, select **Open Cloud Shell** at the upper-right corner of a code block. Select **Copy** to copy the code and then paste it into Cloud Shell to run it. You can also run the Cloud Shell from within the Azure portal. -- A second virtual machine with inbound TCP connectivity from 168.63.129.16 over the port being tested (for Port scanner diagnostic test). + You can also [install Azure PowerShell locally](/powershell/azure/install-azure-powershell) to run the cmdlets. This article requires the Azure PowerShell `Az` module. To find the installed version, run `Get-Module -ListAvailable Az`. If you run PowerShell locally, sign in to Azure using the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) cmdlet. > [!NOTE] -> - By default, Azure enables Network Watcher in a region when you create a virtual network in it. +> - To install the extension on a Windows virtual machine, see [Network Watcher agent VM extension for Windows](../virtual-machines/extensions/network-watcher-windows.md?toc=/azure/network-watcher/toc.json&bc=/azure/network-watcher/breadcrumb/toc.json). 
+> - To install the extension on a Linux virtual machine, see [Network Watcher agent VM extension for Linux](../virtual-machines/extensions/network-watcher-linux.md?toc=/azure/network-watcher/toc.json&bc=/azure/network-watcher/breadcrumb/toc.json). +> - To update an already installed extension, see [Update Network Watcher agent VM extension to the latest version](../virtual-machines/extensions/network-watcher-update.md?toc=/azure/network-watcher/toc.json&bc=/azure/network-watcher/breadcrumb/toc.json). ## Check connectivity to a virtual machine diff --git a/articles/network-watcher/index.yml b/articles/network-watcher/index.yml index 57b576cde1a90..ed5fd7ef5b1bc 100644 --- a/articles/network-watcher/index.yml +++ b/articles/network-watcher/index.yml @@ -81,7 +81,7 @@ landingContent: - linkListType: concept links: - text: NSG flow logs overview - url: network-watcher-nsg-flow-logging-overview.md + url: nsg-flow-logs-overview.md - text: VNet flow logs overview url: vnet-flow-logs-overview.md - linkListType: tutorial @@ -91,7 +91,7 @@ landingContent: - linkListType: how-to-guide links: - text: Manage NSG flow logs - url: nsg-flow-logging.md + url: nsg-flow-logs-portal.md - text: Manage VNet flow logs url: vnet-flow-logs-powershell.md diff --git a/articles/network-watcher/media/network-watcher-nsg-flow-logging-overview/nsg-flow-logs-portal.png b/articles/network-watcher/media/nsg-flow-logs-overview/nsg-flow-logs-portal.png similarity index 100% rename from articles/network-watcher/media/network-watcher-nsg-flow-logging-overview/nsg-flow-logs-portal.png rename to articles/network-watcher/media/nsg-flow-logs-overview/nsg-flow-logs-portal.png 
diff --git a/articles/network-watcher/media/network-watcher-nsg-flow-logging-overview/tuple.png b/articles/network-watcher/media/nsg-flow-logs-overview/tuple.png similarity index 100% rename from articles/network-watcher/media/network-watcher-nsg-flow-logging-overview/tuple.png rename to articles/network-watcher/media/nsg-flow-logs-overview/tuple.png diff --git a/articles/network-watcher/media/nsg-flow-logging/change-flow-log.png b/articles/network-watcher/media/nsg-flow-logs-portal/change-flow-log.png similarity index 100% rename from articles/network-watcher/media/nsg-flow-logging/change-flow-log.png rename to articles/network-watcher/media/nsg-flow-logs-portal/change-flow-log.png diff --git a/articles/network-watcher/media/nsg-flow-logging/create-nsg-flow-log-basics.png b/articles/network-watcher/media/nsg-flow-logs-portal/create-nsg-flow-log-basics.png similarity index 100% rename from articles/network-watcher/media/nsg-flow-logging/create-nsg-flow-log-basics.png rename to articles/network-watcher/media/nsg-flow-logs-portal/create-nsg-flow-log-basics.png diff --git a/articles/network-watcher/media/nsg-flow-logging/create-nsg-flow-log.png b/articles/network-watcher/media/nsg-flow-logs-portal/create-nsg-flow-log.png similarity index 100% rename from articles/network-watcher/media/nsg-flow-logging/create-nsg-flow-log.png rename to articles/network-watcher/media/nsg-flow-logs-portal/create-nsg-flow-log.png diff --git a/articles/network-watcher/media/nsg-flow-logging/delete-flow-log.png b/articles/network-watcher/media/nsg-flow-logs-portal/delete-flow-log.png similarity index 100% rename from articles/network-watcher/media/nsg-flow-logging/delete-flow-log.png rename to articles/network-watcher/media/nsg-flow-logs-portal/delete-flow-log.png 
diff --git a/articles/network-watcher/media/nsg-flow-logging/disable-flow-log.png b/articles/network-watcher/media/nsg-flow-logs-portal/disable-flow-log.png similarity index 100% rename from articles/network-watcher/media/nsg-flow-logging/disable-flow-log.png rename to articles/network-watcher/media/nsg-flow-logs-portal/disable-flow-log.png diff --git a/articles/network-watcher/media/nsg-flow-logging/enable-traffic-analytics.png b/articles/network-watcher/media/nsg-flow-logs-portal/enable-traffic-analytics.png similarity index 100% rename from articles/network-watcher/media/nsg-flow-logging/enable-traffic-analytics.png rename to articles/network-watcher/media/nsg-flow-logs-portal/enable-traffic-analytics.png diff --git a/articles/network-watcher/media/nsg-flow-logging/flow-log-settings.png b/articles/network-watcher/media/nsg-flow-logs-portal/flow-log-settings.png similarity index 100% rename from articles/network-watcher/media/nsg-flow-logging/flow-log-settings.png rename to articles/network-watcher/media/nsg-flow-logs-portal/flow-log-settings.png diff --git a/articles/network-watcher/media/nsg-flow-logging/flow-logs.png b/articles/network-watcher/media/nsg-flow-logs-portal/flow-logs.png similarity index 100% rename from articles/network-watcher/media/nsg-flow-logging/flow-logs.png rename to articles/network-watcher/media/nsg-flow-logs-portal/flow-logs.png diff --git a/articles/network-watcher/media/nsg-flow-logging/list-flow-logs.png b/articles/network-watcher/media/nsg-flow-logs-portal/list-flow-logs.png similarity index 100% rename from articles/network-watcher/media/nsg-flow-logging/list-flow-logs.png rename to articles/network-watcher/media/nsg-flow-logs-portal/list-flow-logs.png 
diff --git a/articles/network-watcher/media/nsg-flow-logging/register-microsoft-insights.png b/articles/network-watcher/media/nsg-flow-logs-portal/register-microsoft-insights.png similarity index 100% rename from articles/network-watcher/media/nsg-flow-logging/register-microsoft-insights.png rename to articles/network-watcher/media/nsg-flow-logs-portal/register-microsoft-insights.png diff --git a/articles/network-watcher/network-watcher-connectivity-cli.md b/articles/network-watcher/network-watcher-connectivity-cli.md index 5c2e33ca651f7..d78c1ac84f663 100644 --- a/articles/network-watcher/network-watcher-connectivity-cli.md +++ b/articles/network-watcher/network-watcher-connectivity-cli.md 
@@ -1,34 +1,44 @@ --- -title: Troubleshoot connections - Azure CLI +title: Troubleshoot outbound connections - Azure CLI titleSuffix: Azure Network Watcher -description: Learn how to use the connection troubleshoot capability of Azure Network Watcher using the Azure CLI. -services: network-watcher +description: Learn how to use the connection troubleshoot feature of Azure Network Watcher to troubleshoot outbound connections using the Azure CLI. author: halkazwini +ms.author: halkazwini ms.service: network-watcher ms.topic: how-to +ms.date: 03/18/2024 ms.custom: devx-track-azurecli -ms.date: 01/07/2021 -ms.author: halkazwini + +#CustomerIntent: As an Azure administrator, I want to learn how to use Connection Troubleshoot to diagnose outbound connectivity issues in Azure using the Azure CLI. --- -# Troubleshoot connections with Azure Network Watcher using the Azure CLI +# Troubleshoot outbound connections using the Azure CLI + +In this article, you learn how to use the connection troubleshoot feature of Azure Network Watcher to diagnose and troubleshoot connectivity issues. For more information about connection troubleshoot, see [Connection troubleshoot overview](connection-troubleshoot-overview.md). -> [!div class="op_single_selector"] -> - [PowerShell](network-watcher-connectivity-powershell.md) -> - [Azure CLI](network-watcher-connectivity-cli.md) -> - [Azure REST API](network-watcher-connectivity-rest.md) +## Prerequisites -Learn how to use connection troubleshoot to verify whether a direct TCP connection from a virtual machine to a given endpoint can be established. +- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). -## Before you begin +- Network Watcher enabled in the region of the virtual machine (VM) you want to troubleshoot. By default, Azure enables Network Watcher in a region when you create a virtual network in it. 
For more information, see [Enable or disable Azure Network Watcher](network-watcher-create.md). -This article assumes you have the following resources: +- A virtual machine with Network Watcher agent VM extension installed on it and the following outbound TCP connectivity: + - to the storage account over port 443 + - to 169.254.169.254 over port 80 + - to 168.63.129.16 over port 8037 -* An instance of Network Watcher in the region you want to troubleshoot a connection. -* Virtual machines to troubleshoot connections with. +- A second virtual machine with inbound TCP connectivity from 168.63.129.16 over the port being tested (for Port scanner diagnostic test). -> [!IMPORTANT] -> Connection troubleshoot requires that the VM you troubleshoot from has the `AzureNetworkWatcherExtension` VM extension installed. For installing the extension on a Windows VM visit [Azure Network Watcher Agent virtual machine extension for Windows](../virtual-machines/extensions/network-watcher-windows.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json) and for Linux VM visit [Azure Network Watcher Agent virtual machine extension for Linux](../virtual-machines/extensions/network-watcher-linux.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json). The extension is not required on the destination endpoint. +- Azure Cloud Shell or Azure CLI. + + The steps in this article run the Azure CLI commands interactively in [Azure Cloud Shell](/azure/cloud-shell/overview). To run the commands in the Cloud Shell, select **Open Cloud Shell** at the upper-right corner of a code block. Select **Copy** to copy the code, and paste it into Cloud Shell to run it. You can also run the Cloud Shell from within the Azure portal. + + You can also [install Azure CLI locally](/cli/azure/install-azure-cli) to run the commands. If you run Azure CLI locally, sign in to Azure using the [az login](/cli/azure/reference-index#az-login) command. 
+ +> [!NOTE] +> - To install the extension on a Windows virtual machine, see [Network Watcher agent VM extension for Windows](../virtual-machines/extensions/network-watcher-windows.md?toc=/azure/network-watcher/toc.json&bc=/azure/network-watcher/breadcrumb/toc.json). +> - To install the extension on a Linux virtual machine, see [Network Watcher agent VM extension for Linux](../virtual-machines/extensions/network-watcher-linux.md?toc=/azure/network-watcher/toc.json&bc=/azure/network-watcher/breadcrumb/toc.json). +> - To update an already installed extension, see [Update Network Watcher agent VM extension to the latest version](../virtual-machines/extensions/network-watcher-update.md?toc=/azure/network-watcher/toc.json&bc=/azure/network-watcher/breadcrumb/toc.json). ## Check connectivity to a virtual machine @@ -36,7 +46,7 @@ This example checks connectivity to a destination virtual machine over port 80. ### Example -```azurecli +```azurecli-interactive az network watcher test-connectivity --resource-group ContosoRG --source-resource MultiTierApp0 --dest-resource Database0 --dest-port 80 ``` @@ -117,7 +127,7 @@ This example checks connectivity between a virtual machine and a remote endpoint ### Example -```azurecli +```azurecli-interactive az network watcher test-connectivity --resource-group ContosoRG --source-resource MultiTierApp0 --dest-address 13.107.21.200 --dest-port 80 ``` @@ -175,7 +185,7 @@ The following example checks the connectivity to a website. ### Example -```azurecli +```azurecli-interactive az network watcher test-connectivity --resource-group ContosoRG --source-resource MultiTierApp0 --dest-address https://bing.com --dest-port 80 ``` @@ -221,7 +231,7 @@ The following example checks the connectivity from a virtual machine to a blog s ### Example -```azurecli +```azurecli-interactive az network watcher test-connectivity --resource-group ContosoRG --source-resource MultiTierApp0 --dest-address https://contosoexamplesa.blob.core.windows.net/ ``` 
@@ -260,8 +270,7 @@ The following json is the example response from running the previous cmdlet. As } ``` -## Next steps - -Learn how to automate packet captures with Virtual machine alerts by viewing [Create an alert triggered packet capture](network-watcher-alert-triggered-packet-capture.md) +## Next step -Find if certain traffic is allowed in or out of your VM by visiting [Check IP flow verify](diagnose-vm-network-traffic-filtering-problem.md) +> [!div class="nextstepaction"] +> [Manage packet captures](packet-capture-vm-cli.md) diff --git a/articles/network-watcher/network-watcher-overview.md b/articles/network-watcher/network-watcher-overview.md index f9c551a32e23c..4da8717ac798e 100644 --- a/articles/network-watcher/network-watcher-overview.md +++ b/articles/network-watcher/network-watcher-overview.md @@ -90,7 +90,7 @@ Network Watcher offers two traffic tools that help you log and visualize network ### Flow logs **Flow logs** allows you to log information about your Azure IP traffic and stores the data in Azure storage. You can log IP traffic flowing through a network security group or Azure virtual network. For more information, see: -- [NSG flow logs](network-watcher-nsg-flow-logging-overview.md) and [Log network traffic to and from a virtual machine](network-watcher-nsg-flow-logging-portal.md). +- [NSG flow logs](nsg-flow-logs-overview.md) and [Log network traffic to and from a virtual machine](nsg-flow-logs-portal.md). - [VNet flow logs (preview)](vnet-flow-logs-overview.md) and [Manage VNet flow logs](vnet-flow-logs-powershell.md). ### Traffic analytics diff --git a/articles/network-watcher/network-watcher-nsg-flow-logging-azure-resource-manager.md b/articles/network-watcher/nsg-flow-logs-azure-resource-manager.md similarity index 91% rename from articles/network-watcher/network-watcher-nsg-flow-logging-azure-resource-manager.md rename to articles/network-watcher/nsg-flow-logs-azure-resource-manager.md index 2c98ff2d0a42c..bacc418ac611b 100644 
--- a/articles/network-watcher/network-watcher-nsg-flow-logging-azure-resource-manager.md +++ b/articles/network-watcher/nsg-flow-logs-azure-resource-manager.md 
@@ -3,25 +3,18 @@ title: Manage NSG flow logs - ARM template titleSuffix: Azure Network Watcher description: Learn how to create or delete Azure Network Watcher NSG flow logs using an Azure Resource Manager template (ARM template). author: halkazwini +ms.author: halkazwini ms.service: network-watcher ms.topic: how-to ms.date: 06/01/2023 -ms.author: halkazwini -ms.custom: template-how-to, fasttrack-edit, engagement-fy23, devx-track-arm-template, engagement-fy23 +ms.custom: devx-track-arm-template, fasttrack-edit --- # Manage NSG flow logs using an Azure Resource Manager template -> [!div class="op_single_selector"] -> - [Azure portal](nsg-flow-logging.md) -> - [PowerShell](network-watcher-nsg-flow-logging-powershell.md) -> - [Azure CLI](network-watcher-nsg-flow-logging-cli.md) -> - [REST API](network-watcher-nsg-flow-logging-rest.md) -> - [ARM template](network-watcher-nsg-flow-logging-azure-resource-manager.md) - -Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. For more information about network security group flow logging, see [NSG flow logs overview](network-watcher-nsg-flow-logging-overview.md). +Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. For more information about network security group flow logging, see [NSG flow logs overview](nsg-flow-logs-overview.md). -In this article, you learn how to manage NSG flow logs programmatically using an Azure Resource Manager template and Azure PowerShell. You can learn how to manage an NSG flow log using the [Azure portal](nsg-flow-logging.md), [PowerShell](network-watcher-nsg-flow-logging-powershell.md), [Azure CLI](network-watcher-nsg-flow-logging-cli.md), or [REST API](network-watcher-nsg-flow-logging-rest.md). 
+In this article, you learn how to manage NSG flow logs programmatically using an Azure Resource Manager template and Azure PowerShell. You can learn how to manage an NSG flow log using the [Azure portal](nsg-flow-logging.md), [PowerShell](nsg-flow-logs-powershell.md), [Azure CLI](nsg-flow-logs-cli.md), or [REST API](nsg-flow-logs-rest.md). An [Azure Resource Manager template](../azure-resource-manager/templates/overview.md) is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project using declarative syntax. diff --git a/articles/network-watcher/network-watcher-nsg-flow-logging-cli.md b/articles/network-watcher/nsg-flow-logs-cli.md similarity index 93% rename from articles/network-watcher/network-watcher-nsg-flow-logging-cli.md rename to articles/network-watcher/nsg-flow-logs-cli.md index 771eef0a99ffa..6b22c72074920 100644 --- a/articles/network-watcher/network-watcher-nsg-flow-logging-cli.md +++ b/articles/network-watcher/nsg-flow-logs-cli.md 
@@ -7,21 +7,14 @@ ms.service: network-watcher ms.topic: how-to ms.date: 05/31/2023 ms.author: halkazwini -ms.custom: template-how-to, engagement-fy23, devx-track-azurecli +ms.custom: devx-track-azurecli --- # Manage NSG flow logs using the Azure CLI -> [!div class="op_single_selector"] -> - [Azure portal](nsg-flow-logging.md) -> - [PowerShell](network-watcher-nsg-flow-logging-powershell.md) -> - [Azure CLI](network-watcher-nsg-flow-logging-cli.md) -> - [REST API](network-watcher-nsg-flow-logging-rest.md) -> - [ARM template](network-watcher-nsg-flow-logging-azure-resource-manager.md) +Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. For more information about network security group flow logging, see [NSG flow logs overview](nsg-flow-logs-overview.md). -Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. For more information about network security group flow logging, see [NSG flow logs overview](network-watcher-nsg-flow-logging-overview.md). - -In this article, you learn how to create, change, disable, or delete an NSG flow log using the Azure CLI. You can learn how to manage an NSG flow log using the [Azure portal](nsg-flow-logging.md), [PowerShell](network-watcher-nsg-flow-logging-powershell.md), [REST API](network-watcher-nsg-flow-logging-rest.md), or [ARM template](network-watcher-nsg-flow-logging-azure-resource-manager.md). +In this article, you learn how to create, change, disable, or delete an NSG flow log using the Azure CLI. You can learn how to manage an NSG flow log using the [Azure portal](nsg-flow-logging.md), [PowerShell](nsg-flow-logs-powershell.md), [REST API](nsg-flow-logs-rest.md), or [ARM template](nsg-flow-logs-azure-resource-manager.md). ## Prerequisites 
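Review bot: The rewritten intro in nsg-flow-logs-cli.md still links the portal guide as `[Azure portal](nsg-flow-logging.md)`, but this same PR renames that file to nsg-flow-logs-portal.md, so the link breaks as soon as the rename lands; the overview's guide list and the toc.yml hunk in this PR already use `nsg-flow-logs-portal.md`. Use that name here, and make the same fix in the rewritten intros of nsg-flow-logs-azure-resource-manager.md, nsg-flow-logs-powershell.md and nsg-flow-logs-rest.md, which carry the identical stale link.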
@@ -138,7 +131,7 @@ NSG flow log files saved to a storage account follow this path: https://{storageAccountName}.blob.core.windows.net/insights-logs-networksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/{subscriptionID}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/{NetworkSecurityGroupName}/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json ``` -For information about the structure of a flow log, see [Log format of NSG flow logs](network-watcher-nsg-flow-logging-overview.md#log-format). +For information about the structure of a flow log, see [Log format of NSG flow logs](nsg-flow-logs-overview.md#log-format). ## Disable a flow log diff --git a/articles/network-watcher/network-watcher-nsg-flow-logging-overview.md b/articles/network-watcher/nsg-flow-logs-overview.md similarity index 98% rename from articles/network-watcher/network-watcher-nsg-flow-logging-overview.md rename to articles/network-watcher/nsg-flow-logs-overview.md index f763c17c7d034..b506e9a55bc00 100644 --- a/articles/network-watcher/network-watcher-nsg-flow-logging-overview.md +++ b/articles/network-watcher/nsg-flow-logs-overview.md @@ -2,8 +2,8 @@ title: NSG flow logs overview titleSuffix: Azure Network Watcher description: Learn about NSG flow logs feature of Azure Network Watcher, which allows you to log information about IP traffic flowing through a network security group. -ms.author: halkazwini author: halkazwini +ms.author: halkazwini ms.service: network-watcher ms.topic: concept-article ms.date: 02/15/2024 
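Review bot: This rename (nsg-flow-logs-overview.md), like the other NSG flow log article renames in this PR (-portal.md, -powershell.md, -cli.md, -rest.md, -azure-resource-manager.md), is not accompanied by a redirection entry for the old network-watcher-nsg-flow-logging-*.md paths anywhere in this part of the diff. Published URLs derive from the file name, so confirm the repo's redirection file gets matching entries; otherwise existing bookmarks and search results return 404s even though the in-repo links are updated.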
@@ -15,7 +15,7 @@ ms.date: 02/15/2024 Network security group (NSG) flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a [network security group](../virtual-network/network-security-groups-overview.md). Flow data is sent to Azure Storage from where you can access it and export it to any visualization tool, security information and event management (SIEM) solution, or intrusion detection system (IDS) of your choice. -:::image type="content" source="./media/network-watcher-nsg-flow-logging-overview/nsg-flow-logs-portal.png" alt-text="Screenshot showing Network Watcher NSG flow logs page in the Azure portal."::: +:::image type="content" source="./media/nsg-flow-logs-overview/nsg-flow-logs-portal.png" alt-text="Screenshot showing Network Watcher NSG flow logs page in the Azure portal."::: ## Why use flow logs? @@ -389,7 +389,7 @@ Here's an example format of a version 2 NSG flow log: ### Log tuple and bandwidth calculation -![Screenshot that shows an example of a flow log tuple.](./media/network-watcher-nsg-flow-logging-overview/tuple.png) +![Screenshot that shows an example of a flow log tuple.](./media/nsg-flow-logs-overview/tuple.png) Here's an example bandwidth calculation for flow tuples from a TCP conversation between 185.170.185.105:35370 and 10.2.0.4:23: 
@@ -403,11 +403,11 @@ For continuation (`C`) and end (`E`) flow states, byte and packet counts are agg To learn how to create, change, disable, or delete NSG flow logs, see one of the following guides: -- [Azure portal](./nsg-flow-logging.md) -- [PowerShell](./network-watcher-nsg-flow-logging-powershell.md) -- [Azure CLI](./network-watcher-nsg-flow-logging-cli.md) -- [REST API](./network-watcher-nsg-flow-logging-rest.md) -- [Azure Resource Manager](./network-watcher-nsg-flow-logging-azure-resource-manager.md) +- [Azure portal](nsg-flow-logs-portal.md) +- [PowerShell](nsg-flow-logs-powershell.md) +- [Azure CLI](nsg-flow-logs-cli.md) +- [REST API](nsg-flow-logs-rest.md) +- [Azure Resource Manager](nsg-flow-logs-azure-resource-manager.md) ## Working with flow logs @@ -538,6 +538,6 @@ Storage of logs is charged separately. For more information, see [Azure Blob Sto ## Related content -- To learn how to manage NSG flow logs, see [Create, change, disable, or delete NSG flow logs using the Azure portal](nsg-flow-logging.md). +- To learn how to manage NSG flow logs, see [Create, change, disable, or delete NSG flow logs using the Azure portal](nsg-flow-logs-portal.md). - To find answers to some of the most frequently asked questions about NSG flow logs, see [Flow logs FAQ](frequently-asked-questions.yml#flow-logs). - To learn about traffic analytics, see [Traffic analytics overview](traffic-analytics.md). diff --git a/articles/network-watcher/nsg-flow-logging.md b/articles/network-watcher/nsg-flow-logs-portal.md similarity index 79% rename from articles/network-watcher/nsg-flow-logging.md rename to articles/network-watcher/nsg-flow-logs-portal.md index 456da9a8b47b7..95e90c2b2bfc6 100644 --- a/articles/network-watcher/nsg-flow-logging.md +++ b/articles/network-watcher/nsg-flow-logs-portal.md 
@@ -3,25 +3,17 @@ title: Manage NSG flow logs - Azure portal titleSuffix: Azure Network Watcher description: Learn how to create, change, disable, or delete Azure Network Watcher NSG flow logs using the Azure portal. author: halkazwini +ms.author: halkazwini ms.service: network-watcher ms.topic: how-to ms.date: 05/31/2023 -ms.author: halkazwini -ms.custom: template-how-to, engagement-fy23 --- # Manage NSG flow logs using the Azure portal -> [!div class="op_single_selector"] -> - [Azure portal](nsg-flow-logging.md) -> - [PowerShell](network-watcher-nsg-flow-logging-powershell.md) -> - [Azure CLI](network-watcher-nsg-flow-logging-cli.md) -> - [REST API](network-watcher-nsg-flow-logging-rest.md) -> - [ARM template](network-watcher-nsg-flow-logging-azure-resource-manager.md) - -Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. For more information about network security group flow logging, see [NSG flow logs overview](network-watcher-nsg-flow-logging-overview.md). +Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. For more information about network security group flow logging, see [NSG flow logs overview](nsg-flow-logs-overview.md). -In this article, you learn how to create, change, disable, or delete an NSG flow log using the Azure portal. You can learn how to manage an NSG flow log using [PowerShell](network-watcher-nsg-flow-logging-powershell.md), [Azure CLI](network-watcher-nsg-flow-logging-cli.md), [REST API](network-watcher-nsg-flow-logging-rest.md), or [ARM template](network-watcher-nsg-flow-logging-azure-resource-manager.md). +In this article, you learn how to create, change, disable, or delete an NSG flow log using the Azure portal. 
You can learn how to manage an NSG flow log using [PowerShell](nsg-flow-logs-powershell.md), [Azure CLI](nsg-flow-logs-cli.md), [REST API](nsg-flow-logs-rest.md), or [ARM template](nsg-flow-logs-azure-resource-manager.md). ## Prerequisites @@ -47,7 +39,7 @@ In this article, you learn how to create, change, disable, or delete an NSG flow 1. Confirm the status of the provider displayed is **Registered**. If the status is **NotRegistered**, select the **Microsoft.Insights** provider then select **Register**. - :::image type="content" source="./media/nsg-flow-logging/register-microsoft-insights.png" alt-text="Screenshot of registering Microsoft Insights provider in the Azure portal."::: + :::image type="content" source="./media/nsg-flow-logs-portal/register-microsoft-insights.png" alt-text="Screenshot of registering Microsoft Insights provider in the Azure portal."::: ## Create a flow log @@ -59,7 +51,7 @@ Create a flow log for your network security group. This NSG flow log is saved in 1. In **Network Watcher | Flow logs**, select **+ Create** or **Create flow log** blue button. - :::image type="content" source="./media/nsg-flow-logging/flow-logs.png" alt-text="Screenshot of Flow logs page in the Azure portal." lightbox="./media/nsg-flow-logging/flow-logs.png"::: + :::image type="content" source="./media/nsg-flow-logs-portal/flow-logs.png" alt-text="Screenshot of Flow logs page in the Azure portal." lightbox="./media/nsg-flow-logs-portal/flow-logs.png"::: 1. Enter or select the following values in **Create a flow log**: 
@@ -74,7 +66,7 @@ Create a flow log for your network security group. This NSG flow log is saved in | Storage Accounts | Select the storage account that you want to save the flow logs to. If you want to create a new storage account, select **Create a new storage account**. | | Retention (days) | Enter a retention time for the logs. Enter *0* if you want to retain the flow logs data in the storage account forever (until you delete it from the storage account). For information about pricing, see [Azure Storage pricing](https://azure.microsoft.com/pricing/details/storage/). | - :::image type="content" source="./media/nsg-flow-logging/create-nsg-flow-log.png" alt-text="Screenshot of creating an NSG flow log in the Azure portal."::: + :::image type="content" source="./media/nsg-flow-logs-portal/create-nsg-flow-log.png" alt-text="Screenshot of creating an NSG flow log in the Azure portal."::: > [!NOTE] > If the storage account is in a different subscription, the network security group and storage account must be associated with the same Azure Active Directory tenant. The account you use for each subscription must have the [necessary permissions](required-rbac-permissions.md). @@ -93,7 +85,7 @@ Create a flow log for your network security group and enable traffic analytics. 1. In **Network Watcher | Flow logs**, select **+ Create** or **Create flow log** blue button. - :::image type="content" source="./media/nsg-flow-logging/flow-logs.png" alt-text="Screenshot of Flow logs page in the Azure portal." lightbox="./media/nsg-flow-logging/flow-logs.png"::: + :::image type="content" source="./media/nsg-flow-logs-portal/flow-logs.png" alt-text="Screenshot of Flow logs page in the Azure portal." lightbox="./media/nsg-flow-logs-portal/flow-logs.png"::: 1. Enter or select the following values in **Create a flow log**: 
@@ -108,7 +100,7 @@ Create a flow log for your network security group and enable traffic analytics. | Storage Accounts | Select the storage account that you want to save the flow logs to. If you want to create a new storage account, select **Create a new storage account**. | | Retention (days) | Enter a retention time for the logs. Enter *0* if you want to retain the flow logs data in the storage account forever (until you delete it from the storage account). For information about pricing, see [Azure Storage pricing](https://azure.microsoft.com/pricing/details/storage/). | - :::image type="content" source="./media/nsg-flow-logging/create-nsg-flow-log-basics.png" alt-text="Screenshot of the Basics tab of Create a flow log in the Azure portal."::: + :::image type="content" source="./media/nsg-flow-logs-portal/create-nsg-flow-log-basics.png" alt-text="Screenshot of the Basics tab of Create a flow log in the Azure portal."::: > [!NOTE] > If the storage account is in a different subscription, the network security group and storage account must be associated with the same Azure Active Directory tenant. The account you use for each subscription must have the [necessary permissions](required-rbac-permissions.md). 
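Review bot: Both the NOTE in this hunk and the identical one in the preceding `@@ -74,7` hunk still say "associated with the same Azure Active Directory tenant". These lines sit directly under the edited image lines, so update them to "Microsoft Entra tenant" in the same change, per the Azure AD to Microsoft Entra ID rename.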
@@ -117,14 +109,14 @@ Create a flow log for your network security group and enable traffic analytics. | Setting | Value | | ------- | ----- | - | Flow Logs Version | Select the flow log version. Version 2 is selected by default when you create a flow log using the Azure portal. For more information about flow logs versions, see [Log format of NSG flow logs](network-watcher-nsg-flow-logging-overview.md#log-format). | + | Flow Logs Version | Select the flow log version. Version 2 is selected by default when you create a flow log using the Azure portal. For more information about flow logs versions, see [Log format of NSG flow logs](nsg-flow-logs-overview.md#log-format). | | **Traffic Analytics** | | | Enable Traffic Analytics | Select the checkbox to enable traffic analytics for your flow log. | | Traffic Analytics processing interval | Select the processing interval that you prefer, available options are: **Every 1 hour** and **Every 10 mins**. The default processing interval is every one hour. For more information, see [Traffic Analytics](traffic-analytics.md). | | Subscription | Select the Azure subscription of your Log Analytics workspace. | | Log Analytics Workspace | Select your Log Analytics workspace. By default, Azure portal creates and selects *DefaultWorkspace-{subscription-id}-{region}* Log Analytics workspace in *defaultresourcegroup-{Region}* resource group. | - :::image type="content" source="./media/nsg-flow-logging/enable-traffic-analytics.png" alt-text="Screenshot of enabling traffic analytics for a flow log in the Azure portal."::: + :::image type="content" source="./media/nsg-flow-logs-portal/enable-traffic-analytics.png" alt-text="Screenshot of enabling traffic analytics for a flow log in the Azure portal."::: 1. Select **Review + create**. 
@@ -142,14 +134,14 @@ You can change the properties of a flow log after you create it. For example, yo 1. In **Flow logs settings**, you can change any of the following settings: - - **Flow Logs Version**: Change the flow log version. Available versions are: version 1 and version 2. Version 2 is selected by default when you create a flow log using the Azure portal. For more information about flow logs versions, see [Log format of NSG flow logs](network-watcher-nsg-flow-logging-overview.md#log-format). + - **Flow Logs Version**: Change the flow log version. Available versions are: version 1 and version 2. Version 2 is selected by default when you create a flow log using the Azure portal. For more information about flow logs versions, see [Log format of NSG flow logs](nsg-flow-logs-overview.md#log-format). - **Storage Account**: Change the storage account that you want to save the flow logs to. If you want to create a new storage account, select **Create a new storage account**. - **Retention (days)**: Change the retention time in the storage account. Enter *0* if you want to retain the flow logs data in the storage account forever (until you manually delete the data from the storage account). - **Traffic Analytics**: Enable or disable traffic analytics for your flow log. For more information, see [Traffic Analytics](traffic-analytics.md). - **Traffic Analytics processing interval**: Change the processing interval of traffic analytics (if traffic analytics is enabled). Available options are: one hour and 10 minutes. The default processing interval is every one hour. For more information, see [Traffic Analytics](traffic-analytics.md). - **Log Analytics workspace**: Change the Log Analytics workspace that you want to save the flow logs to (if traffic analytics is enabled). - :::image type="content" source="./media/nsg-flow-logging/change-flow-log.png" alt-text="Screenshot of Flow logs settings page in the Azure portal where you can change some settings." 
lightbox="./media/nsg-flow-logging/change-flow-log.png"::: + :::image type="content" source="./media/nsg-flow-logs-portal/change-flow-log.png" alt-text="Screenshot of Flow logs settings page in the Azure portal where you can change some settings." lightbox="./media/nsg-flow-logs-portal/change-flow-log.png"::: ## List all flow logs @@ -161,7 +153,7 @@ You can list all flow logs in a subscription or a group of subscriptions. You ca 1. Select **Subscription equals** filter to choose one or more of your subscriptions. You can apply other filters like **Location equals** to list all the flow logs in a region. - :::image type="content" source="./media/nsg-flow-logging/list-flow-logs.png" alt-text="Screenshot shows how to use filters to list all existing flow logs in a subscription using the Azure portal." lightbox="./media/nsg-flow-logging/list-flow-logs.png"::: + :::image type="content" source="./media/nsg-flow-logs-portal/list-flow-logs.png" alt-text="Screenshot shows how to use filters to list all existing flow logs in a subscription using the Azure portal." lightbox="./media/nsg-flow-logs-portal/list-flow-logs.png"::: ## View details of a flow log resource @@ -175,7 +167,7 @@ You can view the details of a flow log in a subscription or a group of subscript 1. In **Flow logs settings**, you can view the settings of the flow log resource. - :::image type="content" source="./media/nsg-flow-logging/flow-log-settings.png" alt-text="Screenshot of Flow logs settings page in the Azure portal." lightbox="./media/nsg-flow-logging/flow-log-settings.png"::: + :::image type="content" source="./media/nsg-flow-logs-portal/flow-log-settings.png" alt-text="Screenshot of Flow logs settings page in the Azure portal." lightbox="./media/nsg-flow-logs-portal/flow-log-settings.png"::: ## Download a flow log 
@@ -187,7 +179,7 @@ NSG flow log files saved to a storage account follow this path: https://{storageAccountName}.blob.core.windows.net/insights-logs-networksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/{subscriptionID}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/{NetworkSecurityGroupName}/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json ``` -For information about the structure of a flow log, see [Log format of NSG flow logs](network-watcher-nsg-flow-logging-overview.md#log-format). +For information about the structure of a flow log, see [Log format of NSG flow logs](nsg-flow-logs-overview.md#log-format). ## Disable a flow log @@ -201,7 +193,7 @@ You can temporarily disable an NSG flow log without deleting it. Disabling a flo 1. Select **Disable**. - :::image type="content" source="./media/nsg-flow-logging/disable-flow-log.png" alt-text="Screenshot shows how to disable a flow log in the Azure portal." lightbox="./media/nsg-flow-logging/disable-flow-log.png"::: + :::image type="content" source="./media/nsg-flow-logs-portal/disable-flow-log.png" alt-text="Screenshot shows how to disable a flow log in the Azure portal." lightbox="./media/nsg-flow-logs-portal/disable-flow-log.png"::: > [!NOTE] > If traffic analytics is enabled for a flow log, it must disabled before you can disable the flow log. To disable traffic analytics, see [Change a flow log](#change-a-flow-log). 
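Review bot: The unchanged NOTE at the end of this hunk reads "it must disabled before you can disable the flow log"; it is missing "be" ("it must be disabled"). The adjacent image line is already being edited, so fold the fix into this hunk.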
@@ -218,7 +210,7 @@ You can permanently delete an NSG flow log. Deleting a flow log deletes all its 1. Select **Delete**. - :::image type="content" source="./media/nsg-flow-logging/delete-flow-log.png" alt-text="Screenshot shows how to delete a flow log in the Azure portal." lightbox="./media/nsg-flow-logging/delete-flow-log.png"::: + :::image type="content" source="./media/nsg-flow-logs-portal/delete-flow-log.png" alt-text="Screenshot shows how to delete a flow log in the Azure portal." lightbox="./media/nsg-flow-logs-portal/delete-flow-log.png"::: > [!NOTE] > Deleting a flow log does not delete the flow log data from the storage account. Flow logs data stored in the storage account follows the configured retention policy or stays stored in the storage account until manually deleted (in case no retention policy is configured). diff --git a/articles/network-watcher/network-watcher-nsg-flow-logging-powershell.md b/articles/network-watcher/nsg-flow-logs-powershell.md similarity index 93% rename from articles/network-watcher/network-watcher-nsg-flow-logging-powershell.md rename to articles/network-watcher/nsg-flow-logs-powershell.md index 439034a8b3897..cf32e4c373520 100644 --- a/articles/network-watcher/network-watcher-nsg-flow-logging-powershell.md +++ b/articles/network-watcher/nsg-flow-logs-powershell.md 
@@ -3,25 +3,18 @@ title: Manage NSG flow logs - Azure PowerShell titleSuffix: Azure Network Watcher description: Learn how to create, change, disable, or delete Azure Network Watcher NSG flow logs using Azure PowerShell. author: halkazwini +ms.author: halkazwini ms.service: network-watcher ms.topic: how-to ms.date: 05/31/2023 -ms.author: halkazwini -ms.custom: template-how-to, devx-track-azurepowershell, engagement-fy23 +ms.custom: devx-track-azurepowershell --- # Manage NSG flow logs using Azure PowerShell -> [!div class="op_single_selector"] -> - [Azure portal](nsg-flow-logging.md) -> - [PowerShell](network-watcher-nsg-flow-logging-powershell.md) -> - [Azure CLI](network-watcher-nsg-flow-logging-cli.md) -> - [REST API](network-watcher-nsg-flow-logging-rest.md) -> - [ARM template](network-watcher-nsg-flow-logging-azure-resource-manager.md) - -Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. For more information about network security group flow logging, see [NSG flow logs overview](network-watcher-nsg-flow-logging-overview.md). +Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. For more information about network security group flow logging, see [NSG flow logs overview](nsg-flow-logs-overview.md). -In this article, you learn how to create, change, disable, or delete an NSG flow log using Azure PowerShell. You can learn how to manage an NSG flow log using the [Azure portal](nsg-flow-logging.md), [Azure CLI](network-watcher-nsg-flow-logging-cli.md), [REST API](network-watcher-nsg-flow-logging-rest.md), or [ARM template](network-watcher-nsg-flow-logging-azure-resource-manager.md). +In this article, you learn how to create, change, disable, or delete an NSG flow log using Azure PowerShell. 
You can learn how to manage an NSG flow log using the [Azure portal](nsg-flow-logging.md), [Azure CLI](nsg-flow-logs-cli.md), [REST API](nsg-flow-logs-rest.md), or [ARM template](nsg-flow-logs-azure-resource-manager.md). ## Prerequisites @@ -149,7 +142,7 @@ NSG flow log files saved to a storage account follow this path: https://{storageAccountName}.blob.core.windows.net/insights-logs-networksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/{subscriptionID}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/{NetworkSecurityGroupName}/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json ``` -For information about the structure of a flow log, see [Log format of NSG flow logs](network-watcher-nsg-flow-logging-overview.md#log-format). +For information about the structure of a flow log, see [Log format of NSG flow logs](nsg-flow-logs-overview.md#log-format). ## Disable a flow log diff --git a/articles/network-watcher/network-watcher-nsg-flow-logging-rest.md b/articles/network-watcher/nsg-flow-logs-rest.md similarity index 93% rename from articles/network-watcher/network-watcher-nsg-flow-logging-rest.md rename to articles/network-watcher/nsg-flow-logs-rest.md index 4bbe0a4e8e4ee..9d8d8250a5b8f 100644 --- a/articles/network-watcher/network-watcher-nsg-flow-logging-rest.md +++ b/articles/network-watcher/nsg-flow-logs-rest.md 
@@ -3,25 +3,17 @@ title: Manage NSG flow logs - Azure REST API titleSuffix: Azure Network Watcher description: Learn how to create, change, or disable Azure Network Watcher NSG flow logs using REST API. author: halkazwini +ms.author: halkazwini ms.service: network-watcher ms.topic: how-to ms.date: 06/01/2023 -ms.author: halkazwini -ms.custom: template-how-to, engagement-fy23 --- # Manage NSG flow logs using REST API -> [!div class="op_single_selector"] -> - [Azure portal](nsg-flow-logging.md) -> - [PowerShell](network-watcher-nsg-flow-logging-powershell.md) -> - [Azure CLI](network-watcher-nsg-flow-logging-cli.md) -> - [REST API](network-watcher-nsg-flow-logging-rest.md) -> - [ARM template](network-watcher-nsg-flow-logging-azure-resource-manager.md) - -Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. For more information about network security group flow logging, see [NSG flow logs overview](network-watcher-nsg-flow-logging-overview.md). +Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. For more information about network security group flow logging, see [NSG flow logs overview](nsg-flow-logs-overview.md). -This article shows you how to use the REST API to enable, disable, and query flow logs using the REST API. You can learn how to manage an NSG flow log using the [Azure portal](nsg-flow-logging.md), [PowerShell](network-watcher-nsg-flow-logging-powershell.md), [Azure CLI](network-watcher-nsg-flow-logging-cli.md), or [ARM template](network-watcher-nsg-flow-logging-azure-resource-manager.md). +This article shows you how to use the REST API to enable, disable, and query flow logs using the REST API. 
You can learn how to manage an NSG flow log using the [Azure portal](nsg-flow-logging.md), [PowerShell](nsg-flow-logs-powershell.md), [Azure CLI](nsg-flow-logs-cli.md), or [ARM template](nsg-flow-logs-azure-resource-manager.md). In this article, uou learn how to: diff --git a/articles/network-watcher/toc.yml b/articles/network-watcher/toc.yml index 2c0a22c406e9c..6407e3660430f 100644 --- a/articles/network-watcher/toc.yml +++ b/articles/network-watcher/toc.yml @@ -56,7 +56,7 @@ - name: Effective security rules href: effective-security-rules-overview.md - name: NSG flow logs - href: network-watcher-nsg-flow-logging-overview.md + href: nsg-flow-logs-overview.md - name: VNet flow logs href: vnet-flow-logs-overview.md - name: Traffic analytics @@ -178,15 +178,15 @@ - name: Manage NSG flow logs items: - name: Azure portal - href: nsg-flow-logging.md + href: nsg-flow-logs-portal.md - name: PowerShell - href: network-watcher-nsg-flow-logging-powershell.md + href: nsg-flow-logs-powershell.md - name: Azure CLI - href: network-watcher-nsg-flow-logging-cli.md + href: nsg-flow-logs-cli.md - name: REST - href: network-watcher-nsg-flow-logging-rest.md + href: nsg-flow-logs-rest.md - name: ARM template - href: network-watcher-nsg-flow-logging-azure-resource-manager.md + href: nsg-flow-logs-azure-resource-manager.md - name: Built-in Policy href: nsg-flow-logs-policy-portal.md - name: Manage VNet flow logs diff --git a/articles/openshift/howto-update-certificates.md b/articles/openshift/howto-update-certificates.md index 5ad75925f26a5..4ef64261f83d9 100644 --- a/articles/openshift/howto-update-certificates.md +++ b/articles/openshift/howto-update-certificates.md 
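Review bot: In nsg-flow-logs-rest.md, the rewritten intro says "This article shows you how to use the REST API to enable, disable, and query flow logs using the REST API", repeating "REST API" within one sentence; trim it to "This article shows you how to enable, disable, and query flow logs using the REST API." The context line right after it, "In this article, uou learn how to:", has a typo ("you") that can be fixed in the same hunk.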
@@ -28,5 +28,4 @@ where: Running this command restarts worker machines and updates the cluster certificates, setting the cluster to a known, proper state. > [!NOTE] -> Certificates for custom domains need to be updated manually. For more information, see the [Red Hat OpenShift documentation](https://docs.openshift.com/rosa/applications/deployments/osd-config-custom-domains-applications.html). - +> Certificates for custom domains need to be updated manually. For more information, see the [Red Hat OpenShift documentation](https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-getting-started-workflow.html). diff --git a/articles/operator-5g-core/media/overview-product/architecture-5g-core-expanded.png b/articles/operator-5g-core/media/overview-product/architecture-5g-core-expanded.png new file mode 100644 index 0000000000000..d22afca2a587e Binary files /dev/null and b/articles/operator-5g-core/media/overview-product/architecture-5g-core-expanded.png differ diff --git a/articles/operator-5g-core/media/overview-product/architecture-5g-core.png b/articles/operator-5g-core/media/overview-product/architecture-5g-core.png new file mode 100644 index 0000000000000..18021a1b5a52c Binary files /dev/null and b/articles/operator-5g-core/media/overview-product/architecture-5g-core.png differ diff --git a/articles/operator-5g-core/media/overview-product/deployment-models-expanded.png b/articles/operator-5g-core/media/overview-product/deployment-models-expanded.png new file mode 100644 index 0000000000000..72f2b6a802b52 Binary files /dev/null and b/articles/operator-5g-core/media/overview-product/deployment-models-expanded.png differ 
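Review bot: The replacement link in howto-update-certificates.md points at `rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-getting-started-workflow.html`, a ROSA getting-started and IAM workflow page, while the sentence it supports is about manually updating certificates for custom domains (the old target was `osd-config-custom-domains-applications.html`). Verify that the new URL actually covers custom-domain certificates; if the original page moved, link its new location rather than the getting-started workflow, or the NOTE sends readers to unrelated content.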
diff --git a/articles/operator-5g-core/media/overview-product/deployment-models.png b/articles/operator-5g-core/media/overview-product/deployment-models.png new file mode 100644 index 0000000000000..7caa6a2f1109a Binary files /dev/null and b/articles/operator-5g-core/media/overview-product/deployment-models.png differ diff --git a/articles/operator-5g-core/overview-product.md b/articles/operator-5g-core/overview-product.md index 65f71205d9c8e..654e67994a06f 100644 --- a/articles/operator-5g-core/overview-product.md +++ b/articles/operator-5g-core/overview-product.md 
@@ -6,28 +6,32 @@ ms.author: HollyCl ms.service: azure-operator-5g-core ms.custom: references_regions ms.topic: overview -ms.date: 03/07/2024 +ms.date: 02/21/2024 --- + # What is Azure Operator 5G Core Preview? Azure Operator 5G Core Preview is a carrier-grade, Any-G, hybrid mobile packet core with fully integrated network functions that run both on-premises and in-cloud. Service providers can deploy resilient networks with high performance and at high capacity while maintaining low latency. Azure Operator 5G Core is ideal for Tier 1 consumer networks, mobile network operators (MNO), virtual network operators (MVNOs), enterprises, IoT, fixed wireless access (FWA), and satellite network operators (SNOs). + [:::image type="content" source="media/overview-product/architecture-5g-core.png" alt-text="Diagram of text boxes showing the components that comprise Azure Operator 5G Core.":::](media/overview-product/architecture-5g-core-expanded.png#lightbox) + The power of Azure's global footprint ensures global coverage and operating infrastructure at scale, coupled with Microsoft’s Zero Trust security framework to provide secure and reliable connectivity to cloud applications.    -Sophisticated management tools and automated lifecycle management simplify and streamline network operations. Operators can efficiently accelerate migration to 5G in standalone and nonstandalone architectures, while continuing to support all legacy mobile network access technologies (2G, 3G, & 4G). - -Streamlined in-service software upgrades at both the platform and application layer minimize downtime and complexity during version updates, and automated rollback mechanism ensures the system can revert to the previous stable state if needed. Preconfigured templates and blueprints simplify and standardize deployment.  +Sophisticated management tools and automated lifecycle management simplify and streamline network operations. 
Operators can efficiently accelerate migration to 5G in standalone and non-standalone architectures, while continuing to support all legacy mobile network access technologies (2G, 3G, & 4G). + +Streamlined in-service software upgrades minimize downtime and complexity during version updates, and rollback mechanism ensures the system can revert to the previous stable state if needed.   Azure Operator 5G Core's observability stack provides a rich set of insightful dashboards out-of-the-box. Operators can use their existing analytics solutions for further analysis or use Azure Operator Insights, which combines the power of Artificial Intelligence and Machine Learning to provide advanced analytics capabilities. Azure Operator 5G Core generates detailed Event Data Records, which provide operators with the insights to optimize network performance and improve subscriber Quality of Experience.   -## Key Features and Benefits  -Azure Operator 5G Core includes the following benefits for operating secure. Carrier-grade network functions at scale.  +## Key features and benefits  -### Any-G +Azure Operator 5G Core includes the following key features for operating secure, carrier-grade network functions at scale.  -Azure Operator 5G Core is a unified, ‘Any-G’ packet core network solution that uses cloud native capabilities to address 2G/3G/4G and 5G functionalities. It allows operators to deploy network functions compatible with not only legacy technologies but also with the latest 5G networks, modernizing operator networks while operating on a single, consistent platform to minimize costs. ‘Any-G’ offers the following features: +### Any-G  + +Azure Operator 5G Core is a unified, ‘Any-G’ packet core network solution that uses cloud native capabilities to address 2G/3G/4G and 5G functionalities. 
It allows operators to deploy network functions compatible with not only legacy technologies but also with the latest 5G networks, modernizing operator networks while operating on a single, consistent platform to minimize costs. ‘Any-G’ offers the following features:  - Common anchor points (combination nodes) that allow seamless mobility across Radio Access Technologies (RAT).  - Common UPF instances that support all RAT types for mobility and footprint reduction.  
@@ -35,38 +39,41 @@ Azure Operator 5G Core is a unified, ‘Any-G’ packet core network solution th - Consistent application of Value-added Services (VAS) regardless of the Radio Access Type.  - Integrated probing enabling an always-on capture of User Equipment/Session activities.  - Deployment options to use Diameter or Service-Based Interfaces (SBI), allowing operators to choose when to upgrade peer network functions.  -- Slicing, which provides flexibility in customizing the treatment of a set of devices. - -Azure Operator 5G Core offers the following network functions: - -**5G SA:** - -- Access and Mobility Management Function (AMF)  -- Session Management Function (SMF)  -- User Plane Function (UPF)  -- Network Slice Selection Function (NSSF)  -- Network Repository Function (NRF)  - -**4G / 5G NSA:**  - -- Mobility Management Entity (MME)  -- Packet Data Network (PDN) Gateway Control Plane Function (PGW-C)  -- PDN Gateway User Plane Function (PGW-U)  -- Serving Gateway Control Plane Function (SGW-C)  -- Serving Gateway User Plane Function (SGW-U)  - -**2G / 3G:**  - -- Gateway GPRS Support Node (GGSN)  -- Serving GPRS Support Node (SGSN) - +- Slicing, which provides flexibility in customizing the treatment of a set of devices.   + +Azure Operator 5G Core offers the following network functions:  + +> [!NOTE] +> Azure Operator 5G Core Preview is provided only for 5G SA network functions. + +**Network functions used for 5G SA:** +- **Access and Mobility Management Function (AMF)** - AMF is responsible for the access and mobility management of the mobile subscribers. It is the point of contact for all mobile users in the core network. It maintains connections with the Radio Access Network (RAN) to transport signaling messages to and from the users. +- **Session Management Function (SMF)** - SMF provides session management at the highest level. 
It controls the creation, modification, and deletion of Protocol Data Units (PDU) sessions, providing data access from the User Equipment (UE) to one or more data networks. +- **User Plane Function (UPF)** - UPF is a fundamental component of the 5G core infrastructure system architecture, responsible for packet processing, traffic aggregation, and management functions to the edge of the network. It also provides an IP anchor point for Intra/Inter Radio Access Technology (RAT) mobility while implementing the user plane part of policy enforcement, traffic usage reporting, and lawful intercept functionality.  +- **Network Slice Selection Function (NSSF)** - NSSF supports network slice selection capabilities in the 5G network. This functionality is used by other consumer NFs such as AMF during UE procedures to ensure that the slice-specific resources (AMF, SMF, UPF) are used for the respective procedures. +- **Network Repository Function (NRF)** - NRF is responsible for the management of different NF instances and their respective profiles. It allows different NFs to dynamically register and de-register their services/profile whilst it also supports dynamic discovery of different NF instances based on their state and local policies. + +**Network functions used for 4G and 5G NSA:**  +- **Mobility Management Entity (MME)** - MME is key in managing signaling for UE access, mobility, and security in LTE networks. It establishes the connection and coordination between the UE and the evolved packet core, ensuring seamless mobility and authentication. +- **Packet Data Network (PDN) Gateway Control Plane Function (PGW-C)** - PGW-C plays an essential role in managing session states and IP address allocation for UEs. It acts as the control plane interface between the mobile network and the PDN, orchestrating the flow of data sessions and maintaining network efficiency.  
+- **PDN Gateway User Plane Function (PGW-U)** - PGW-U is responsible for the routing and forwarding of user data packets between the UE and external networks. It ensures efficient management and delivery of data traffic, maintaining the quality of service and experience for the end-user. +- **Serving Gateway Control Plane Function (SGW-C)** - SGW-C oversees the creation and management of user plane tunnels in SGW. It is vital for maintaining session information and supporting UE mobility across different eNodeBs within the network.  +- **Serving Gateway User Plane Function (SGW-U)** - SGW-U facilitates the transfer of user data packets within the mobile network. It ensures that data packets are efficiently routed and forwarded to the right destination, supporting uninterrupted user mobility. + +**Network functions used for 2G and 3G:**  +- **Gateway GPRS Support Node (GGSN)** - GGSN serves as the gateway between the General Packet Radio Service (GPRS) mobile network and external packet-switched networks. It is responsible for IP address assignment, QoS enforcement, and routing data from mobile users to external networks. +- **Serving GPRS Support Node (SGSN)** - SGSN is responsible for the operation of GPRS and Universal Mobile Telecommunications System (UMTS) networks, managing mobile data sessions and mobility. It ensures continuous data connections and optimization as users move throughout the network, handling registration, authentication, and routing of packet data.   + :::image type="content" source="media/overview-product/all-g-network.png" alt-text="Diagram of text boxes showing the network functions supported by the all-g network offering of Azure Operator 5G Core."::: Any-G is built on top of Azure Operator Nexus and Azure – with flexible Network Function (NF) placement based on the operator use case. Different use cases drive NF deployment topologies. 
Network Functions can be placed geographically closer to the users for scenarios such as consumer, low latency, and MEC or centralized for machine to machine (Internet of Things) and enterprise scenarios. Deployment is API driven regardless of the placement of the network functions. + + [:::image type="content" source="media/overview-product/deployment-models.png" alt-text="Diagram describing supported deployment models for Azure Operator 5G Core.":::](media/overview-product/deployment-models-expanded.png#lightbox)   + ### Resiliency  -Azure Operator 5G Core supports recovery mechanisms for failure scenarios such as single pod, multi-pod, VM, multi-VM within the same rack, and multi-VM spread across multiple racks. As the system scales to accommodate millions of subscribers, it requires mechanisms capable of addressing both internal and external faults, extending to the failure of an entire geographical location. To effectively mitigate potential disruptions and to ensure minimal impact, Azure Operator 5G Core incorporates Geographical Redundancy and In-Service Software Upgrade (ISSU) mechanisms.  +Azure Operator 5G Core supports recovery mechanisms for failure scenarios such as single pod, multi-pod, VM, multi-VM within the same rack, and multi-VM spread across multiple racks. As the system scales to accommodate millions of subscribers, it requires mechanisms capable of addressing both internal and external faults, extending to the failure of an entire geographical location. To effectively mitigate potential disruptions and to ensure minimal impact during upgrades, Azure Operator 5G Core incorporates Geographical Redundancy and In-Service Software Upgrade (ISSU) mechanisms.  ### Orchestration 
@@ -78,22 +85,33 @@ Azure Operator 5G Core’s Resource Provider (RP) provides an inventory of the d ### Observability -Azure Operator 5G Core supports local observability with a small footprint per cluster for both platform and application level metrics, key performance indicators, logs, alerts, alarms, traces, and event data records. Observability data for most network functions are supported via the following industry-standard Platform as a Service (PaaS) components: +Azure Operator 5G Core supports local observability per cluster for both platform- and application-level metrics, key performance indicators, logs, alerts, alarms, traces, and event data records. Observability data for most network functions are supported via the following industry-standard Platform as a Service (PaaS) components:     - Prometheus  - Fluentd  - Elastic  - Alerta  - Jaeger  -- Kafka +- Kafka   + Once deployed, Azure Operator 5G Core provides an inventory view of clusters and first-party network functions along with deployment and operational health status. Azure Operator 5G Core provides a rich set of out-of-the-box dashboards as well.    Disconnected "break-glass" mode maintains data when connectivity between the Azure public cloud regions and local on-premises platforms is lost. Azure Operator 5G Core also allows operators to ingest the telemetry data into their chosen analytics solution for further analysis.  -## Supported Regions +### Key benefits + +The key benefits of Azure Operator 5G Core include:  -Azure Operator 5G Core deployment is supported in: +- High user plane performance with inline user-plane services. +- API-based NF lifecycle management (LCM) via Azure, regardless of deployment model. +- Advanced analytics via Azure Operator Insights. +- Cloud-native architecture with no rigid deployment constraints. +- Support for Microsoft’s Zero-Trust security model. 
+ +## Supported regions + +For Public Preview, Azure Operator 5G Core deployment is supported in the following Azure regions: - East US - UAE North @@ -104,9 +122,12 @@ Azure Operator 5G Core deployment is supported in: The table shows which versions of Azure Kubernetes/Nexus Azure Kubernetes K8s are compatible with the current Azure Operator 5G Core release. To use or update to the current version, these clusters need to be updated to the appropriate version. + |Azure Operator 5G Core Version |AKS K8s Version |Nexus K8s Version | |---------|---------|---------| -|2402.0 | 1.27.3 | 1.27.3 | +|2402.0 | 1.27.9 | 1.27.3 | + + ## Related content diff --git a/articles/operator-5g-core/toc.yml b/articles/operator-5g-core/toc.yml index 5036e74cb2357..fbccd42caabb0 100644 --- a/articles/operator-5g-core/toc.yml +++ b/articles/operator-5g-core/toc.yml @@ -29,7 +29,7 @@ items: href: quickstart-deploy-5g-core.md - name: Monitor the status of your Azure Operator 5G Core deployment href: quickstart-monitor-deployment-status.md - - name: Peform health and configuration checks post-deployment in Azure Operator 5G Core + - name: Perform health and configuration checks post-deployment in Azure Operator 5G Core href: quickstart-perform-checks-post-deployment.md - name: How-to guides items: @@ -48,4 +48,5 @@ items: - name: Reference items: - name: REST API Reference - href: /rest/api/mobilepacketcore \ No newline at end of file + href: /rest/api/mobilepacketcore + \ No newline at end of file diff --git a/articles/postgresql/flexible-server/concepts-major-version-upgrade.md b/articles/postgresql/flexible-server/concepts-major-version-upgrade.md index 69679407f9c48..e23cf868b62f4 100644 --- a/articles/postgresql/flexible-server/concepts-major-version-upgrade.md +++ b/articles/postgresql/flexible-server/concepts-major-version-upgrade.md 
@@ -4,7 +4,7 @@ description: Learn about the concepts of in-place major version upgrade with Azu author: kabharati ms.author: kabharati ms.reviewer: rajsell -ms.date: 01/16/2024 +ms.date: 03/18/2024 ms.service: postgresql ms.subservice: flexible-server ms.custom: references_regions 
@@ -46,13 +46,26 @@ Here are some of the important considerations with in-place major version upgrad - Once the in-place major version upgrade is successful, there are no automated ways to revert to the earlier version. However, you can perform a Point-In-Time Recovery (PITR) to a time prior to the upgrade to restore the previous version of the database instance. +## Major Version Upgrade Logs + +Major Version Upgrade Logs (PG_Upgrade_Logs) provides direct access to detailed logs through the [Server Logs](./how-to-server-logs-portal.md). Here’s how to integrate `PG_Upgrade_Logs` into your upgrade process, ensuring a smoother and more transparent transition to new PostgreSQL versions. + +#### Setting Up PostgreSQL Version Upgrade Logs +- **Access via Azure portal or CLI**: To start utilizing the PG_Upgrade_Logs feature, you can configure and access the logs either through the Azure portal or by using the [Command Line Interface (CLI)](./how-to-server-logs-cli.md). This flexibility allows you to choose the method that best fits your workflow. +- **Server Logs UI**: Once set up, the upgrade logs will be accessible through the Server Logs UI, where you can monitor the progress and details of your PostgreSQL major version upgrades in real time. This provides a centralized location for viewing logs, making it easier to track and troubleshoot the upgrade process. + +#### Utilizing Upgrade Logs for Troubleshooting + +- **Insightful Diagnostics**: The PG_Upgrade_Logs feature provides valuable insights into the upgrade process, capturing detailed information about the operations performed and highlighting any errors or warnings that occur. This level of detail is instrumental in diagnosing and resolving issues that may arise during the upgrade, ensuring a smoother transition. +- **Streamlined Troubleshooting**: With direct access to these logs, you can quickly identify and address potential upgrade obstacles, reducing downtime and minimizing the impact on your operations. 
The logs serve as a crucial tool in your troubleshooting arsenal, enabling more efficient and effective problem resolution. + ## Limitations If in-place major version upgrade pre-check operations fail, then the upgrade aborts with a detailed error message for all the below limitations. - In-place major version upgrade currently doesn't support read replicas, so if you have a read replica enabled server, you need to delete the replica before performing the upgrade on the primary server. After the upgrade, you can recreate the replica. -- Azure Database for PostgreSQL - Flexible Server requires the ability to send and receive traffic to destination ports 5432, and 6432 within VNET where Flexible Server is deployed, as well as to Azure storage for log archival. If you configure Network Security Groups (NSG) to restrict traffic to or from your Flexible Server within its deployed subnet, please make sure to allow traffic to destination ports 5432 and 6432 within the subnet and to Azure storage by using service tag **Azure Storage** as a destination.If network rules are not set up properly HA is not enabled automatically post a major version upgrade and you should manually enable HA. Please modify your NSG rules to allow traffic for the destination ports and storage as requested above and enable a high availability feature on the server. +- Azure Database for PostgreSQL - Flexible Server requires the ability to send and receive traffic to destination ports 5432, and 6432 within VNET where Flexible Server is deployed, as well as to Azure storage for log archival. 
If you configure Network Security Groups (NSG) to restrict traffic to or from your Flexible Server within its deployed subnet, make sure to allow traffic to destination ports 5432 and 6432 within the subnet and to Azure storage by using service tag **Azure Storage** as a destination.If network rules are not set up properly HA is not enabled automatically post a major version upgrade and you should manually enable HA. Modify your NSG rules to allow traffic for the destination ports and storage as requested above and enable a high availability feature on the server. - In-place major version upgrade doesn't support certain extensions and there are some limitations to upgrading certain extensions. The extensions **Timescaledb**, **pgaudit**, **dblink**, **orafce**, **pg_partman**, and **postgres_fdw** are unsupported for all PostgreSQL versions. diff --git a/articles/postgresql/flexible-server/overview.md b/articles/postgresql/flexible-server/overview.md index 3028903075d6e..94cd686212692 100644 --- a/articles/postgresql/flexible-server/overview.md +++ b/articles/postgresql/flexible-server/overview.md 
@@ -114,8 +114,8 @@ One advantage of running your workload in Azure is global reach. Azure Database | Poland Central| :heavy_check_mark: (v3/v4 only) | :heavy_check_mark: | :heavy_check_mark: | :x:| | North Central US | :heavy_check_mark: | :x: | :heavy_check_mark: | :heavy_check_mark: | | North Europe | :heavy_check_mark: (v3/v4 only) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| Norway East | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: | -| Norway West * | :heavy_check_mark: (v3/v4 only) | :x: | :heavy_check_mark: | :x: | +| Norway East | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Norway West * | :heavy_check_mark: (v3/v4 only) | :x: | :heavy_check_mark: | :heavy_check_mark: | | Qatar Central | :heavy_check_mark: (v3/v4 only) | :heavy_check_mark: | :heavy_check_mark: | :x: | | South Africa North | :heavy_check_mark: (v3/v4/v5 only) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | South Africa West* | :heavy_check_mark: (v3/v4/v5 only) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | 
@@ -126,11 +126,11 @@ One advantage of running your workload in Azure is global reach. Azure Database | Sweden South* | :heavy_check_mark: (v3/v4/v5 only) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Switzerland North | :heavy_check_mark: (v3/v4/v5 only) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Switzerland West*| :heavy_check_mark: (v3/v4/v5 only) | :x: | :heavy_check_mark: | :heavy_check_mark: | -| UAE Central* | :heavy_check_mark: (v3/v4 only) | :x: | :heavy_check_mark: | :x: | -| UAE North | :heavy_check_mark: (v3/v4/v5 only) | :heavy_check_mark: | :heavy_check_mark: | :x: | +| UAE Central* | :heavy_check_mark: (v3/v4 only) | :x: | :heavy_check_mark: | :heavy_check_mark: | +| UAE North | :heavy_check_mark: (v3/v4/v5 only) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | US Gov Arizona | :heavy_check_mark: (v3/v4 only) | :x: | :heavy_check_mark: | :x: | -| US Gov Texas | :heavy_check_mark: (v3/v4 only) | :x: | :heavy_check_mark: | :x: | -| US Gov Virginia | :heavy_check_mark: (v3/v4 only) | :heavy_check_mark: | :heavy_check_mark: | :x: | +| US Gov Texas | :heavy_check_mark: (v3/v4 only) | :x: | :heavy_check_mark: | :heavy_check_mark: | +| US Gov Virginia | :heavy_check_mark: (v3/v4 only) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:| | UK South | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | UK West | :heavy_check_mark: | :x: | :heavy_check_mark: | :heavy_check_mark: | | West Central US | :heavy_check_mark: | :x: | :heavy_check_mark: | :heavy_check_mark: | diff --git a/articles/reliability/reliability-ddos.md b/articles/reliability/reliability-ddos.md index 12c80cce83a01..0a1ed29721337 100644 --- a/articles/reliability/reliability-ddos.md +++ b/articles/reliability/reliability-ddos.md 
@@ -22,14 +22,6 @@ This article describes reliability support in [Azure DDoS Network Protection](.. Azure DDoS Protection is [zone-redundant](./availability-zones-overview.md#zonal-and-zone-redundant-services) by default and is managed by the service itself. You don't need to configure or setup zone redundancy yourself. -### Prerequisites - - - -### Zone down experience - - - ### Cross-region disaster recovery and business continuity [!INCLUDE [introduction to disaster recovery](includes/reliability-disaster-recovery-description-include.md)] diff --git a/articles/service-bus-messaging/service-bus-auto-forwarding.md b/articles/service-bus-messaging/service-bus-auto-forwarding.md index 5c7c65e381a00..84e792e562a67 100644 --- a/articles/service-bus-messaging/service-bus-auto-forwarding.md +++ b/articles/service-bus-messaging/service-bus-auto-forwarding.md @@ -1,5 +1,5 @@ --- -title: Auto-forwarding Azure Service Bus messaging entities +title: Autoforwarding Azure Service Bus messaging entities description: This article describes how to chain an Azure Service Bus queue or subscription to another queue or topic. ms.topic: article ms.date: 07/27/2022 
@@ -18,12 +18,12 @@ The destination entity must exist at the time the source entity is created. If t ## Scenarios ### Scale out an individual topic -You can use autoforwarding to scale out an individual topic. Service Bus limits the [number of subscriptions on a given topic](service-bus-quotas.md) to 2,000. You can accommodate additional subscriptions by creating second-level topics. Even if you aren't bound by the Service Bus limitation on the number of subscriptions, adding a second level of topics can improve the overall throughput of your topic. +You can use autoforwarding to scale out an individual topic. Service Bus limits the [number of subscriptions on a given topic](service-bus-quotas.md) to 2,000. You can accommodate more subscriptions by creating second-level topics. Even if you aren't bound by the Service Bus limitation on the number of subscriptions, adding a second level of topics can improve the overall throughput of your topic. ![Diagram of an autoforwarding scenario showing a message processed through an Orders Topic that can branch to any of three second-level Orders Topics.][0] ### Decouple message senders from receivers -You can also use autoforwarding to decouple message senders from receivers. For example, consider an ERP system that consists of three modules: order processing, inventory management, and customer relations management. Each of these modules generates messages that are enqueued into a corresponding topic. Alice and Bob are sales representatives that are interested in all messages that relate to their customers. To receive those messages, Alice and Bob each create a personal queue and a subscription on each of the ERP topics that automatically forward all messages to their queue. +You can also use autoforwarding to decouple message senders from receivers. For example, consider an Enterprise Resource Planning (ERP) system that consists of three modules: order processing, inventory management, and customer relations management. 
Each of these modules generates messages that are enqueued into a corresponding topic. Alice and Bob are sales representatives that are interested in all messages that relate to their customers. To receive those messages, Alice and Bob each create a personal queue and a subscription on each of the ERP topics that automatically forward all messages to their queue. ![Diagram of an autoforwarding scenario showing three processing modules sending messages through three corresponding topics to two separate queues.][1] 
@@ -37,14 +37,16 @@ If Alice goes on vacation, her personal queue, rather than the ERP topic, fills ## Autoforwarding considerations +- Service Bus doesn't allow creating a message receiver on a source entity with autoforwarding enabled. - If the destination entity accumulates too many messages and exceeds the quota, or the destination entity is disabled, the source entity adds the messages to its [dead-letter queue](service-bus-dead-letter-queues.md) until there's space in the destination (or the entity is re-enabled). Those messages continue to live in the dead-letter queue, so you must explicitly receive and process them from the dead-letter queue. - When chaining together individual topics to obtain a composite topic with many subscriptions, it's recommended that you have a moderate number of subscriptions on the first-level topic and many subscriptions on the second-level topics. For example, a first-level topic with 20 subscriptions, each of them chained to a second-level topic with 200 subscriptions, allows for higher throughput than a first-level topic with 200 subscriptions, each chained to a second-level topic with 20 subscriptions. - Service Bus bills one operation for each forwarded message. For example, sending a message to a topic with 20 subscriptions, each of them configured to autoforward messages to another queue or topic, is billed as 21 operations if all first-level subscriptions receive a copy of the message. - To create a subscription that is chained to another queue or topic, the creator of the subscription must have **Manage** permissions on both the source and the destination entity. Sending messages to the source topic only requires **Send** permissions on the source topic. -- Don't create a chain that exceeds four hops. Messages that exceed four hops are dead-lettered. +- Don't create a chain that exceeds four hops. Messages that exceed four hops are dead-lettered. 
The hop count of a message is incremented when a message is autoforwarded from one queue or topic to another queue or topic. The hop count of a message can also be incremented in the [send via](service-bus-transactions.md#transfers-and-send-via) scenario in which a message is sent via a transfer queue. - Autoforwarding isn't supported for session-enabled queues or subscriptions. - Source queue tries to forward messages to the destination entity in the same order it received, but the destination could be a topic that doesn't support ordering. If either the source or destination entity is a partitioned entity, order isn't guaranteed. + ## Next steps To learn how to enable or disable auto forwarding in different ways (Azure portal, PowerShell, CLI, Azure Resource Management template, etc.), see [Enable auto forwarding for queues and subscriptions](enable-auto-forward.md). diff --git a/articles/service-bus-messaging/service-bus-geo-dr.md b/articles/service-bus-messaging/service-bus-geo-dr.md index 065031a38d261..62f35c25f2645 100644 --- a/articles/service-bus-messaging/service-bus-geo-dr.md +++ b/articles/service-bus-messaging/service-bus-geo-dr.md 
@@ -32,7 +32,7 @@ The Geo-Disaster recovery feature ensures that the entire configuration of a nam - Enable auto scale - Disable local authentication - Pairing a [partitioned namespace](enable-partitions-premium.md) with a non-partitioned namespace isn't supported. -- If `AutoDeleteOnIdle` is turned on an entity, the entity might not be present in the secondary namespace when the failover occurs. When the secondary becomes primary the last access status, which is not part of the metadata, won't be available to the new primary and entity may be deleted as part of `AutoDeleteOnIdle` clean up. +- If `AutoDeleteOnIdle` is enabled for an entity, the entity might not be present in the secondary namespace when the failover occurs. When the secondary becomes primary the last access status, which is not part of the metadata, won't be available to the new primary and entity may be deleted as part of `AutoDeleteOnIdle` clean up. > [!TIP] > For replicating the contents of queues and topic subscriptions and operating corresponding namespaces in active/active configurations to cope with outages and disasters, don't lean on this Geo-disaster recovery feature set, but follow the [replication guidance](service-bus-federation-overview.md). 
@@ -197,7 +197,7 @@ If pairing between primary and secondary namespace already exists, private endpo ### Recommended configuration When creating a disaster recovery configuration for your application and Service Bus, you must create private endpoints for both primary and secondary Service Bus namespaces against virtual networks hosting both primary and secondary instances of your application. -Let's say you have two virtual networks: VNET-1, VNET-2 and these primary and second namespaces: `ServiceBus-Namespace1-Primary`, `ServiceBus-Namespace2-Secondary`. You need to do the following steps: +Let's say you have two virtual networks: VNET-1, VNET-2 and these primary and secondary namespaces: `ServiceBus-Namespace1-Primary`, `ServiceBus-Namespace2-Secondary`. You need to do the following steps: - On `ServiceBus-Namespace1-Primary`, create two private endpoints that use subnets from VNET-1 and VNET-2 - On `ServiceBus-Namespace2-Secondary`, create two private endpoints that use the same subnets from VNET-1 and VNET-2 diff --git a/articles/service-fabric/release-notes.md b/articles/service-fabric/release-notes.md index 0d226da1bd7dd..63db787e4cd45 100644 --- a/articles/service-fabric/release-notes.md +++ b/articles/service-fabric/release-notes.md @@ -35,6 +35,7 @@ We're excited to announce that the 10.1 release of the Service Fabric runtime ha | Release date | Release | More info | |---|---|---| | November 1, 2023 | Azure Service Fabric 10.1 Release | [Release notes](https://github.com/microsoft/service-fabric/blob/master/release_notes/Service_Fabric_ReleaseNotes_101RTO.md) | +| April 1, 2024 | Azure Service Fabric 10.1 Second Refresh Release | [Release notes](https://github.com/microsoft/service-fabric/blob/master/release_notes/Service_Fabric_ReleaseNotes_101CU2.md) | ## Service Fabric 10.0 
@@ -54,6 +55,7 @@ We're excited to announce that the 10.0 release of the Service Fabric runtime ha |---|---|---| | September 09, 2023 | Azure Service Fabric 10.0 Release | [Release notes](https://github.com/microsoft/service-fabric/blob/master/release_notes/Service_Fabric_ReleaseNotes_10.md) | | November 1, 2023 | Azure Service Fabric 10.0 First Refresh Release | [Release notes](https://github.com/microsoft/service-fabric/blob/master/release_notes/Service_Fabric_ReleaseNotes_100CU1.md) | +| April 1, 2024 | Azure Service Fabric 10.1 Third Refresh Release | [Release notes](https://github.com/microsoft/service-fabric/blob/master/release_notes/Service_Fabric_ReleaseNotes_100CU3.md) | ## Service Fabric 9.1 @@ -76,6 +78,7 @@ Instead, you should enable Automatic OS upgrades through Virtual Machine Scale S | June 19, 2023 | Azure Service Fabric 9.1 Fifth Refresh Release | [Release notes](https://github.com/microsoft/service-fabric/blob/master/release_notes/Service_Fabric_ReleaseNotes_91CU5.md) | | August 30, 2023 | Azure Service Fabric 9.1 Sixth Refresh Release | [Release notes](https://github.com/microsoft/service-fabric/blob/master/release_notes/Service_Fabric_ReleaseNotes_91CU6.md) | | November 1, 2023 | Azure Service Fabric 9.1 Seventh Refresh Release | [Release notes](https://github.com/microsoft/service-fabric/blob/master/release_notes/Service_Fabric_ReleaseNotes_91CU7.md) | +| April 1, 2024 | Azure Service Fabric 9.1 Ninth Refresh Release | [Release notes](https://github.com/microsoft/service-fabric/blob/master/release_notes/Service_Fabric_ReleaseNotes_91CU9.md) | ## Service Fabric 9.0 
@@ -251,8 +254,8 @@ We also have published updates to end of support date for major releases startin #### Improve application life cycle experience -- **[Preview:Request drain](./service-fabric-application-upgrade-advanced.md#avoid-connection-drops-during-stateless-service-planned-downtime)**: During planned service maintenance, such as service upgrades or node deactivation, you would like to allow the services to gracefully drain connections. This feature adds an instance close delay duration in the service configuration. During planned operations, SF removes the Service's address from discovery and then wait this duration before shutting down the service. -- **[Automatic Subcluster Detection and Balancing](./cluster-resource-manager-subclustering.md)**: Subclustering happens when services with different placement constraints have a common [load metric](./service-fabric-cluster-resource-manager-metrics.md). If the load on the different sets of nodes differs significantly, the Service Fabric Cluster Resource Manager believes that the cluster is imbalanced, even when it has the best possible balance because of the placement constraints. As a result, it attempts to rebalance the cluster, potentially causing unnecessary service movements (since the "imbalance" can't be substantially improved). Starting with this release, the Cluster Resource Manager will now attempt to automatically detect these sorts of configurations and understand when the imbalance can be fixed through movement, and when instead it should leave things alone since no substantial improvement can be made. +- **[Preview:Request drain](./service-fabric-application-upgrade-advanced.md#avoid-connection-drops-during-stateless-service-planned-downtime)**: During planned service maintenance, such as service upgrades or node deactivation, you would like to allow the services to gracefully drain connections. This feature adds an instance close delay duration in the service configuration. 
During planned operations, SF removes the Service's address from discovery and then waits this duration before shutting down the service. +- **[Automatic Subcluster Detection and Balancing](./cluster-resource-manager-subclustering.md)**: Subclustering happens when services with different placement constraints have a common [load metric](./service-fabric-cluster-resource-manager-metrics.md). If the load on the different sets of nodes differs significantly, the Service Fabric Cluster Resource Manager believes that the cluster is imbalanced, even when it has the best possible balance because of the placement constraints. As a result, it attempts to rebalance the cluster, potentially causing unnecessary service movements (since the "imbalance" can't be substantially improved). The Cluster Resource Manager will now attempt to automatically detect these sorts of configurations and understand when the imbalance can be fixed through movement, and when instead it should leave things alone since no substantial improvement can be made. - [**Different Move cost for secondary replicas**](./service-fabric-cluster-resource-manager-movement-cost.md): We have introduced new move cost value VeryHigh that provides more flexibility in some scenarios to define if a separate move cost should be used for secondary replicas. - Enabled [**Liveness Probe**](./probes-codepackage.md) mechanism for containerized applications. Liveness Probe help announce the liveness of the containerized application and when they don't respond in a timely fashion, it results in a restart. - [**Run to completion/once for services**](./run-to-completion.md)** 
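Review bot: the "wait" to "waits" fix is right, but the same bullet still has "Preview:Request drain" with no space after the colon, and the Liveness Probe bullet has a subject/verb mismatch ("Liveness Probe help announce the liveness of the containerized application and when they don't respond"); suggest "Liveness Probes announce the liveness of a containerized application; when the application doesn't respond in a timely fashion, the container is restarted." The last bullet, `[**Run to completion/once for services**](./run-to-completion.md)**`, carries a stray trailing `**` that renders as literal asterisks.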
@@ -312,7 +315,7 @@ We will also update our planned release dates to indicate that we take this poli - Announcing availability of the [**ReliableCollectionsMissingTypesTool**](https://github.com/hiadusum/ReliableCollectionsMissingTypesTool): This tool helps validate that types used in reliable collections are forward and backward compatible during a rolling application upgrade. This helps prevent upgrade failures or data loss and data corruption due to missing or incompatible types. -- [**Enable stable reads on secondary replicas**](./service-fabric-reliable-services-configuration.md#configuration-names-1):Stable reads restrict secondary replicas to returning values which have been quorum-acked. +- [**Enable stable reads on secondary replicas**](./service-fabric-reliable-services-configuration.md#configuration-names-1): Stable reads restrict secondary replicas to returning values which have been quorum-acked. In addition, this release contains other new features, bug fixes, and supportability, reliability, and performance improvements. For the full list of changes, please refer to the [release notes](https://github.com/Azure/service-fabric/blob/master/release_notes/Service_Fabric_ReleaseNotes_70.md). diff --git a/articles/service-fabric/service-fabric-cluster-fabric-settings.md b/articles/service-fabric/service-fabric-cluster-fabric-settings.md index 866aa9667d781..cc8be3e0992c0 100644 --- a/articles/service-fabric/service-fabric-cluster-fabric-settings.md +++ b/articles/service-fabric/service-fabric-cluster-fabric-settings.md 
@@ -26,7 +26,7 @@ The following is a list of Fabric settings that you can customize, organized by | --- | --- | --- | --- | |ApplicationCertificateValidationPolicy|string, default is "None"|Static| This doesn't validate the server certificate; succeed the request. Refer to config ServiceCertificateThumbprints for the comma-separated list of thumbprints of the remote certs that the reverse proxy can trust. Refer to config ServiceCommonNameAndIssuer for the subject name and issuer thumbprint of the remote certs that the reverse proxy can trust. To learn more, see [Reverse proxy secure connection](service-fabric-reverseproxy-configure-secure-communication.md#secure-connection-establishment-between-the-reverse-proxy-and-services). | |BodyChunkSize |Uint, default is 16384 |Dynamic| Gives the size of for the chunk in bytes used to read the body. | -|CrlCheckingFlag|uint, default is 0x40000000 |Dynamic| Flags for application/service certificate chain validation; e.g. CRL checking 0x10000000 CERT_CHAIN_REVOCATION_CHECK_END_CERT 0x20000000 CERT_CHAIN_REVOCATION_CHECK_CHAIN 0x40000000 CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT 0x80000000 CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY Setting to 0 disables CRL checking Full list of supported values is documented by dwFlags of CertGetCertificateChain: https://msdn.microsoft.com/library/windows/desktop/aa376078(v=vs.85).aspx | +|CrlCheckingFlag|uint, default is 0x40000000 |Dynamic| Flags for application/service certificate chain validation; for example, CRL checking 0x10000000 CERT_CHAIN_REVOCATION_CHECK_END_CERT 0x20000000 CERT_CHAIN_REVOCATION_CHECK_CHAIN 0x40000000 CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT 0x80000000 CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY Setting to 0 disables CRL checking Full list of supported values is documented by dwFlags of CertGetCertificateChain: https://msdn.microsoft.com/library/windows/desktop/aa376078(v=vs.85).aspx | |DefaultHttpRequestTimeout |Time in seconds. 
default is 120 |Dynamic|Specify timespan in seconds. Gives the default request timeout for the http requests being processed in the http app gateway. | |ForwardClientCertificate|bool, default is FALSE|Dynamic|When set to false, reverse proxy won't request for the client certificate. When set to true, reverse proxy requests for the client certificate during the TLS handshake and forward the base64 encoded PEM format string to the service in a header named X-Client-Certificate. The service can fail the request with appropriate status code after inspecting the certificate data. If this is true and client doesn't present a certificate, reverse proxy forwards an empty header and let the service handle the case. Reverse proxy acts as a transparent layer. To learn more, see [Set up client certificate authentication](service-fabric-reverseproxy-configure-secure-communication.md#setting-up-client-certificate-authentication-through-the-reverse-proxy). | |GatewayAuthCredentialType |string, default is "None" |Static| Indicates the type of security credentials to use at the http app gateway endpoint Valid values are None/X509. | 
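Review bot: swapping "e.g." for "for example," leaves the CrlCheckingFlag description as one run-on in which the four flag values and their names are not separated from each other or from the following sentences ("...CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY Setting to 0 disables CRL checking Full list of supported values..."). Break it into a list (`0x10000000 CERT_CHAIN_REVOCATION_CHECK_END_CERT`, `0x20000000 CERT_CHAIN_REVOCATION_CHECK_CHAIN`, and so on), end each sentence, and spell out the consequence of 0: with CRL checking disabled, a revoked service certificate is still accepted by the reverse proxy. The msdn.microsoft.com link for CertGetCertificateChain is a legacy redirect; point it at the current learn.microsoft.com reference for that function. In the ForwardClientCertificate context line, since the service is expected to trust the X-Client-Certificate header, the description should say whether the reverse proxy strips any X-Client-Certificate header supplied by the client before forwarding; otherwise a reader cannot tell whether the header can be spoofed.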
@@ -38,7 +38,7 @@ The following is a list of Fabric settings that you can customize, organized by |IgnoreCrlOfflineError|bool, default is TRUE|Dynamic|Whether to ignore CRL offline error for application/service certificate verification. | |IsEnabled |Bool, default is false |Static| Enables/Disables the HttpApplicationGateway. HttpApplicationGateway is disabled by default and this config needs to be set to enable it. | |NumberOfParallelOperations | Uint, default is 5000 |Static|Number of reads to post to the http server queue. This controls the number of concurrent requests that can be satisfied by the HttpGateway. | -|RemoveServiceResponseHeaders|string, default is "Date; Server"|Static|Semi colon/ comma-separated list of response headers that is removed from the service response; before forwarding it to the client. If this is set to empty string; pass all the headers returned by the service as-is. i.e don't overwrite the Date and Server | +|RemoveServiceResponseHeaders|string, default is "Date; Server"|Static|Semi colon/ comma-separated list of response headers that is removed from the service response; before forwarding it to the client. If this is set to empty string; pass all the headers returned by the service as-is. i.e, don't overwrite the Date and Server | |ResolveServiceBackoffInterval |Time in seconds, default is 5 |Dynamic|Specify timespan in seconds. Gives the default back-off interval before retrying a failed resolve service operation. | |SecureOnlyMode|bool, default is FALSE|Dynamic| SecureOnlyMode: true: Reverse Proxy will only forward to services that publish secure endpoints. false: Reverse Proxy can forward requests to secure/non-secure endpoints. To learn more, see [Reverse proxy endpoint selection logic](service-fabric-reverseproxy-configure-secure-communication.md#endpoint-selection-logic-when-services-expose-secure-as-well-as-unsecured-endpoints). 
| |ServiceCertificateThumbprints|string, default is ""|Dynamic|The comma-separated list of thumbprints of the remote certs that the reverse proxy can trust. To learn more, see [Reverse proxy secure connection](service-fabric-reverseproxy-configure-secure-communication.md#secure-connection-establishment-between-the-reverse-proxy-and-services). | 
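Review bot: "i.e don't" was changed to "i.e, don't", which is still mispunctuated; use "i.e., don't" or "that is, don't". While on this row, "Semi colon/ comma-separated list of response headers that is removed" should read "Semicolon- or comma-separated list of response headers that are removed". In the context lines, IgnoreCrlOfflineError defaults to TRUE, so when the CRL cannot be fetched the certificate check passes even if CrlCheckingFlag is set; the description should state that this default is fail-open rather than leaving the reader to infer it.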
@@ -79,7 +79,7 @@ The following is a list of Fabric settings that you can customize, organized by | **Parameter** | **Allowed Values** | **Upgrade Policy** | **Guidance or Short Description** | | --- | --- | --- | --- | -|AllowCustomUpgradeSortPolicies | Bool, default is false |Dynamic|Whether or not custom upgrade sort policies are allowed. This is used to perform 2-phase upgrade enabling this feature. Service Fabric 6.5 adds support for specifying sort policy for upgrade domains during cluster- or application upgrades. Supported policies are Numeric, Lexicographical, ReverseNumeric and ReverseLexicographical. The default is Numeric. To be able to use this feature, the cluster manifest setting ClusterManager/ AllowCustomUpgradeSortPolicies must be set to True as a second config upgrade step after the SF 6.5 code has completed upgrade. It is important that this is done on two phases, otherwise the code upgrade may get confused about the upgrade order during the first upgrade.| +|AllowCustomUpgradeSortPolicies | Bool, default is false |Dynamic|Whether or not custom upgrade sort policies are allowed. This is used to perform 2-phase upgrade enabling this feature. Service Fabric 6.5 adds support for specifying sort policy for upgrade domains during cluster- or application upgrades. Supported policies are Numeric, Lexicographical, ReverseNumeric, and ReverseLexicographical. The default is Numeric. To be able to use this feature, the cluster manifest setting ClusterManager/ AllowCustomUpgradeSortPolicies must be set to True as a second config upgrade step after the SF 6.5 code has completed upgrade. It is important that this is done on two phases, otherwise the code upgrade may get confused about the upgrade order during the first upgrade.| |EnableDefaultServicesUpgrade | Bool, default is false |Dynamic|Enable upgrading default services during application upgrade. Default service descriptions would be overwritten after upgrade. 
| |FabricUpgradeHealthCheckInterval |Time in seconds, default is 60 |Dynamic|The frequency of health status check during a monitored Fabric upgrade | |FabricUpgradeStatusPollInterval |Time in seconds, default is 60 |Dynamic|The frequency of polling for Fabric upgrade status. This value determines the rate of update for any GetFabricUpgradeProgress call | 
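Review bot: the Oxford comma is fine, but the AllowCustomUpgradeSortPolicies row still says "done on two phases" (should be "in two phases") and has a stray space in "ClusterManager/ AllowCustomUpgradeSortPolicies". "the code upgrade may get confused about the upgrade order" is vague for a setting whose misuse affects upgrade-domain ordering; say what actually happens if the flag is enabled in the same upgrade as the 6.5 code (for example, that the pre-6.5 code does not understand the sort policy and may walk upgrade domains in the wrong order).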
@@ -88,11 +88,11 @@ The following is a list of Fabric settings that you can customize, organized by |InfrastructureTaskHealthCheckStableDuration | Time in seconds, default is 0|Dynamic| Specify timespan in seconds. The amount of time to observe consecutive passed health checks before post-processing of an infrastructure task finishes successfully. Observing a failed health check resets this timer. | |InfrastructureTaskHealthCheckWaitDuration |Time in seconds, default is 0|Dynamic| Specify timespan in seconds. The amount of time to wait before starting health checks after post-processing an infrastructure task. | |InfrastructureTaskProcessingInterval | Time in seconds, default is 10 |Dynamic|Specify timespan in seconds. The processing interval used by the infrastructure task processing state machine. | -|MaxCommunicationTimeout |Time in seconds, default is 600 |Dynamic|Specify timespan in seconds. The maximum timeout for internal communications between ClusterManager and other system services (i.e.; Naming Service; Failover Manager and etc.). This timeout should be smaller than global MaxOperationTimeout (as there might be multiple communications between system components for each client operation). | +|MaxCommunicationTimeout |Time in seconds, default is 600 |Dynamic|Specify timespan in seconds. The maximum timeout for internal communications between ClusterManager and other system services (that is; Naming Service; Failover Manager and etc.). This timeout should be smaller than global MaxOperationTimeout (as there might be multiple communications between system components for each client operation). | |MaxDataMigrationTimeout |Time in seconds, default is 600 |Dynamic|Specify timespan in seconds. The maximum timeout for data migration recovery operations after a Fabric upgrade has taken place. | |MaxOperationRetryDelay |Time in seconds, default is 5|Dynamic| Specify timespan in seconds. The maximum delay for internal retries when failures are encountered. 
| |MaxOperationTimeout |Time in seconds, default is MaxValue |Dynamic| Specify timespan in seconds. The maximum global timeout for internally processing operations on ClusterManager. | -|MaxTimeoutRetryBuffer | Time in seconds, default is 600 |Dynamic|Specify timespan in seconds. The maximum operation timeout when internally retrying due to timeouts is ` + `. Additional timeout is added in increments of MinOperationTimeout. | +|MaxTimeoutRetryBuffer | Time in seconds, default is 600 |Dynamic|Specify timespan in seconds. The maximum operation timeout when internally retrying due to timeouts is ` + `. More timeout is added in increments of MinOperationTimeout. | |MinOperationTimeout | Time in seconds, default is 60 |Dynamic|Specify timespan in seconds. The minimum global timeout for internally processing operations on ClusterManager. | |MinReplicaSetSize |Int, default is 3 |Not Allowed|The MinReplicaSetSize for ClusterManager. | |PlacementConstraints | string, default is "" |Not Allowed|The PlacementConstraints for ClusterManager. | @@ -134,7 +134,7 @@ The following is a list of Fabric settings that you can customize, organized by ## DefragmentationMetricsPercentOrNumberOfEmptyNodesTriggeringThreshold | **Parameter** | **Allowed Values** |**Upgrade Policy**| **Guidance or Short Description** | | --- | --- | --- | --- | -|PropertyGroup|KeyDoubleValueMap, default is None|Dynamic|Determines the number of free nodes which are needed to consider cluster defragmented by specifying either percent in range [0.0 - 1.0] or number of empty nodes as number >= 1.0 | +|PropertyGroup|KeyDoubleValueMap, default is None|Dynamic|Determines the number of free nodes, which are needed to consider cluster defragmented by specifying either percent in range [0.0 - 1.0] or number of empty nodes as number >= 1.0 | ## Diagnostics 
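Review bot: "i.e.;" became "that is;" but the rest of the parenthetical still reads "Naming Service; Failover Manager and etc.", which is both semicolon-separated and redundant ("and etc."); suggest "(that is, Naming Service, Failover Manager, and so on)". The MaxTimeoutRetryBuffer row contains an empty placeholder, "is ` + `.", where the formula was lost, so the sentence says nothing; restore the expression (presumably the base timeout plus MaxTimeoutRetryBuffer) or drop the clause, and keep "Additional timeout" rather than "More timeout", which reads worse. In the @@ -134 hunk, adding a comma after "free nodes" turns a restrictive clause ("free nodes which are needed to consider the cluster defragmented") into a nonrestrictive one and changes the meaning; revert that comma.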
@@ -144,7 +144,7 @@ The following is a list of Fabric settings that you can customize, organized by |AppDiagnosticStoreAccessRequiresImpersonation |Bool, default is true | Dynamic |Whether or not impersonation is required when accessing diagnostic stores on behalf of the application. | |AppEtwTraceDeletionAgeInDays |Int, default is 3 | Dynamic |Number of days after which we delete old ETL files containing application ETW traces. | |ApplicationLogsFormatVersion |Int, default is 0 | Dynamic |Version for application logs format. Supported values are 0 and 1. Version 1 includes more fields from the ETW event record than version 0. | -|AuditHttpRequests |Bool, default is false | Dynamic | Turn HTTP auditing on or off. The purpose of auditing is to see the activities that have been performed against the cluster; including who initiated the request. Note that this is a best attempt logging; and trace loss may occur. HTTP requests with "User" authentication is not recorded. | +|AuditHttpRequests |Bool, default is false | Dynamic | Turn HTTP auditing on or off. The purpose of auditing is to see the activities that have been performed against the cluster; including who initiated the request. This is a best attempt logging; and trace loss may occur. HTTP requests with "User" authentication is not recorded. | |CaptureHttpTelemetry|Bool, default is true | Dynamic | Turn HTTP telemetry on or off. The purpose of telemetry is for Service Fabric to be able to capture telemetry data to help plan future work and identify problem areas. Telemetry doesn't record any personal data or the request body. Telemetry captures all HTTP requests unless otherwise configured. | |ClusterId |String | Dynamic |The unique ID of the cluster. This is generated when the cluster is created. | |ConsumerInstances |String | Dynamic |The list of DCA consumer instances. | 
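Review bot: the AuditHttpRequests description still has "This is a best attempt logging" (should be "This is best-effort logging") and "HTTP requests with "User" authentication is not recorded" (should be "are not recorded"). Since this setting is the cluster's record of who performed which action, the two gaps it admits (possible trace loss and the exclusion of requests authenticated as "User") are the most important facts in the row; state them as separate sentences so an operator planning to rely on the audit log for incident response sees that it is not complete.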
@@ -163,15 +163,15 @@ The following is a list of Fabric settings that you can customize, organized by |EnablePartitionedQuery|bool, default is FALSE|Static|The flag to enable support for DNS queries for partitioned services. The feature is turned off by default. For more information, see [Service Fabric DNS Service.](service-fabric-dnsservice.md)| |ForwarderPoolSize|Int, default is 20|Static|The number of forwarders in the forwarding pool.| |ForwarderPoolStartPort|Int, default is 16700|Static|The start address for the forwarding pool that is used for recursive queries.| -|InstanceCount|int, default is -1|Static|Default value is -1 which means that DnsService is running on every node. OneBox needs this to be set to 1 since DnsService uses well known port 53, so it cannot have multiple instances on the same machine.| +|InstanceCount|int, default is -1|Static|Default value is -1, which means that DnsService is running on every node. OneBox needs this to be set to 1 since DnsService uses well known port 53, so it cannot have multiple instances on the same machine.| |IsEnabled|bool, default is FALSE|Static|Enables/Disables DnsService. DnsService is disabled by default and this config needs to be set to enable it. | -|PartitionPrefix|string, default is "--"|Static|Controls the partition prefix string value in DNS queries for partitioned services. The value:
  • Should be RFC-compliant as it will be part of a DNS query.
  • Shouldn't contain a dot, '.', as dot interferes with DNS suffix behavior.
  • Shouldn't be longer than 5 characters.
  • Cannot be an empty string.
  • If the PartitionPrefix setting is overridden, then PartitionSuffix must be overridden, and vice-versa.
For more information, see [Service Fabric DNS Service.](service-fabric-dnsservice.md).| -|PartitionSuffix|string, default is ""|Static|Controls the partition suffix string value in DNS queries for partitioned services. The value:
  • Should be RFC-compliant as it will be part of a DNS query.
  • Shouldn't contain a dot, '.', as dot interferes with DNS suffix behavior.
  • Shouldn't be longer than 5 characters.
  • If the PartitionPrefix setting is overridden, then PartitionSuffix must be overridden, and vice-versa.
For more information, see [Service Fabric DNS Service.](service-fabric-dnsservice.md). | +|PartitionPrefix|string, default is "--"|Static|Controls the partition prefix string value in DNS queries for partitioned services. The value:
  • Should be RFC-compliant as it is part of a DNS query.
  • Shouldn't contain a dot, '.', as dot interferes with DNS suffix behavior.
  • Shouldn't be longer than five characters.
  • Cannot be an empty string.
  • If the PartitionPrefix setting is overridden, then PartitionSuffix must be overridden, and vice-versa.
For more information, see [Service Fabric DNS Service.](service-fabric-dnsservice.md).| +|PartitionSuffix|string, default is ""|Static|Controls the partition suffix string value in DNS queries for partitioned services. The value:
  • Should be RFC-compliant as it is part of a DNS query.
  • Shouldn't contain a dot, '.', as dot interferes with DNS suffix behavior.
  • Shouldn't be longer than five characters.
  • If the PartitionPrefix setting is overridden, then PartitionSuffix must be overridden, and vice-versa.
For more information, see [Service Fabric DNS Service.](service-fabric-dnsservice.md). | |RecursiveQueryParallelMaxAttempts|Int, default is 0|Static|The number of times parallel queries are attempted. Parallel queries are executed after the max attempts for serial queries have been exhausted.| |RecursiveQueryParallelTimeout|TimeSpan, default is Common::TimeSpan::FromSeconds(5)|Static|The timeout value in seconds for each attempted parallel query.| |RecursiveQuerySerialMaxAttempts|Int, default is 2|Static|The number of serial queries that are attempted, at most. If this number is higher than the number of forwarding DNS servers, querying stops once all the servers have been attempted exactly once.| |RecursiveQuerySerialTimeout|TimeSpan, default is Common::TimeSpan::FromSeconds(5)|Static|The timeout value in seconds for each attempted serial query.| -|TransientErrorMaxRetryCount|Int, default is 3|Static|Controls the number of times SF DNS will retry when a transient error occurs while calling SF APIs (e.g. when retrieving names and endpoints).| +|TransientErrorMaxRetryCount|Int, default is 3|Static|Controls the number of times SF DNS retries when a transient error occurs while calling SF APIs (for example, when retrieving names and endpoints).| |TransientErrorRetryIntervalInMillis|Int, default is 0|Static|Sets the delay in milliseconds between retries for when SF DNS calls SF APIs.| ## EventStoreService 
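Review bot: "Should be RFC-compliant as it is part of a DNS query" does not say which RFC; name the hostname label rules it has to satisfy (allowed characters and length) so a reader can actually validate a PartitionPrefix or PartitionSuffix value. "well known port 53" should be "well-known port 53". The context rows RecursiveQueryParallelTimeout and RecursiveQuerySerialTimeout give the default as "Common::TimeSpan::FromSeconds(5)", which is an internal C++ expression leaked into user documentation; write "5" like the rest of the table.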
@@ -201,9 +201,9 @@ The following is a list of Fabric settings that you can customize, organized by | **Parameter** | **Allowed Values** | **Upgrade Policy** | **Guidance or Short Description** | | --- | --- | --- | --- | -|ActivationMaxFailureCount |Int, default is 10 |Dynamic|This is the maximum count for which system will retry failed activation before giving up. | +|ActivationMaxFailureCount |Int, default is 10 |Dynamic|This is the maximum count for which system retries failed activation before giving up. | |ActivationMaxRetryInterval |Time in seconds, default is 300 |Dynamic|Specify timespan in seconds. Max retry interval for Activation. On every continuous failure the retry interval is calculated as Min( ActivationMaxRetryInterval; Continuous Failure Count * ActivationRetryBackoffInterval). | -|ActivationRetryBackoffInterval |Time in seconds, default is 5 |Dynamic|Specify timespan in seconds. Backoff interval on every activation failure; On every continuous activation failure the system will retry the activation for up to the MaxActivationFailureCount. The retry interval on every try is a product of continuous activation failure and the activation back-off interval. | +|ActivationRetryBackoffInterval |Time in seconds, default is 5 |Dynamic|Specify timespan in seconds. Backoff interval on every activation failure; On every continuous activation failure, the system retries the activation for up to the MaxActivationFailureCount. The retry interval on every try is a product of continuous activation failure and the activation back-off interval. | |EnableRestartManagement |Bool, default is false |Dynamic|This is to enable server restart. | |EnableServiceFabricAutomaticUpdates |Bool, default is false |Dynamic|This is to enable fabric automatic update via Windows Update. | |EnableServiceFabricBaseUpgrade |Bool, default is false |Dynamic|This is to enable base update for server. | 
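Review bot: the ActivationRetryBackoffInterval row says the system retries "for up to the MaxActivationFailureCount", but no setting by that name exists in this table; the setting is ActivationMaxFailureCount, and the name should match. The formula in ActivationMaxRetryInterval, "Min( ActivationMaxRetryInterval; Continuous Failure Count * ActivationRetryBackoffInterval)", uses a semicolon as the argument separator; use a comma.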
@@ -251,24 +251,24 @@ The following is a list of Fabric settings that you can customize, organized by |AllowDisableEnableService|Bool, default is FALSE |Dynamic|Flag to indicate if it's allowed to execute Disable/Enable feature | |AllowNodeStateRemovedForSeedNode|Bool, default is FALSE |Dynamic|Flag to indicate if it's allowed to remove node state for a seed node | |BuildReplicaTimeLimit|TimeSpan, default is Common::TimeSpan::FromSeconds(3600)|Dynamic|Specify timespan in seconds. The time limit for building a stateful replica; after which a warning health report will be initiated | -|ClusterPauseThreshold|int, default is 1|Dynamic|If the number of nodes in system go below this value then placement; load balancing; and failover is stopped. | +|ClusterPauseThreshold|int, default is 1|Dynamic|If the number of nodes in system go below this value, then placement; load balancing; and failover is stopped. | |CreateInstanceTimeLimit|TimeSpan, default is Common::TimeSpan::FromSeconds(300)|Dynamic|Specify timespan in seconds. The time limit for creating a stateless instance; after which a warning health report will be initiated | -|ExpectedClusterSize|int, default is 1|Dynamic|When the cluster is initially started up; the FM will wait for this many nodes to report themselves up before it begins placing other services; including the system services like naming. Increasing this value increases the time it takes a cluster to start up; but prevents the early nodes from becoming overloaded and also the additional moves that will be necessary as more nodes come online. This value should generally be set to some small fraction of the initial cluster size. | +|ExpectedClusterSize|int, default is 1|Dynamic|When the cluster is initially started up; the FM will wait for this many nodes to report themselves up before it begins placing other services; including the system services like naming. 
Increasing this value increases the time it takes a cluster to start up; but prevents the early nodes from becoming overloaded and also the other moves that are necessary as more nodes come online. This value should generally be set to some small fraction of the initial cluster size. | |ExpectedNodeDeactivationDuration|TimeSpan, default is Common::TimeSpan::FromSeconds(60.0 \* 30)|Dynamic|Specify timespan in seconds. This is the expected duration for a node to complete deactivation in. | |ExpectedNodeFabricUpgradeDuration|TimeSpan, default is Common::TimeSpan::FromSeconds(60.0 \* 30)|Dynamic|Specify timespan in seconds. This is the expected duration for a node to be upgraded during Windows Fabric upgrade. | |ExpectedReplicaUpgradeDuration|TimeSpan, default is Common::TimeSpan::FromSeconds(60.0 \* 30)|Dynamic|Specify timespan in seconds. This is the expected duration for all the replicas to be upgraded on a node during application upgrade. | -|IgnoreReplicaRestartWaitDurationWhenBelowMinReplicaSetSize|bool, default is FALSE|Dynamic|If IgnoreReplicaRestartWaitDurationWhenBelowMinReplicaSetSize is set to:
- false: Windows Fabric will wait for fixed time specified in ReplicaRestartWaitDuration for a replica to come back up.
- true: Windows Fabric will wait for fixed time specified in ReplicaRestartWaitDuration for a replica to come back up if partition is above or at Min Replica Set Size. If partition is below Min Replica Set Size new replica will be created right away.| +|IgnoreReplicaRestartWaitDurationWhenBelowMinReplicaSetSize|bool, default is FALSE|Dynamic|If IgnoreReplicaRestartWaitDurationWhenBelowMinReplicaSetSize is set to:
- false: Windows Fabric waits for fixed time specified in ReplicaRestartWaitDuration for a replica to come back up.
- true: Windows Fabric waits for fixed time specified in ReplicaRestartWaitDuration for a replica to come back up if partition is above or at Min Replica Set Size. If partition is below Min Replica Set Size new replica will be created right away.| |IsSingletonReplicaMoveAllowedDuringUpgrade|bool, default is TRUE|Dynamic|If set to true; replicas with a target replica set size of 1 will be permitted to move during upgrade. | |MaxInstanceCloseDelayDurationInSeconds|uint, default is 1800|Dynamic|Maximum value of InstanceCloseDelay that can be configured to be used for FabricUpgrade/ApplicationUpgrade/NodeDeactivations | |MinReplicaSetSize|int, default is 3|Not Allowed|This is the minimum replica set size for the FM. If the number of active FM replicas drops below this value; the FM will reject changes to the cluster until at least the min number of replicas is recovered | |PlacementConstraints|string, default is ""|Not Allowed|Any placement constraints for the failover manager replicas | |PlacementTimeLimit|TimeSpan, default is Common::TimeSpan::FromSeconds(600)|Dynamic|Specify timespan in seconds. The time limit for reaching target replica count; after which a warning health report will be initiated | -|QuorumLossWaitDuration |Time in seconds, default is MaxValue |Dynamic|Specify timespan in seconds. This is the max duration for which we allow a partition to be in a state of quorum loss. If the partition is still in quorum loss after this duration; the partition is recovered from quorum loss by considering the down replicas as lost. Note that this can potentially incur data loss. | +|QuorumLossWaitDuration |Time in seconds, default is MaxValue |Dynamic|Specify timespan in seconds. This is the max duration for which we allow a partition to be in a state of quorum loss. If the partition is still in quorum loss after this duration; the partition is recovered from quorum loss by considering the down replicas as lost. This can potentially incur data loss. 
| |ReconfigurationTimeLimit|TimeSpan, default is Common::TimeSpan::FromSeconds(300)|Dynamic|Specify timespan in seconds. The time limit for reconfiguration; after which a warning health report will be initiated | |ReplicaRestartWaitDuration|TimeSpan, default is Common::TimeSpan::FromSeconds(60.0 \* 30)|Not Allowed|Specify timespan in seconds. This is the ReplicaRestartWaitDuration for the FMService | | SeedNodeQuorumAdditionalBufferNodes | int, default is 0 | Dynamic | Buffer of seed nodes that is needed to be up (together with quorum of seed nodes) FM should allow a maximum of (totalNumSeedNodes - (seedNodeQuorum + SeedNodeQuorumAdditionalBufferNodes)) seed nodes to go down. | |StandByReplicaKeepDuration|Timespan, default is Common::TimeSpan::FromSeconds(3600.0 \* 24 \* 7)|Not Allowed|Specify timespan in seconds. This is the StandByReplicaKeepDuration for the FMService | -|TargetReplicaSetSize|int, default is 7|Not Allowed|This is the target number of FM replicas that Windows Fabric will maintain. A higher number results in higher reliability of the FM data; with a small performance tradeoff. | +|TargetReplicaSetSize|int, default is 7|Not Allowed|This is the target number of FM replicas that Windows Fabric maintains. A higher number results in higher reliability of the FM data; with a small performance tradeoff. | |UserMaxStandByReplicaCount |Int, default is 1 |Dynamic|The default max number of StandBy replicas that the system keeps for user services. | |UserReplicaRestartWaitDuration |Time in seconds, default is 60.0 \* 30 |Dynamic|Specify timespan in seconds. When a persisted replica goes down; Windows Fabric waits for this duration for the replica to come back up before creating new replacement replicas (which would require a copy of the state). | |UserStandByReplicaKeepDuration |Time in seconds, default is 3600.0 \* 24 \* 7 |Dynamic|Specify timespan in seconds. When a persisted replica come back from a down state; it may have already been replaced. 
This timer determines how long the FM will keep the standby replica before discarding it. | @@ -277,9 +277,9 @@ The following is a list of Fabric settings that you can customize, organized by | **Parameter** | **Allowed Values** | **Upgrade Policy** | **Guidance or Short Description** | | --- | --- | --- | --- | -|CompletedActionKeepDurationInSeconds | Int, default is 604800 |Static| This is approximately how long to keep actions that are in a terminal state. This also depends on StoredActionCleanupIntervalInSeconds; since the work to clean up is only done on that interval. 604800 is 7 days. | +|CompletedActionKeepDurationInSeconds | Int, default is 604800 |Static| This is approximately how long to keep actions that are in a terminal state. This also depends on StoredActionCleanupIntervalInSeconds; since the work to clean up is only done on that interval. 604800 is seven days. | |DataLossCheckPollIntervalInSeconds|int, default is 5|Static|This is the time between the checks the system performs while waiting for data loss to happen. The number of times the data loss number will be checked per internal iteration is DataLossCheckWaitDurationInSeconds/this. | -|DataLossCheckWaitDurationInSeconds|int, default is 25|Static|The total amount of time; in seconds; that the system will wait for data loss to happen. This is internally used when the StartPartitionDataLossAsync() api is called. | +|DataLossCheckWaitDurationInSeconds|int, default is 25|Static|The total amount of time; in seconds; that the system waits for data loss to happen. This is internally used when the StartPartitionDataLossAsync() api is called. | |MinReplicaSetSize |Int, default is 0 |Static|The MinReplicaSetSize for FaultAnalysisService. | |PlacementConstraints | string, default is ""|Static| The PlacementConstraints for FaultAnalysisService. | |QuorumLossWaitDuration | Time in seconds, default is MaxValue |Static|Specify timespan in seconds. The QuorumLossWaitDuration for FaultAnalysisService. | 
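Review bot: the DataLossCheckWaitDurationInSeconds rewrite in this hunk keeps 'when the StartPartitionDataLossAsync() api is called'; since the line is being touched, capitalize to 'API', and the semicolons in 'The total amount of time; in seconds; that the system waits' are standing in for commas and make the sentence hard to parse ('The total amount of time, in seconds, that the system waits').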
@@ -287,7 +287,7 @@ The following is a list of Fabric settings that you can customize, organized by |ReplicaRestartWaitDuration |Time in seconds, default is 60 minutes|Static|Specify timespan in seconds. The ReplicaRestartWaitDuration for FaultAnalysisService. | |StandByReplicaKeepDuration| Time in seconds, default is (60*24*7) minutes |Static|Specify timespan in seconds. The StandByReplicaKeepDuration for FaultAnalysisService. | |StoredActionCleanupIntervalInSeconds | Int, default is 3600 |Static|This is how often the store is cleaned up. Only actions in a terminal state; and that completed at least CompletedActionKeepDurationInSeconds ago will be removed. | -|StoredChaosEventCleanupIntervalInSeconds | Int, default is 3600 |Static|This is how often the store will be audited for cleanup; if the number of events is more than 30000; the cleanup will kick in. | +|StoredChaosEventCleanupIntervalInSeconds | Int, default is 3600 |Static|This is how often the store is audited for cleanup; if the number of events is more than 30000; the cleanup kicks in. | |TargetReplicaSetSize |Int, default is 0 |Static|NOT_PLATFORM_UNIX_START The TargetReplicaSetSize for FaultAnalysisService. | ## Federation 
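Review bot: the unchanged TargetReplicaSetSize row in this hunk carries a leaked build marker that renders as text, 'NOT_PLATFORM_UNIX_START The TargetReplicaSetSize for FaultAnalysisService.'; since this table is being edited, drop the marker so the cell reads 'The TargetReplicaSetSize for FaultAnalysisService.' In the StoredChaosEventCleanupIntervalInSeconds rewrite, 'the cleanup kicks in' is informal for reference material; 'cleanup runs' keeps the present-tense intent.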
@@ -309,7 +309,7 @@ The following is a list of Fabric settings that you can customize, organized by |CommonName2Ntlmx509CommonName|string, default is ""|Static|The common name of the X509 certificate used to generate HMAC on the CommonName2NtlmPasswordSecret when using NTLM authentication | |CommonName2Ntlmx509StoreLocation|string, default is "LocalMachine"| Static|The store location of the X509 certificate used to generate HMAC on the CommonName2NtlmPasswordSecret when using NTLM authentication | |CommonName2Ntlmx509StoreName|string, default is "MY"|Static| The store name of the X509 certificate used to generate HMAC on the CommonName2NtlmPasswordSecret when using NTLM authentication | -|CommonNameNtlmPasswordSecret|SecureString, default is Common::SecureString("")| Static|The password secret which used as seed to generated same password when using NTLM authentication | +|CommonNameNtlmPasswordSecret|SecureString, default is Common::SecureString("")| Static|The password secret, which used as seed to generated same password when using NTLM authentication | |DiskSpaceHealthReportingIntervalWhenCloseToOutOfDiskSpace |TimeSpan, default is Common::TimeSpan::FromMinutes(5)|Dynamic|Specify timespan in seconds. The time interval between checking of disk space for reporting health event when disk is close to out of space. | |DiskSpaceHealthReportingIntervalWhenEnoughDiskSpace |TimeSpan, default is Common::TimeSpan::FromMinutes(15)|Dynamic|Specify timespan in seconds. The time interval between checking of disk space for reporting health event when there is enough space on disk. | |EnableImageStoreHealthReporting |bool, default is TRUE |Static|Config to determine whether file store service should report its health. | 
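Review bot: the CommonNameNtlmPasswordSecret rewrite adds a comma but leaves the actual defect, the verb forms in 'which used as seed to generated same password'; suggest 'The password secret used as the seed to generate the same password when using NTLM authentication'. The added comma also turns the clause into a nonrestrictive aside, which reads as if the description were complete before it.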
@@ -322,7 +322,7 @@ The following is a list of Fabric settings that you can customize, organized by |MaxSecondaryFileCopyFailureThreshold | Uint, default is 25|Dynamic|The maximum number of file copy retries on the secondary before giving up. | |MaxStoreOperations | Uint, default is 4096 |Static|The maximum number of parallel store transaction operations allowed on primary. '0' == number of cores. | |NamingOperationTimeout |Time in seconds, default is 60 |Dynamic|Specify timespan in seconds. The timeout for performing naming operation. | -|PrimaryAccountNTLMPasswordSecret | SecureString, default is empty |Static| The password secret which used as seed to generated same password when using NTLM authentication. | +|PrimaryAccountNTLMPasswordSecret | SecureString, default is empty |Static| The password secret, which used as seed to generated same password when using NTLM authentication. | |PrimaryAccountNTLMX509StoreLocation | string, default is "LocalMachine"|Static| The store location of the X509 certificate used to generate HMAC on the PrimaryAccountNTLMPasswordSecret when using NTLM authentication. | |PrimaryAccountNTLMX509StoreName | string, default is "MY"|Static| The store name of the X509 certificate used to generate HMAC on the PrimaryAccountNTLMPasswordSecret when using NTLM authentication. | |PrimaryAccountNTLMX509Thumbprint | string, default is ""|Static|The thumbprint of the X509 certificate used to generate HMAC on the PrimaryAccountNTLMPasswordSecret when using NTLM authentication. | 
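Review bot: the PrimaryAccountNTLMPasswordSecret change inserts a comma before 'which used as seed to generated same password' without fixing the verbs, so the sentence is still ungrammatical; suggest 'The password secret used as the seed to generate the same password when using NTLM authentication.'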
@@ -330,7 +330,7 @@ The following is a list of Fabric settings that you can customize, organized by |PrimaryAccountUserName | string, default is "" |Static|The primary account Username of the principal to ACL the FileStoreService shares. | |PrimaryAccountUserPassword | SecureString, default is empty |Static|The primary account password of the principal to ACL the FileStoreService shares. | |QueryOperationTimeout | Time in seconds, default is 60 |Dynamic|Specify timespan in seconds. The timeout for performing query operation. | -|SecondaryAccountNTLMPasswordSecret | SecureString, default is empty |Static| The password secret which used as seed to generated same password when using NTLM authentication. | +|SecondaryAccountNTLMPasswordSecret | SecureString, default is empty |Static| The password secret, which used as seed to generated same password when using NTLM authentication. | |SecondaryAccountNTLMX509StoreLocation | string, default is "LocalMachine" |Static|The store location of the X509 certificate used to generate HMAC on the SecondaryAccountNTLMPasswordSecret when using NTLM authentication. | |SecondaryAccountNTLMX509StoreName | string, default is "MY" |Static|The store name of the X509 certificate used to generate HMAC on the SecondaryAccountNTLMPasswordSecret when using NTLM authentication. | |SecondaryAccountNTLMX509Thumbprint | string, default is ""| Static|The thumbprint of the X509 certificate used to generate HMAC on the SecondaryAccountNTLMPasswordSecret when using NTLM authentication. | 
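Review bot: the SecondaryAccountNTLMPasswordSecret change has the same problem as the two other NTLM password secret rows: a comma is added before 'which used as seed to generated same password' while the broken verbs stay; suggest 'The password secret used as the seed to generate the same password when using NTLM authentication.'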
@@ -338,14 +338,14 @@ The following is a list of Fabric settings that you can customize, organized by |SecondaryAccountUserName | string, default is ""| Static|The secondary account Username of the principal to ACL the FileStoreService shares. | |SecondaryAccountUserPassword | SecureString, default is empty |Static|The secondary account password of the principal to ACL the FileStoreService shares. | |SecondaryFileCopyRetryDelayMilliseconds|uint, default is 500|Dynamic|The file copy retry delay (in milliseconds).| -|UseChunkContentInTransportMessage|bool, default is TRUE|Dynamic|The flag for using the new version of the upload protocol introduced in v6.4. This protocol version uses service fabric transport to upload files to image store which provides better performance than SMB protocol used in previous versions. | +|UseChunkContentInTransportMessage|bool, default is TRUE|Dynamic|The flag for using the new version of the upload protocol introduced in v6.4. This protocol version uses service fabric transport to upload files to image store, which provides better performance than SMB protocol used in previous versions. | ## FileStoreService/Replication | **Parameter** | **Allowed Values** | **Upgrade Policy** | **Guidance or Short Description** | | --- | --- | --- | --- | |ReplicationBatchSendInterval|TimeSpan, default is Common::TimeSpan::FromSeconds(15)|Static|Specify timespan in seconds. Determines the amount of time that the replicator waits after receiving an operation before force sending a batch.| -|ReplicationBatchSize|uint, default is 1|Static|Specifies the number of operations to be sent between primary and secondary replicas. If zero the primary sends one record per operation to the secondary. Otherwise the primary replica aggregates log records until the config value is reached. This will reduce network traffic.| +|ReplicationBatchSize|uint, default is 1|Static|Specifies the number of operations to be sent between primary and secondary replicas. 
If zero the primary sends one record per operation to the secondary. Otherwise the primary replica aggregates log records until the config value is reached. This reduces reduce network traffic.| ## HealthManager 
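Review bot: the rewritten ReplicationBatchSize row in this hunk ends with 'This reduces reduce network traffic.', a leftover from the will-to-present edit; it should read 'This reduces network traffic.' (the same row in the hunk at @@ -522 already has that wording). In the UseChunkContentInTransportMessage row, the new comma in 'upload files to image store, which provides better performance than SMB protocol' attaches the benefit to the image store rather than to the transport; suggest 'uses Service Fabric transport, rather than the SMB protocol used in previous versions, to upload files to the image store.'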
@@ -392,13 +392,13 @@ The following is a list of Fabric settings that you can customize, organized by |DefaultContainerRepositoryPassword|string, default is ""|Static|Default password credentials used instead of credentials specified in ApplicationManifest.xml| |DefaultContainerRepositoryPasswordType|string, default is ""|Static|When not empty string, the value can be "Encrypted" or "SecretsStoreRef".| |DefaultDnsSearchSuffixEmpty|bool, default is FALSE|Static|By default the service name is appended to the SF DNS name for container services. This feature stops this behavior so that nothing is appended to the SF DNS name by default in the resolution pathway.| -|DeploymentMaxFailureCount|int, default is 20| Dynamic|Application deployment will be retried for DeploymentMaxFailureCount times before failing the deployment of that application on the node.| +|DeploymentMaxFailureCount|int, default is 20| Dynamic|Application deployment is retried for DeploymentMaxFailureCount times before failing the deployment of that application on the node.| |DeploymentMaxRetryInterval| TimeSpan, default is Common::TimeSpan::FromSeconds(3600)|Dynamic| Specify timespan in seconds. Max retry interval for the deployment. On every continuous failure the retry interval is calculated as Min( DeploymentMaxRetryInterval; Continuous Failure Count * DeploymentRetryBackoffInterval) | -|DeploymentRetryBackoffInterval| TimeSpan, default is Common::TimeSpan::FromSeconds(10)|Dynamic|Specify timespan in seconds. Back-off interval for the deployment failure. On every continuous deployment failure the system will retry the deployment for up to the MaxDeploymentFailureCount. The retry interval is a product of continuous deployment failure and the deployment backoff interval. 
| -|DisableContainers|bool, default is FALSE|Static|Config for disabling containers - used instead of DisableContainerServiceStartOnContainerActivatorOpen which is deprecated config | -|DisableDockerRequestRetry|bool, default is FALSE |Dynamic| By default SF communicates with DD (docker daemon) with a timeout of 'DockerRequestTimeout' for each http request sent to it. If DD doesn't responds within this time period; SF resends the request if top level operation still has remaining time. With Hyper-V container; DD sometimes takes much more time to bring up the container or deactivate it. In such cases DD request times out from SF perspective and SF retries the operation. Sometimes this seems to add more pressure on DD. This config allows you to disable this retry and wait for DD to respond. | -|DisableLivenessProbes | wstring, default is L"" | Static | Config to disable Liveness probes in cluster. You can specify any non-empty value for SF to disable probes. | -|DisableReadinessProbes | wstring, default is L"" | Static | Config to disable Readiness probes in cluster. You can specify any non-empty value for SF to disable probes. | +|DeploymentRetryBackoffInterval| TimeSpan, default is Common::TimeSpan::FromSeconds(10)|Dynamic|Specify timespan in seconds. Back-off interval for the deployment failure. On every continuous deployment failure, the system retries the deployment for up to the MaxDeploymentFailureCount. The retry interval is a product of continuous deployment failure and the deployment backoff interval. | +|DisableContainers|bool, default is FALSE|Static|Config for disabling containers - used instead of DisableContainerServiceStartOnContainerActivatorOpen, which is deprecated config | +|DisableDockerRequestRetry|bool, default is FALSE |Dynamic| By default SF communicates with DD (docker daemon) with a timeout of 'DockerRequestTimeout' for each http request sent to it. 
If DD doesn't responds within this time period; SF resends the request if top level operation still has remaining time. With Hyper-V container; DD sometimes takes more time to bring up the container or deactivate it. In such cases DD request times out from SF perspective and SF retries the operation. Sometimes this seems to add more pressure on DD. This config allows you to disable this retry and wait for DD to respond. | +|DisableLivenessProbes | wstring, default is L"" | Static | Config to disable Liveness probes in cluster. You can specify any nonempty value for SF to disable probes. | +|DisableReadinessProbes | wstring, default is L"" | Static | Config to disable Readiness probes in cluster. You can specify any nonempty value for SF to disable probes. | |DnsServerListTwoIps | Bool, default is FALSE | Static | This flag adds the local dns server twice to help alleviate intermittent resolve issues. | | DockerTerminateOnLastHandleClosed | bool, default is TRUE | Static | By default if FabricHost is managing the 'dockerd' (based on: SkipDockerProcessManagement == false) this setting configures what happens when either FabricHost or dockerd crash. When set to `true` if either process crashes all running containers will be forcibly terminated by the HCS. If set to `false` the containers will continue to keep running. Note: Previous to 8.0 this behavior was unintentionally the equivalent of `false`. The default setting of `true` here is what we expect to happen by default moving forward for our cleanup logic to be effective on restart of these processes. | | DoNotInjectLocalDnsServer | bool, default is FALSE | Static | Prevents the runtime to injecting the local IP as DNS server for containers. | 
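Review bot: the DeploymentRetryBackoffInterval rewrite says the system 'retries the deployment for up to the MaxDeploymentFailureCount', but the parameter two rows up in this hunk is named DeploymentMaxFailureCount; use that name so readers can find it. In the DisableDockerRequestRetry row, the touched line keeps 'If DD doesn't responds within this time period', which should be 'doesn't respond'.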
@@ -410,7 +410,7 @@ The following is a list of Fabric settings that you can customize, organized by |FabricContainerAppsEnabled| bool, default is FALSE|Static| | |FirewallPolicyEnabled|bool, default is FALSE|Static| Enables opening firewall ports for Endpoint resources with explicit ports specified in ServiceManifest | |GetCodePackageActivationContextTimeout|TimeSpan, default is Common::TimeSpan::FromSeconds(120)|Dynamic|Specify timespan in seconds. The timeout value for the CodePackageActivationContext calls. This is not applicable to ad hoc services. | -|GovernOnlyMainMemoryForProcesses|bool, default is FALSE|Static|Default behavior of Resource Governance is to put limit specified in MemoryInMB on amount of total memory (RAM + swap) that process uses. If the limit is exceeded; the process will receive OutOfMemory exception. If this parameter is set to true; limit will be applied only to the amount of RAM memory that a process will use. If this limit is exceeded; and if this setting is true; then OS will swap the main memory to disk. | +|GovernOnlyMainMemoryForProcesses|bool, default is FALSE|Static|Default behavior of Resource Governance is to put limit specified in MemoryInMB on amount of total memory (RAM + swap) that process uses. If the limit is exceeded; the process receives OutOfMemory exception. If this parameter is set to true; limit will be applied only to the amount of RAM memory that a process uses. If this limit is exceeded; and if this setting is true; then OS will swap the main memory to disk. | |IPProviderEnabled|bool, default is FALSE|Static|Enables management of IP addresses. | |IsDefaultContainerRepositoryPasswordEncrypted|bool, default is FALSE|Static|Whether the DefaultContainerRepositoryPassword is encrypted or not.| |LinuxExternalExecutablePath|string, default is "/usr/bin/" |Static|The primary directory of external executable commands on the node.| 
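Review bot: the GovernOnlyMainMemoryForProcesses rewrite changes 'will receive' to 'receives' and 'will use' to 'uses' but leaves 'limit will be applied only' and 'then OS will swap' in the same cell, so the tense is now mixed within one description; suggest 'the limit applies only to the amount of RAM a process uses. If that limit is exceeded, the OS swaps main memory to disk.' 'the process receives OutOfMemory exception' also needs an article: 'receives an OutOfMemory exception'.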
@@ -436,7 +436,7 @@ The following is a list of Fabric settings that you can customize, organized by |HttpGatewayHealthReportSendInterval |Time in seconds, default is 30 |Static|Specify timespan in seconds. The interval at which the Http Gateway sends accumulated health reports to the Health Manager. | |HttpStrictTransportSecurityHeader|string, default is ""|Dynamic| Specify the HTTP Strict Transport Security header value to be included in every response sent by the HttpGateway. When set to empty string; this header will not be included in the gateway response.| |IsEnabled|Bool, default is false |Static| Enables/Disables the HttpGateway. HttpGateway is disabled by default. | -|MaxEntityBodySize |Uint, default is 4194304 |Dynamic|Gives the maximum size of the body that can be expected from an http request. Default value is 4MB. Httpgateway will fail a request if it has a body of size > this value. Minimum read chunk size is 4096 bytes. So this has to be >= 4096. | +|MaxEntityBodySize |Uint, default is 4194304 |Dynamic|Gives the maximum size of the body that can be expected from an http request. Default value is 4 MB. Httpgateway will fail a request if it has a body of size > this value. Minimum read chunk size is 4,096 bytes. So this has to be >= 4096. | ## ImageStoreService 
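Review bot: the MaxEntityBodySize row now mixes '4,096 bytes' with '>= 4096' in the next sentence; use one form for both, and the numeral without a separator is the safer choice where the value is compared against a setting. 'Httpgateway will fail a request' is also left in future tense while the rest of the PR moves to present, and the component is spelled 'HttpGateway' in the neighbouring rows.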
@@ -459,7 +459,7 @@ The following is a list of Fabric settings that you can customize, organized by |SharedLogId |string, default is "" |Static|Unique guid for shared log container. Use "" if using default path under fabric data root. | |SharedLogPath |string, default is "" |Static|Path and file name to location to place shared log container. Use "" for using default path under fabric data root. | |SharedLogSizeInMB |Int, default is 8192 |Static|The number of MB to allocate in the shared log container. | -|SharedLogThrottleLimitInPercentUsed|int, default is 0 | Static | The percentage of usage of the shared log that will induce throttling. Value should be between 0 and 100. A value of 0 implies using the default percentage value. A value of 100 implies no throttling at all. A value between 1 and 99 specifies the percentage of log usage above which throttling will occur; for example if the shared log is 10GB and the value is 90 then throttling will occur once 9GB is in use. Using the default value is recommended.| +|SharedLogThrottleLimitInPercentUsed|int, default is 0 | Static | The percentage of usage of the shared log that will induce throttling. Value should be between 0 and 100. A value of 0 implies using the default percentage value. A value of 100 implies no throttling at all. A value between 1 and 99 specifies the percentage of log usage above which throttling will occur; for example, if the shared log is 10 GB and the value is 90 then throttling will occur once 9 GB is in use. Using the default value is recommended.| |WriteBufferMemoryPoolMaximumInKB | Int, default is 0 |Dynamic|The number of KB to allow the write buffer memory pool to grow up to. Use 0 to indicate no limit. | |WriteBufferMemoryPoolMinimumInKB |Int, default is 8388608 |Dynamic|The number of KB to initially allocate for the write buffer memory pool. Use 0 to indicate no limit Default should be consistent with SharedLogSizeInMB below. | 
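Review bot: the SharedLogThrottleLimitInPercentUsed row gets the unit spacing fix (10 GB, 9 GB) but keeps 'that will induce throttling' and 'throttling will occur' twice, unlike the other rows in this PR that move to present tense; 'that induces throttling' and 'throttling occurs once 9 GB is in use' would be consistent.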
@@ -483,19 +483,19 @@ The following is a list of Fabric settings that you can customize, organized by |AzureStorageMaxWorkerThreads | Int, default is 25 |Dynamic|The maximum number of worker threads in parallel. | |AzureStorageOperationTimeout | Time in seconds, default is 6000 |Dynamic|Specify timespan in seconds. Time out for xstore operation to complete. | |CleanupApplicationPackageOnProvisionSuccess|bool, default is true |Dynamic|Enables or disables the automatic cleanup of application package on successful provision. -|CleanupUnusedApplicationTypes|Bool, default is FALSE |Dynamic|This configuration if enabled, allows you to automatically unregister unused application type versions skipping the latest three unused versions, thereby trimming the disk space occupied by image store. The automatic cleanup will be triggered at the end of successful provision for that specific app type and also runs periodically once a day for all the application types. Number of unused versions to skip is configurable using parameter "MaxUnusedAppTypeVersionsToKeep".
*Best practice is to use `true`.* +|CleanupUnusedApplicationTypes|Bool, default is FALSE |Dynamic|This configuration if enabled, allows you to automatically unregister unused application type versions skipping the latest three unused versions, thereby trimming the disk space occupied by image store. The automatic cleanup is triggered at the end of successful provision for that specific app type and also runs periodically once a day for all the application types. Number of unused versions to skip is configurable using parameter "MaxUnusedAppTypeVersionsToKeep".
*Best practice is to use `true`.* |DisableChecksumValidation | Bool, default is false |Static| This configuration allows us to enable or disable checksum validation during application provisioning. | |DisableServerSideCopy | Bool, default is false |Static|This configuration enables or disables server-side copy of application package on the ImageStore during application provisioning. | |ImageCachingEnabled | Bool, default is true |Static|This configuration allows us to enable or disable caching. | |ImageStoreConnectionString |SecureString |Static|Connection string to the Root for ImageStore. | |ImageStoreMinimumTransferBPS | Int, default is 1024 |Dynamic|The minimum transfer rate between the cluster and ImageStore. This value is used to determine the timeout when accessing the external ImageStore. Change this value only if the latency between the cluster and ImageStore is high to allow more time for the cluster to download from the external ImageStore. | -|MaxUnusedAppTypeVersionsToKeep | Int, default is 3 |Dynamic|This configuration defines the number of unused application type versions to be skipped for cleanup. This parameter is applicable only if parameter CleanupUnusedApplicationTypes is enabled.
*General best practice is to use the default (`3`). Values less than 1 are not valid.*| +|MaxUnusedAppTypeVersionsToKeep | Int, default is 3 |Dynamic|This configuration defines the number of unused application type versions to be skipped for cleanup. This parameter is applicable only if parameter CleanupUnusedApplicationTypes is enabled.
*General best practice is to use the default (`3`). Values less than one are not valid.*| ## MetricActivityThresholds | **Parameter** | **Allowed Values** |**Upgrade Policy**| **Guidance or Short Description** | | --- | --- | --- | --- | -|PropertyGroup|KeyIntegerValueMap, default is None|Dynamic|Determines the set of MetricActivityThresholds for the metrics in the cluster. Balancing will work if maxNodeLoad is greater than MetricActivityThresholds. For defrag metrics it defines the amount of load equal to or below which Service Fabric will consider the node empty | +|PropertyGroup|KeyIntegerValueMap, default is None|Dynamic|Determines the set of MetricActivityThresholds for the metrics in the cluster. Balancing works if maxNodeLoad is greater than MetricActivityThresholds. For defrag metrics it defines the amount of load equal to or below which Service Fabric will consider the node empty | ## MetricActivityThresholdsPerNodeType | **Parameter** | **Allowed Values** |**Upgrade Policy**| **Guidance or Short Description** | 
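Review bot: in the MaxUnusedAppTypeVersionsToKeep row, 'Values less than one are not valid' spells out a numeric bound for a parameter whose default is shown as `3` in the same sentence; keep the numeral ('less than 1') so both values read as settings. The CleanupUnusedApplicationTypes rewrite still lacks the comma after 'This configuration' in 'This configuration if enabled, allows you', and the unchanged CleanupApplicationPackageOnProvisionSuccess row just above it is missing its trailing '|', unlike the rest of the table.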
@@ -505,7 +505,7 @@ The following is a list of Fabric settings that you can customize, organized by ## MetricBalancingThresholds | **Parameter** | **Allowed Values** |**Upgrade Policy**| **Guidance or Short Description** | | --- | --- | --- | --- | -|PropertyGroup|KeyDoubleValueMap, default is None|Dynamic|Determines the set of MetricBalancingThresholds for the metrics in the cluster. Balancing will work if maxNodeLoad/minNodeLoad is greater than MetricBalancingThresholds. Defragmentation will work if maxNodeLoad/minNodeLoad in at least one FD or UD is smaller than MetricBalancingThresholds. | +|PropertyGroup|KeyDoubleValueMap, default is None|Dynamic|Determines the set of MetricBalancingThresholds for the metrics in the cluster. Balancing works if maxNodeLoad/minNodeLoad is greater than MetricBalancingThresholds. Defragmentation works if maxNodeLoad/minNodeLoad in at least one FD or UD is smaller than MetricBalancingThresholds. | ## MetricBalancingThresholdsPerNodeType | **Parameter** | **Allowed Values** |**Upgrade Policy**| **Guidance or Short Description** | 
@@ -522,7 +522,7 @@ The following is a list of Fabric settings that you can customize, organized by | **Parameter** | **Allowed Values** | **Upgrade Policy** | **Guidance or Short Description** | | --- | --- | --- | --- | |ReplicationBatchSendInterval|TimeSpan, default is Common::TimeSpan::FromSeconds(15)|Static|Specify timespan in seconds. Determines the amount of time that the replicator waits after receiving an operation before force sending a batch.| -|ReplicationBatchSize|uint, default is 1|Static|Specifies the number of operations to be sent between primary and secondary replicas. If zero the primary sends one record per operation to the secondary. Otherwise the primary replica aggregates log records until the config value is reached. This will reduce network traffic.| +|ReplicationBatchSize|uint, default is 1|Static|Specifies the number of operations to be sent between primary and secondary replicas. If zero the primary sends one record per operation to the secondary. Otherwise the primary replica aggregates log records until the config value is reached. This reduces network traffic.| ## NamingService 
@@ -530,18 +530,18 @@ The following is a list of Fabric settings that you can customize, organized by | --- | --- | --- | --- | |GatewayServiceDescriptionCacheLimit |Int, default is 0 |Static|The maximum number of entries maintained in the LRU service description cache at the Naming Gateway (set to 0 for no limit). | |MaxClientConnections |Int, default is 1000 |Dynamic|The maximum allowed number of client connections per gateway. | -|MaxFileOperationTimeout |Time in seconds, default is 30 |Dynamic|Specify timespan in seconds. The maximum timeout allowed for file store service operation. Requests specifying a larger timeout will be rejected. | +|MaxFileOperationTimeout |Time in seconds, default is 30 |Dynamic|Specify timespan in seconds. The maximum timeout allowed for file store service operation. Requests specifying a larger timeout is rejected. | |MaxIndexedEmptyPartitions |Int, default is 1000 |Dynamic|The maximum number of empty partitions that will remain indexed in the notification cache for synchronizing reconnecting clients. Any empty partitions above this number will be removed from the index in ascending lookup version order. Reconnecting clients can still synchronize and receive missed empty partition updates; but the synchronization protocol becomes more expensive. | -|MaxMessageSize |Int, default is 4\*1024\*1024 |Static|The maximum message size for client node communication when using naming. DOS attack alleviation; default value is 4MB. | +|MaxMessageSize |Int, default is 4\*1024\*1024 |Static|The maximum message size for client node communication when using naming. DOS attack alleviation; default value is 4 MB. | |MaxNamingServiceHealthReports | Int, default is 10 |Dynamic|The maximum number of slow operations that Naming store service reports unhealthy at one time. If 0; all slow operations are sent. | -|MaxOperationTimeout |Time in seconds, default is 600 |Dynamic|Specify timespan in seconds. The maximum timeout allowed for client operations. 
Requests specifying a larger timeout will be rejected. | +|MaxOperationTimeout |Time in seconds, default is 600 |Dynamic|Specify timespan in seconds. The maximum timeout allowed for client operations. Requests specifying a larger timeout is rejected. | |MaxOutstandingNotificationsPerClient |Int, default is 1000 |Dynamic|The maximum number of outstanding notifications before a client registration is forcibly closed by the gateway. | |MinReplicaSetSize | Int, default is 3 |Not Allowed| The minimum number of Naming Service replicas required to write into to complete an update. If there are fewer replicas than this active in the system the Reliability System denies updates to the Naming Service Store until replicas are restored. This value should never be more than the TargetReplicaSetSize. | |PartitionCount |Int, default is 3 |Not Allowed|The number of partitions of the Naming Service store to be created. Each partition owns a single partition key that corresponds to its index; so partition keys [0; PartitionCount] exist. Increasing the number of Naming Service partitions increases the scale that the Naming Service can perform at by decreasing the average amount of data held by any backing replica set; at a cost of increased utilization of resources (since PartitionCount*ReplicaSetSize service replicas must be maintained).| |PlacementConstraints | string, default is "" |Not Allowed| Placement constraint for the Naming Service. | |QuorumLossWaitDuration | Time in seconds, default is MaxValue |Not Allowed| Specify timespan in seconds. When a Naming Service gets into quorum loss; this timer starts. When it expires the FM will consider the down replicas as lost; and attempt to recover quorum. Not that this may result in data loss. | |RepairInterval | Time in seconds, default is 5 |Static| Specify timespan in seconds. Interval in which the naming inconsistency repair between the authority owner and name owner will start. 
| -|ReplicaRestartWaitDuration | Time in seconds, default is (60.0 * 30)|Not Allowed| Specify timespan in seconds. When a Naming Service replica goes down; this timer starts. When it expires the FM will begin to replace the replicas which are down (it does not yet consider them lost). | +|ReplicaRestartWaitDuration | Time in seconds, default is (60.0 * 30)|Not Allowed| Specify timespan in seconds. When a Naming Service replica goes down; this timer starts. When it expires the FM will begin to replace the replicas, which are down (it does not yet consider them lost). | |ServiceDescriptionCacheLimit | Int, default is 0 |Static| The maximum number of entries maintained in the LRU service description cache at the Naming Store Service (set to 0 for no limit). | |ServiceNotificationTimeout |Time in seconds, default is 30 |Dynamic|Specify timespan in seconds. The timeout used when delivering service notifications to the client. | |StandByReplicaKeepDuration | Time in seconds, default is 3600.0 * 2 |Not Allowed| Specify timespan in seconds. When a Naming Service replica come back from a down state; it may have already been replaced. This timer determines how long the FM will keep the standby replica before discarding it. | 
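Review bot: the MaxFileOperationTimeout and MaxOperationTimeout rewrites introduce a subject-verb mismatch, 'Requests specifying a larger timeout is rejected'; it should be 'are rejected'. In the ReplicaRestartWaitDuration row, the new comma in 'replace the replicas, which are down' makes the clause nonrestrictive and reads as if all replicas are down; keep 'the replicas that are down'. The unchanged QuorumLossWaitDuration row in this hunk has 'Not that this may result in data loss', which should be 'Note that', and is worth fixing here because it is the sentence that warns about data loss.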
@@ -599,7 +599,7 @@ The following is a list of Fabric settings that you can customize, organized by | --- | --- | --- | --- | |AffinityConstraintPriority | Int, default is 0 | Dynamic|Determines the priority of affinity constraint: 0: Hard; 1: Soft; negative: Ignore. | |ApplicationCapacityConstraintPriority | Int, default is 0 | Dynamic|Determines the priority of capacity constraint: 0: Hard; 1: Soft; negative: Ignore. | -|AutoDetectAvailableResources|bool, default is TRUE|Static|This config will trigger auto detection of available resources on node (CPU and Memory) When this config is set to true - we will read real capacities and correct them if user specified bad node capacities or didn't define them at all If this config is set to false - we will trace a warning that user specified bad node capacities; but we will not correct them; meaning that user wants to have the capacities specified as > than the node really has or if capacities are undefined; it will assume unlimited capacity | +|AutoDetectAvailableResources|bool, default is TRUE|Static|This config triggers auto detection of available resources on node (CPU and Memory) When this config is set to true - we read real capacities and correct them if user specified bad node capacities or didn't define them at all If this config is set to false - we trace a warning that user specified bad node capacities; but we will not correct them; meaning that user wants to have the capacities specified as > than the node really has or if capacities are undefined; it will assume unlimited capacity | |AuxiliaryInBuildThrottlingWeight | double, default is 1 | Static|Auxiliary replica's weight against the current InBuildThrottling max limit. | |BalancingDelayAfterNewNode | Time in seconds, default is 120 |Dynamic|Specify timespan in seconds. Don't start balancing activities within this period after adding a new node. | |BalancingDelayAfterNodeDown | Time in seconds, default is 120 |Dynamic|Specify timespan in seconds. 
Don't start balancing activities within this period after a node down event. | 
@@ -631,24 +631,24 @@ The following is a list of Fabric settings that you can customize, organized by |MinConstraintCheckInterval | Time in seconds, default is 1 |Dynamic| Specify timespan in seconds. Defines the minimum amount of time that must pass before two consecutive constraint check rounds. | |MinLoadBalancingInterval | Time in seconds, default is 5 |Dynamic| Specify timespan in seconds. Defines the minimum amount of time that must pass before two consecutive balancing rounds. | |MinPlacementInterval | Time in seconds, default is 1 |Dynamic| Specify timespan in seconds. Defines the minimum amount of time that must pass before two consecutive placement rounds. | -|MoveExistingReplicaForPlacement | Bool, default is true |Dynamic|Setting which determines if to move existing replica during placement. | +|MoveExistingReplicaForPlacement | Bool, default is true |Dynamic|Setting, which determines if to move existing replica during placement. | |MovementPerPartitionThrottleCountingInterval | Time in seconds, default is 600 |Static| Specify timespan in seconds. Indicate the length of the past interval for which to track replica movements for each partition (used along with MovementPerPartitionThrottleThreshold). | |MovementPerPartitionThrottleThreshold | Uint, default is 50 |Dynamic| No balancing-related movement will occur for a partition if the number of balancing related movements for replicas of that partition has reached or exceeded MovementPerFailoverUnitThrottleThreshold in the past interval indicated by MovementPerPartitionThrottleCountingInterval. | -|MoveParentToFixAffinityViolation | Bool, default is false |Dynamic| Setting which determines if parent replicas can be moved to fix affinity constraints.| +|MoveParentToFixAffinityViolation | Bool, default is false |Dynamic| Setting, which determines if parent replicas can be moved to fix affinity constraints.| |NodeTaggingEnabled | Bool, default is false |Dynamic| If true; NodeTagging feature will be enabled. 
| |NodeTaggingConstraintPriority | Int, default is 0 |Dynamic| Configurable priority of node tagging. | |PartiallyPlaceServices | Bool, default is true |Dynamic| Determines if all service replicas in cluster will be placed "all or nothing" given limited suitable nodes for them.| -|PlaceChildWithoutParent | Bool, default is true | Dynamic|Setting which determines if child service replica can be placed if no parent replica is up. | +|PlaceChildWithoutParent | Bool, default is true | Dynamic|Setting, which determines if child service replica can be placed if no parent replica is up. | |PlacementConstraintPriority | Int, default is 0 | Dynamic|Determines the priority of placement constraint: 0: Hard; 1: Soft; negative: Ignore. | |PlacementConstraintValidationCacheSize | Int, default is 10000 |Dynamic| Limits the size of the table used for quick validation and caching of Placement Constraint Expressions. | |PlacementSearchTimeout | Time in seconds, default is 0.5 |Dynamic| Specify timespan in seconds. When placing services; search for at most this long before returning a result. | |PLBRefreshGap | Time in seconds, default is 1 |Dynamic| Specify timespan in seconds. Defines the minimum amount of time that must pass before PLB refreshes state again. | |PreferredLocationConstraintPriority | Int, default is 2| Dynamic|Determines the priority of preferred location constraint: 0: Hard; 1: Soft; 2: Optimization; negative: Ignore | |PreferredPrimaryDomainsConstraintPriority| Int, default is 1 | Dynamic| Determines the priority of preferred primary domain constraint: 0: Hard; 1: Soft; negative: Ignore | -|PreferUpgradedUDs|bool, default is FALSE|Dynamic|Turns on and off logic which prefers moving to already upgraded UDs. Starting with SF 7.0, the default value for this parameter is changed from TRUE to FALSE.| +|PreferUpgradedUDs|bool, default is FALSE|Dynamic|Turns on and off logic, which prefers moving to already upgraded UDs. 
Starting with SF 7.0, the default value for this parameter is changed from TRUE to FALSE.| |PreventTransientOvercommit | Bool, default is false | Dynamic|Determines should PLB immediately count on resources that will be freed up by the initiated moves. By default; PLB can initiate move out and move in on the same node which can create transient overcommit. Setting this parameter to true will prevent those kinds of overcommits and on-demand defrag (also known as placementWithMove) will be disabled. | -|RelaxUnlimitedPartitionBasedAutoScaling | Bool, default is false | Dynamic|Allow partition based auto-scaling for -1 upper scaling limit exceeds number of available nodes. If config is enabled; maximum partition count is calculated as ratio of available load and default partition load. If RelaxUnlimitedPartitionBasedAutoScaling is enabled; maximum partition count won't be less than number of available nodes. | -|RelaxUnlimitedInstanceBasedAutoScaling | Bool, default is false | Dynamic|Allow instance based auto-scaling for -1 upper scaling limit exceeds number of available nodes. If config is enabled; maximum partition count is calculated as ratio of available load and default instance load. If RelaxUnlimitedInstanceBasedAutoScaling is enabled; maximum instance count won't be less than number of available nodes. If service doesn't allow multi-instance on the same node; enabling RelaxUnlimitedInstanceBasedAutoScaling config doesn't have impact on that service. If AllowCreateUpdateMultiInstancePerNodeServices config is disabled; enabling RelaxUnlimitedInstanceBasedAutoScaling config doesn't have impact. | +|RelaxUnlimitedPartitionBasedAutoScaling | Bool, default is false | Dynamic|Allow partition based autoscaling for -1 upper scaling limit exceeds number of available nodes. If config is enabled; maximum partition count is calculated as ratio of available load and default partition load. 
If RelaxUnlimitedPartitionBasedAutoScaling is enabled; maximum partition count won't be less than number of available nodes. | +|RelaxUnlimitedInstanceBasedAutoScaling | Bool, default is false | Dynamic|Allow instance based autoscaling for -1 upper scaling limit exceeds number of available nodes. If config is enabled; maximum partition count is calculated as ratio of available load and default instance load. If RelaxUnlimitedInstanceBasedAutoScaling is enabled; maximum instance count won't be less than number of available nodes. If service doesn't allow multi-instance on the same node; enabling RelaxUnlimitedInstanceBasedAutoScaling config doesn't have impact on that service. If AllowCreateUpdateMultiInstancePerNodeServices config is disabled; enabling RelaxUnlimitedInstanceBasedAutoScaling config doesn't have impact. | |ScaleoutCountConstraintPriority | Int, default is 0 |Dynamic| Determines the priority of scaleout count constraint: 0: Hard; 1: Soft; negative: Ignore. | |SeparateBalancingStrategyPerNodeType | Bool, default is false |Dynamic| Balancing configuration per node type Enable or disable balancing per node type feature. | |SubclusteringEnabled|Bool, default is FALSE | Dynamic |Acknowledge subclustering when calculating standard deviation for balancing | 
@@ -659,10 +659,10 @@ The following is a list of Fabric settings that you can customize, organized by |TraceCRMReasons |Bool, default is true |Dynamic|Specifies whether to trace reasons for CRM issued movements to the operational events channel. | |UpgradeDomainConstraintPriority | Int, default is 1| Dynamic|Determines the priority of upgrade domain constraint: 0: Hard; 1: Soft; negative: Ignore. | |UseMoveCostReports | Bool, default is false | Dynamic|Instructs the LB to ignore the cost element of the scoring function; resulting potentially large number of moves for better balanced placement. | -|UseSeparateAuxiliaryLoad | Bool, default is true | Dynamic|Setting which determines if PLB should use different load for auxiliary on each node. If UseSeparateAuxiliaryLoad is turned off: - Reported load for auxiliary on one node will result in overwriting load for each auxiliary (on all other nodes) If UseSeparateAuxiliaryLoad is turned on: - Reported load for auxiliary on one node will take effect only on that auxiliary (no effect on auxiliaries on other nodes) - If replica crash happens - new replica is created with average load of all the rest auxiliaries - If PLB moves existing replica - load goes with it. | -|UseSeparateAuxiliaryMoveCost | Bool, default is false | Dynamic|Setting which determines if PLB should use different move cost for auxiliary on each node. If UseSeparateAuxiliaryMoveCost is turned off: - Reported move cost for auxiliary on one node will result in overwriting move cost for each auxiliary (on all other nodes) If UseSeparateAuxiliaryMoveCost is turned on: - Reported move cost for auxiliary on one node will take effect only on that auxiliary (no effect on auxiliaries on other nodes) - If replica crash happens - new replica is created with default move cost specified on service level - If PLB moves existing replica - move cost goes with it. 
| -|UseSeparateSecondaryLoad | Bool, default is true | Dynamic|Setting which determines if separate load should be used for secondary replicas. | -|UseSeparateSecondaryMoveCost | Bool, default is true | Dynamic|Setting which determines if PLB should use different move cost for secondary on each node. If UseSeparateSecondaryMoveCost is turned off: - Reported move cost for secondary on one node will result in overwriting move cost for each secondary (on all other nodes) If UseSeparateSecondaryMoveCost is turned on: - Reported move cost for secondary on one node will take effect only on that secondary (no effect on secondaries on other nodes) - If replica crash happens - new replica is created with default move cost specified on service level - If PLB moves existing replica - move cost goes with it. | +|UseSeparateAuxiliaryLoad | Bool, default is true | Dynamic|Setting, which determines if PLB should use different load for auxiliary on each node. If UseSeparateAuxiliaryLoad is turned off: - Reported load for auxiliary on one node will result in overwriting load for each auxiliary (on all other nodes) If UseSeparateAuxiliaryLoad is turned on: - Reported load for auxiliary on one node will take effect only on that auxiliary (no effect on auxiliaries on other nodes) - If replica crash happens - new replica is created with average load of all the rest auxiliaries - If PLB moves existing replica - load goes with it. | +|UseSeparateAuxiliaryMoveCost | Bool, default is false | Dynamic|Setting, which determines if PLB should use different move cost for auxiliary on each node. 
If UseSeparateAuxiliaryMoveCost is turned off: - Reported move cost for auxiliary on one node will result in overwriting move cost for each auxiliary (on all other nodes) If UseSeparateAuxiliaryMoveCost is turned on: - Reported move cost for auxiliary on one node will take effect only on that auxiliary (no effect on auxiliaries on other nodes) - If replica crash happens - new replica is created with default move cost specified on service level - If PLB moves existing replica - move cost goes with it. | +|UseSeparateSecondaryLoad | Bool, default is true | Dynamic|Setting, which determines if separate load should be used for secondary replicas. | +|UseSeparateSecondaryMoveCost | Bool, default is true | Dynamic|Setting, which determines if PLB should use different move cost for secondary on each node. If UseSeparateSecondaryMoveCost is turned off: - Reported move cost for secondary on one node will result in overwriting move cost for each secondary (on all other nodes) If UseSeparateSecondaryMoveCost is turned on: - Reported move cost for secondary on one node will take effect only on that secondary (no effect on secondaries on other nodes) - If replica crash happens - new replica is created with default move cost specified on service level - If PLB moves existing replica - move cost goes with it. | |ValidatePlacementConstraint | Bool, default is true |Dynamic| Specifies whether or not the PlacementConstraint expression for a service is validated when a service's ServiceDescription is updated. | |ValidatePrimaryPlacementConstraintOnPromote| Bool, default is TRUE |Dynamic|Specifies whether or not the PlacementConstraint expression for a service is evaluated for primary preference on failover. | |VerboseHealthReportLimit | Int, default is 20 | Dynamic|Defines the number of times a replica has to go unplaced before a health warning is reported for it (if verbose health reporting is enabled). | 
@@ -678,7 +678,7 @@ The following is a list of Fabric settings that you can customize, organized by |GracefulReplicaShutdownMaxDuration|TimeSpan, default is Common::TimeSpan::FromSeconds(120)|Dynamic|Specify timespan in seconds. The duration for which the system will wait before terminating service hosts that have replicas that are stuck in close. If this value is set to 0, replicas will not be instructed to close.| |NodeDeactivationMaxReplicaCloseDuration | Time in seconds, default is 900 |Dynamic|Specify timespan in seconds. The duration for which the system will wait before terminating service hosts that have replicas that are stuck in close during node deactivation. | |PeriodicApiSlowTraceInterval | Time in seconds, default is 5 minutes |Dynamic| Specify timespan in seconds. PeriodicApiSlowTraceInterval defines the interval over which slow API calls will be retraced by the API monitor. | -|ReplicaChangeRoleFailureRestartThreshold|int, default is 10|Dynamic| Integer. Specify the number of API failures during primary promotion after which auto-mitigation action (replica restart) will be applied. | +|ReplicaChangeRoleFailureRestartThreshold|int, default is 10|Dynamic| Integer. Specify the number of API failures during primary promotion after which automitigation action (replica restart) will be applied. | |ReplicaChangeRoleFailureWarningReportThreshold|int, default is 2147483647|Dynamic| Integer. Specify the number of API failures during primary promotion after which warning health report will be raised.| |ServiceApiHealthDuration | Time in seconds, default is 30 minutes |Dynamic| Specify timespan in seconds. ServiceApiHealthDuration defines how long do we wait for a service API to run before we report it unhealthy. | |ServiceReconfigurationApiHealthDuration | Time in seconds, default is 30 |Dynamic| Specify timespan in seconds. ServiceReconfigurationApiHealthDuration defines how long do we wait for a service API to run before we report unhealthy. 
This applies to API calls that impact availability.| @@ -687,7 +687,7 @@ The following is a list of Fabric settings that you can customize, organized by | **Parameter** | **Allowed Values** | **Upgrade Policy**| **Guidance or Short Description** | | --- | --- | --- | --- | |ReplicationBatchSendInterval|TimeSpan, default is Common::TimeSpan::FromSeconds(15)|Static|Specify timespan in seconds. Determines the amount of time that the replicator waits after receiving an operation before force sending a batch.| -|ReplicationBatchSize|uint, default is 1|Static|Specifies the number of operations to be sent between primary and secondary replicas. If zero the primary sends one record per operation to the secondary. Otherwise the primary replica aggregates log records until the config value is reached. This will reduce network traffic.| +|ReplicationBatchSize|uint, default is 1|Static|Specifies the number of operations to be sent between primary and secondary replicas. If zero the primary sends one record per operation to the secondary. Otherwise the primary replica aggregates log records until the config value is reached. This reduces network traffic.| ## Replication **Warning Note** : Changing Replication/TranscationalReplicator settings at cluster level changes settings for all stateful services include system services. This is generally not recommended. See this document [Configure Azure Service Fabric Reliable Services - Azure Service Fabric | Microsoft Docs](./service-fabric-reliable-services-configuration.md) to configure services at app level. 
@@ -698,18 +698,18 @@ The following is a list of Fabric settings that you can customize, organized by |BatchAcknowledgementInterval|TimeSpan, default is Common::TimeSpan::FromMilliseconds(15)|Static|Specify timespan in seconds. Determines the amount of time that the replicator waits after receiving an operation before sending back an acknowledgment. Other operations received during this time period will have their acknowledgments sent back in a single message-> reducing network traffic but potentially reducing the throughput of the replicator.| |MaxCopyQueueSize|uint, default is 1024|Static|This is the maximum value defines the initial size for the queue which maintains replication operations. Note that it must be a power of 2. If during runtime the queue grows to this size operation will be throttled between the primary and secondary replicators.| |MaxPrimaryReplicationQueueMemorySize|uint, default is 0|Static|This is the maximum value of the primary replication queue in bytes.| -|MaxPrimaryReplicationQueueSize|uint, default is 1024|Static|This is the maximum number of operations that could exist in the primary replication queue. Note that it must be a power of 2.| -|MaxReplicationMessageSize|uint, default is 52428800|Static|Maximum message size of replication operations. Default is 50MB.| +|MaxPrimaryReplicationQueueSize|uint, default is 8192|Static|This is the maximum number of operations that could exist in the primary replication queue. Note that it must be a power of 2.| +|MaxReplicationMessageSize|uint, default is 52428800|Static|Maximum message size of replication operations. Default is 50 MB.| |MaxSecondaryReplicationQueueMemorySize|uint, default is 0|Static|This is the maximum value of the secondary replication queue in bytes.| -|MaxSecondaryReplicationQueueSize|uint, default is 2048|Static|This is the maximum number of operations that could exist in the secondary replication queue. 
Note that it must be a power of 2.| +|MaxSecondaryReplicationQueueSize|uint, default is 16384|Static|This is the maximum number of operations that could exist in the secondary replication queue. Note that it must be a power of 2.| |QueueHealthMonitoringInterval|TimeSpan, default is Common::TimeSpan::FromSeconds(30)|Static|Specify timespan in seconds. This value determines the time period used by the Replicator to monitor any warning/error health events in the replication operation queues. A value of '0' disables health monitoring | |QueueHealthWarningAtUsagePercent|uint, default is 80|Static|This value determines the replication queue usage(in percentage) after which we report warning about high queue usage. We do so after a grace interval of QueueHealthMonitoringInterval. If the queue usage falls below this percentage in the grace interval| |ReplicatorAddress|string, default is "localhost:0"|Static|The endpoint in form of a string -'IP:Port' which is used by the Windows Fabric Replicator to establish connections with other replicas in order to send/receive operations.| |ReplicationBatchSendInterval|TimeSpan, default is Common::TimeSpan::FromSeconds(15)|Static|Specify timespan in seconds. Determines the amount of time that the replicator waits after receiving an operation before force sending a batch.| -|ReplicationBatchSize|uint, default is 1|Static|Specifies the number of operations to be sent between primary and secondary replicas. If zero the primary sends one record per operation to the secondary. Otherwise the primary replica aggregates log records until the config value is reached. This will reduce network traffic.| +|ReplicationBatchSize|uint, default is 1|Static|Specifies the number of operations to be sent between primary and secondary replicas. If zero the primary sends one record per operation to the secondary. Otherwise the primary replica aggregates log records until the config value is reached. 
This reduces network traffic.| |ReplicatorListenAddress|string, default is "localhost:0"|Static|The endpoint in form of a string -'IP:Port' which is used by the Windows Fabric Replicator to receive operations from other replicas.| |ReplicatorPublishAddress|string, default is "localhost:0"|Static|The endpoint in form of a string -'IP:Port' which is used by the Windows Fabric Replicator to send operations to other replicas.| -|RetryInterval|TimeSpan, default is Common::TimeSpan::FromSeconds(5)|Static|Specify timespan in seconds. When an operation is lost or rejected this timer determines how often the replicator will retry sending the operation.| +|RetryInterval|TimeSpan, default is Common::TimeSpan::FromSeconds(5)|Static|Specify timespan in seconds. When an operation is lost or rejected this timer determines how often the replicator retries sending the operation.| ## ResourceMonitorService | **Parameter** | **Allowed Values** | **Upgrade Policy**| **Guidance or Short Description** | 
@@ -790,7 +790,7 @@ The following is a list of Fabric settings that you can customize, organized by |SettingsX509StoreName| string, default is "MY"| Dynamic|X509 certificate store used by fabric for configuration protection | |UseClusterCertForIpcServerTlsSecurity|bool, default is FALSE|Static|Whether to use cluster certificate to secure IPC Server TLS transport unit | |X509Folder|string, default is /var/lib/waagent|Static|Folder where X509 certificates and private keys are located | -|TLS1_2_CipherList| string| Static|If set to a non-empty string; overrides the supported cipher list for TLS1.2 and below. See the 'openssl-ciphers' documentation for retrieving the supported cipher list and the list format Example of strong cipher list for TLS1.2: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-CBC-SHA384:ECDHE-ECDSA-AES128-CBC-SHA256:ECDHE-RSA-AES256-CBC-SHA384:ECDHE-RSA-AES128-CBC-SHA256" Applies to Linux only. | +|TLS1_2_CipherList| string| Static|If set to a nonempty string; overrides the supported cipher list for TLS1.2 and below. See the 'openssl-ciphers' documentation for retrieving the supported cipher list and the list format Example of strong cipher list for TLS1.2: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-CBC-SHA384:ECDHE-ECDSA-AES128-CBC-SHA256:ECDHE-RSA-AES256-CBC-SHA384:ECDHE-RSA-AES128-CBC-SHA256" Applies to Linux only. | ## Security/AdminClientX509Names diff --git a/articles/service-fabric/service-fabric-get-started.md b/articles/service-fabric/service-fabric-get-started.md index 28b2fbfe5be31..6b839f1e3ad97 100644 --- a/articles/service-fabric/service-fabric-get-started.md +++ b/articles/service-fabric/service-fabric-get-started.md 
@@ -1,6 +1,6 @@ --- title: Set up a Windows development environment -description: Install the runtime, SDK, and tools and create a local development cluster. After completing this setup, you will be ready to build applications on Windows. +description: Install the runtime, SDK, and tools and create a local development cluster. After completing this setup, you'll be ready to build applications on Windows. ms.topic: how-to ms.author: tomcassidy author: tomvcassidy @@ -22,7 +22,7 @@ To build and run [Azure Service Fabric applications][1] on your Windows developm ## Prerequisites -Ensure you are using a supported [Windows version](service-fabric-versions.md#supported-windows-versions-and-support-end-date). +Ensure you're using a supported [Windows version](service-fabric-versions.md#supported-windows-versions-and-support-end-date). ## Install the SDK and tools > [!NOTE] 
@@ -32,19 +32,19 @@ For latest Runtime and SDK you can download from below: | Package |Version| | --- | --- | -|[Install Service Fabric Runtime for Windows](https://download.microsoft.com/download/b/8/a/b8a2fb98-0ec1-41e5-be98-9d8b5abf7856/MicrosoftServiceFabric.10.0.1949.9590.exe) | 10.0.1949.9590 | -|[Install Service Fabric SDK](https://download.microsoft.com/download/b/8/a/b8a2fb98-0ec1-41e5-be98-9d8b5abf7856/MicrosoftServiceFabricSDK.7.0.1949.msi) | 7.0.1949 | +|[Install Service Fabric Runtime for Windows](https://download.microsoft.com/download/b/8/a/b8a2fb98-0ec1-41e5-be98-9d8b5abf7856/MicrosoftServiceFabric.10.1.1951.9590.exe) | 10.1.1951.9590 | +|[Install Service Fabric SDK](https://download.microsoft.com/download/b/8/a/b8a2fb98-0ec1-41e5-be98-9d8b5abf7856/MicrosoftServiceFabricSDK.7.1.1951.msi) | 7.1.1951 | -You can find direct links to the installers for previous releases on [Service Fabric Releases](https://github.com/microsoft/service-fabric/tree/master/release_notes) +You can find direct links to the installers for previous releases on [Service Fabric Releases.](https://github.com/microsoft/service-fabric/tree/master/release_notes) -For supported versions, see [Service Fabric versions](service-fabric-versions.md) +For supported versions, see [Service Fabric versions.](service-fabric-versions.md) > [!NOTE] > Single machine clusters (OneBox) are not supported for Application or Cluster upgrades; delete the OneBox cluster and recreate it if you need to perform a Cluster upgrade, or have any issues performing an Application upgrade. ### To use Visual Studio 2017 or 2019 -The Service Fabric Tools are part of the Azure Development workload in Visual Studio 2019 and 2017. Enable this workload as part of your Visual Studio installation. 
In addition, you need to install the Microsoft Azure Service Fabric SDK and runtime as described above [Install the SDK and tools](#install-the-sdk-and-tools) +The Service Fabric Tools are part of the Azure Development workload in Visual Studio 2019 and 2017. Enable this workload as part of your Visual Studio installation. In addition, you need to install the Microsoft Azure Service Fabric SDK and runtime as described above [Install the SDK and tools.](#install-the-sdk-and-tools) ## Enable PowerShell script execution diff --git a/articles/service-fabric/service-fabric-versions.md b/articles/service-fabric/service-fabric-versions.md index 3cf7feae49779..70dfa6ef9d466 100644 --- a/articles/service-fabric/service-fabric-versions.md +++ b/articles/service-fabric/service-fabric-versions.md @@ -19,9 +19,12 @@ If you want to find a list of all the available Service Fabric runtime versions ### Current versions | Service Fabric runtime |Can upgrade directly from|Can downgrade to*|Compatible SDK or NuGet package version|Supported .NET runtimes** |OS Version |End of support | | --- | --- | --- | --- | --- | --- | --- | +| 10.1 CU2
10.1.1951.9590 | 9.1 CU6
9.1.1851.9590 | 9.0 | Less than or equal to version 6.0 | .NET 7, .NET 6, All,
>= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | Current version | | 10.1 RTO
10.1.1541.9590 | 9.1 CU6
9.1.1851.9590 | 9.0 | Less than or equal to version 6.0 | .NET 7, .NET 6, All,
>= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | Current version | -| 10.0 CU1
10.0.1949.9590 | 9.0 CU10
9.0.1553.9590 | 9.0 | Less than or equal to version 6.0 | .NET 7, .NET 6, All,
>= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | Current version | -| 10.0 RTO
10.0.1816.9590 | 9.0 CU10
9.0.1553.9590 | 9.0 | Less than or equal to version 6.0 | .NET 7, .NET 6, All,
>= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | Current version | +| 10.0 CU3
10.0.2226.9590 | 9.0 CU10
9.0.1553.9590 | 9.0 | Less than or equal to version 6.0 | .NET 7, .NET 6, All,
>= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | September 30, 2024 | +| 10.0 CU1
10.0.1949.9590 | 9.0 CU10
9.0.1553.9590 | 9.0 | Less than or equal to version 6.0 | .NET 7, .NET 6, All,
>= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | September 30, 2024 | +| 10.0 RTO
10.0.1816.9590 | 9.0 CU10
9.0.1553.9590 | 9.0 | Less than or equal to version 6.0 | .NET 7, .NET 6, All,
>= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | September 30, 2024 | +| 9.1 CU9
9.1.2277.9590 | 8.2 CU6
8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All,
>= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | April 30, 2024 | | 9.1 CU7
9.1.1993.9590 | 8.2 CU6
8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All,
>= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | April 30, 2024 | | 9.1 CU6
9.1.1851.9590 | 8.2 CU6
8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All,
>= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | April 30, 2024 | | 9.1 CU5
9.1.1833.9590 | 8.2 CU6
8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All,
>= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | April 30, 2024 | @@ -108,9 +111,12 @@ Support for Service Fabric on a specific OS ends when support for the OS version ### Current versions | Service Fabric runtime | Can upgrade directly from |Can downgrade to*|Compatible SDK or NuGet package version | Supported .NET runtimes** | OS version | End of support | | --- | --- | --- | --- | --- | --- | --- | +| 10.1 CU2
10.1.1885.1 | 9.1 CU6
9.1.1642.1 | 9.0 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | Current version | | 10.1 RTO
10.1.1507.1 | 9.1 CU6
9.1.1642.1 | 9.0 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | Current version | -| 10.0 CU1
10.0.1829.1 | 9.0 CU10
9.0.1489.1 | 9.0 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | Current version | -| 10.0 RTO
10.0.1728.1 | 9.0 CU10
9.0.1489.1 | 9.0 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | Current version | +| 10.0 CU3
10.0.2105.1 | 9.0 CU10
9.0.1489.1 | 9.0 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | September 30, 2024 | +| 10.0 CU1
10.0.1829.1 | 9.0 CU10
9.0.1489.1 | 9.0 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | September 30, 2024 | +| 10.0 RTO
10.0.1728.1 | 9.0 CU10
9.0.1489.1 | 9.0 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | September 30, 2024 | +| 9.1 CU9
9.1.2038.1 | 8.2 CU6
8.2.1485.1 | 8.2 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | April 30, 2024 | | 9.1 CU7
9.1.1740.1 | 8.2 CU6
8.2.1485.1 | 8.2 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | April 30, 2024 | | 9.1 CU6
9.1.1642.1 | 8.2 CU6
8.2.1485.1 | 8.2 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | April 30, 2024 | | 9.1 CU5
9.1.1625.1 | 8.2 CU6
8.2.1485.1 | 8.2 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | April 30, 2024 | @@ -174,9 +180,12 @@ The following table lists the version names of Service Fabric and their correspo | Version name | Windows version number | Linux version number | | --- | --- | --- | +| 10.1 CU2 | 10.1.1951.9590 | 10.1.1885.1 | | 10.1 RTO | 10.1.1541.9590 | 10.1.1507.1 | +| 10.0 CU3 | 10.0.2226.9590 | 10.0.2105.1 | | 10.0 CU1 | 10.0.1949.9590 | 10.0.1829.1 | | 10.0 RTO | 10.0.1816.9590 | 10.0.1728.1 | +| 9.1 CU9 | 9.1.2277.9590 | 9.1.2038.1 | | 9.1 CU7 | 9.1.1993.9590 | 9.1.1740.1 | | 9.1 CU6 | 9.1.1851.9590 | 9.1.1642.1 | | 9.1 CU5 | 9.1.1833.9590 | 9.1.1625.1 | diff --git a/articles/synapse-analytics/security/synapse-workspace-synapse-rbac-roles.md b/articles/synapse-analytics/security/synapse-workspace-synapse-rbac-roles.md index a1fa08d36ea86..58ce8627067d9 100644 --- a/articles/synapse-analytics/security/synapse-workspace-synapse-rbac-roles.md +++ b/articles/synapse-analytics/security/synapse-workspace-synapse-rbac-roles.md @@ -28,7 +28,7 @@ The following table describes the built-in roles and the scopes at which they ca |Role |Permissions|Scopes| |---|---|-----| -|Synapse Administrator |Full Synapse access to SQL pools, Data Explorer pools, Apache Spark pools, and Integration runtimes. Includes create, read, update, and delete access to all published code artifacts. Includes Compute Operator, Linked Data Manager, and Credential User permissions on the workspace system identity credential. Includes assigning Synapse RBAC roles. In addition to Synapse Administrator, Azure Owners can also assign Synapse RBAC roles. Azure permissions are required to create, delete, and manage compute resources. Synapse RBAC roles can be assigned even when the associated subscription is disabled.

_Can read and write artifacts
Can do all actions on Spark activities.
Can view Spark pool logs
Can view saved notebook and pipeline output
Can use the secrets stored by linked services or credentials
Can assign and revoke Synapse RBAC roles at current scope_|Workspace
Spark pool
Integration runtime
Linked service
Credential | +|Synapse Administrator |Full Synapse access to serverless and dedicated SQL pools, Data Explorer pools, Apache Spark pools, and Integration runtimes. Includes create, read, update, and delete access to all published code artifacts. Includes Compute Operator, Linked Data Manager, and Credential User permissions on the workspace system identity credential. Includes assigning Synapse RBAC roles. In addition to Synapse Administrator, Azure Owners can also assign Synapse RBAC roles. Azure permissions are required to create, delete, and manage compute resources. Synapse RBAC roles can be assigned even when the associated subscription is disabled.

_Can read and write artifacts
Can do all actions on Spark activities.
Can view Spark pool logs
Can view saved notebook and pipeline output
Can use the secrets stored by linked services or credentials
Can assign and revoke Synapse RBAC roles at current scope_|Workspace
Spark pool
Integration runtime
Linked service
Credential | |Synapse Apache Spark Administrator
|Full Synapse access to Apache Spark Pools. Create, read, update, and delete access to published Spark job definitions, notebooks and their outputs, and to libraries, linked services, and credentials.  Includes read access to all other published code artifacts. Doesn't include permission to use credentials and run pipelines. Doesn't include granting access.

_Can do all actions on Spark artifacts
Can do all actions on Spark activities_|Workspace
Spark pool| |Synapse SQL Administrator|Full Synapse access to serverless SQL pools. Create, read, update, and delete access to published SQL scripts, credentials, and linked services.  Includes read access to all other published code artifacts.  Doesn't include permission to use credentials and run pipelines. Doesn't include granting access.

*Can do all actions on SQL scripts
Can connect to SQL serverless endpoints with SQL `db_datareader`, `db_datawriter`, `connect`, and `grant` permissions*|Workspace| |Synapse Contributor|Full Synapse access to Apache Spark pools and Integration runtimes. Includes create, read, update, and delete access to all published code artifacts and their outputs, including scheduled pipelines, credentials and linked services.  Includes compute operator permissions. Doesn't include permission to use credentials and run pipelines. Doesn't include granting access.

_Can read and write artifacts
Can view saved notebook and pipeline output
Can do all actions on Spark activities
Can view Spark pool logs_|Workspace
Spark pool
Integration runtime| diff --git a/articles/synapse-analytics/spark/apache-spark-33-runtime.md b/articles/synapse-analytics/spark/apache-spark-33-runtime.md index 1c027a8f6333c..451aa0fd3a54d 100644 --- a/articles/synapse-analytics/spark/apache-spark-33-runtime.md +++ b/articles/synapse-analytics/spark/apache-spark-33-runtime.md @@ -27,6 +27,9 @@ Azure Synapse Analytics supports multiple runtimes for Apache Spark. This docume | Python | 3.10 | | R (Preview) | 4.2.2 | +>[!TIP] +> For up-to-date information, a detailed list of changes, and specific release notes for Spark runtimes, check and subscribe [Spark Runtimes Releases and Updates](https://github.com/microsoft/synapse-spark-runtime). + [Synapse-Python310-CPU.yml](https://github.com/Azure-Samples/Synapse/blob/main/Spark/Python/Synapse-Python310-CPU.yml) contains the list of libraries shipped in the default Python 3.10 environment in Azure Synapse Spark. @@ -584,4 +587,4 @@ The following sections present the libraries included in Azure Synapse Runtime f ## Migration between Apache Spark versions - support -For guidance on migrating from older runtime versions to Azure Synapse Runtime for Apache Spark 3.3 or 3.4 please refer to [Runtime for Apache Spark Overview](./apache-spark-version-support.md). +For guidance on migrating from older runtime versions to Azure Synapse Runtime for Apache Spark 3.3 or 3.4 refer to [Runtime for Apache Spark Overview](./apache-spark-version-support.md). diff --git a/articles/virtual-desktop/whats-new-agent.md b/articles/virtual-desktop/whats-new-agent.md index 0fdc49c772c5b..eaf91251e0561 100644 --- a/articles/virtual-desktop/whats-new-agent.md +++ b/articles/virtual-desktop/whats-new-agent.md 
@@ -3,7 +3,7 @@ title: What's new in the Azure Virtual Desktop Agent? - Azure description: New features and product updates for the Azure Virtual Desktop Agent. author: Heidilohr ms.topic: release-notes -ms.date: 02/08/2024 +ms.date: 03/18/2024 ms.author: helohr ms.custom: references_regions --- @@ -27,18 +27,18 @@ A rollout may take several weeks before the agent is available in all environmen | Release | Latest version | |--|--| | Production | 1.0.8297.800 | -| Validation | 1.0.8431.300 | +| Validation | 1.0.8431.1500 | > [!TIP] > The Azure Virtual Desktop Agent is automatically installed when adding session hosts in most scenarios. If you need to install the agent manually, you can download it at [Register session hosts to a host pool](add-session-hosts-host-pool.md#register-session-hosts-to-a-host-pool), together with the steps to install it. -## Version 1.0.8431.300 (validation) +## Version 1.0.8431.1500 (validation) -*Published: February 2024* +*Published: March 2024* In this update, we've made the following changes: -- General improvements and bug fixes. +- General improvements and bug fixes. ## Version 1.0.8297.800 diff --git a/articles/virtual-wan/how-to-network-virtual-appliance-inbound.md b/articles/virtual-wan/how-to-network-virtual-appliance-inbound.md index 702075c4aaaa9..a7d8fbdaf551f 100644 --- a/articles/virtual-wan/how-to-network-virtual-appliance-inbound.md +++ b/articles/virtual-wan/how-to-network-virtual-appliance-inbound.md 
@@ -80,9 +80,6 @@ The list below corresponds to the diagram above and describes the packet flow fo ## Managing DNAT/Internet Inbound configurations -> [!Important] -> The Azure portal experience for Destination NAT (DNAT) for Virtual WAN integrated Network Virtual Appliances is currently rolling out. If you do not see the DNAT options described below available in Portal, reach out to your NVA provider. - The following section describes how to manage NVA configurations related to internet inbound and DNAT. 1. Navigate to your Virtual WAN Hub. Select **Network Virtual Appliances** under Third Party Providers. Click on **Manage Configurations** next to the NVA. diff --git a/articles/vpn-gateway/azure-vpn-client-optional-configurations.md b/articles/vpn-gateway/azure-vpn-client-optional-configurations.md index 22d3dfa000948..228b482d14748 100644 --- a/articles/vpn-gateway/azure-vpn-client-optional-configurations.md +++ b/articles/vpn-gateway/azure-vpn-client-optional-configurations.md @@ -5,7 +5,7 @@ description: Learn how to configure optional configuration settings for the Azur author: cherylmc ms.service: vpn-gateway ms.topic: how-to -ms.date: 02/21/2024 +ms.date: 03/18/2024 ms.author: cherylmc --- @@ -51,6 +51,9 @@ The steps in this article require you to modify and import the Azure VPN Client ### Add DNS suffixes +> [!NOTE] +> At this time, additional DNS suffixes for the Azure VPN Client aren't generated in a format that can be properly used by macOS. The specified values for DNS suffixes don't persist for macOS. + To add DNS suffixes, modify the downloaded profile XML file and add the **\\ \\** tags. ```xml diff --git a/articles/vpn-gateway/create-custom-policies-p2s-ps.md b/articles/vpn-gateway/create-custom-policies-p2s-ps.md index e4b564334b164..919c32dc6fec6 100644 --- a/articles/vpn-gateway/create-custom-policies-p2s-ps.md +++ b/articles/vpn-gateway/create-custom-policies-p2s-ps.md 
@@ -1,18 +1,18 @@ --- title: 'Create and set custom IPsec policies for Point-to-Site: PowerShell' titleSuffix: Azure VPN Gateway -description: This article helps you create and set custom IPSec policies for VPN Gateway P2S configurations +description: This article helps you create and set custom IPSec policies for VPN Gateway P2S configurations. author: cherylmc ms.service: vpn-gateway ms.topic: how-to -ms.date: 09/09/2020 +ms.date: 03/18/2024 ms.author: cherylmc ms.custom: devx-track-azurepowershell --- -# Create and set custom IPsec policies for Point-to-Site (preview) +# Create and set custom IPsec policies for point-to-site connections -If your environment requires a custom IPsec policy for encryption, you can easily configure a policy object with the required settings. This article helps you create a custom policy object, and then set it using PowerShell. +If your point-to-site (P2S) VPN environment requires a custom IPsec policy for encryption, you can easily configure a policy object with the required settings. This article helps you create a custom policy object, and then set it using PowerShell. ## Before you begin 
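Review bot: the `description:` line in this hunk still spells the protocol "IPSec" ("custom IPSec policies for VPN Gateway P2S configurations.") while the title, the new H1 ("custom IPsec policies for point-to-site connections") and the rewritten intro sentence all use "IPsec"; since the hunk already touches that line to add the trailing period, normalize the casing in the same change so the metadata and body agree. Dropping "(preview)" from the H1 is a status change, not a copy edit, so it deserves a word in the commit message or PR description beyond the ms.date bump.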
@@ -26,32 +26,28 @@ Verify that your environment meets the following prerequisites: [!INCLUDE [PowerShell](../../includes/vpn-gateway-cloud-shell-powershell.md)] -## 1. Set variables +## Create and set a policy -Declare the variables that you want to use. Use the following sample, replacing the values for your own when necessary. If you close your PowerShell/Cloud Shell session at any point during the exercise, just copy and paste the values again to redeclare the variables. +1. Declare the variables that you want to use. Use the following sample, replacing the values for your own when necessary. If you close your PowerShell/Cloud Shell session at any point during the exercise, just copy and paste the values again to redeclare the variables. - ```azurepowershell-interactive - $RG = "TestRG" - $GWName = "VNet1GW" - ``` + ```azurepowershell-interactive + $RG = "TestRG" + $GWName = "VNet1GW" + ``` -## 2. Create policy object +1. Create a custom IPsec policy object. Adjust the values in the example to meet your requirements. -Create a custom IPsec policy object. You can adjust the values to meet the criteria you require. + ```azurepowershell-interactive + $vpnclientipsecpolicy = New-AzVpnClientIpsecPolicy -IpsecEncryption AES256 -IpsecIntegrity SHA256 -SALifeTime 86471 -SADataSize 429496 -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup2 -PfsGroup PFS2 + ``` -```azurepowershell-interactive -$vpnclientipsecpolicy = New-AzVpnClientIpsecPolicy -IpsecEncryption AES256 -IpsecIntegrity SHA256 -SALifeTime 86471 -SADataSize 429496 -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup2 -PfsGroup PFS2 -``` +1. Update your existing P2S VPN gateway and set the IPsec policy. -## 3. Update gateway and set policy - -In this step, update your existing P2S VPN gateway and set the IPsec policy. 
- -```azurepowershell-interactive -$gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $RG -name $GWName -Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gateway -VpnClientIpsecPolicy $vpnclientipsecpolicy -``` + ```azurepowershell-interactive + $gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $RG -name $GWName + Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gateway -VpnClientIpsecPolicy $vpnclientipsecpolicy + ``` ## Next steps -For more information about P2S configurations, see [About Point-to-Site VPN](point-to-site-about.md). +For more information about P2S configurations, see [About point-to-site VPN](point-to-site-about.md). diff --git a/includes/container-instances-gpu-limits.md b/includes/container-instances-gpu-limits.md index ccee101d2dec6..6c8dff55940dd 100644 --- a/includes/container-instances-gpu-limits.md +++ b/includes/container-instances-gpu-limits.md @@ -9,12 +9,6 @@ ms.author: tomcassidy | OS | GPU SKU | GPU count | Max CPU | Max Memory (GB) | Storage (GB) | | --- | --- | --- | --- | --- | --- | -| Linux | K80 | 1 | 6 | 56 | 50 | -| Linux | K80 | 2 | 12 | 112 | 50 | -| Linux | K80 | 4 | 24 | 224 | 50 | -| Linux | P100 | 1 | 6 | 112 | 50 | -| Linux | P100 | 2 | 12 | 224 | 50 | -| Linux | P100 | 4 | 24 | 448 | 50 | | Linux | V100 | 1 | 6 | 112 | 50 | | Linux | V100 | 2 | 12 | 224 | 50 | | Linux | V100 | 4 | 24 | 448 | 50 | diff --git a/includes/container-instances-gpu-regions.md b/includes/container-instances-gpu-regions.md index 306721d609706..436d700c0dd86 100644 --- a/includes/container-instances-gpu-regions.md +++ b/includes/container-instances-gpu-regions.md @@ -9,6 +9,4 @@ ms.author: tomcassidy | Regions | OS | Available GPU SKUs | | -------- | ---- | :-----------: | -| East US, West Europe, West US 2 | Linux | K80, P100, V100 | -| Southeast Asia | Linux | V100| -| Central India | Linux | V100 | +| East US, West Europe, West US 2, Southeast Asia, Central India | Linux | V100 | 
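Review bot: the worked example carried into the new numbered step 2 of this hunk sets `-DhGroup DHGroup2 -PfsGroup PFS2`, which is the 1024-bit MODP Diffie-Hellman group; now that the page presents the feature as generally available rather than preview, readers will paste this line as-is, so the example should use a stronger group (DHGroup14, or an ECP group such as ECP256 or ECP384, with the matching PFS value) and the text should say that DHGroup2/PFS2 exist only for legacy client compatibility. The `-SALifeTime 86471 -SADataSize 429496` values also read as placeholders; round numbers with a sentence on the minimum lifetime and data size the gateway accepts would make the example easier to adapt.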
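Review bot: the two container-instances include hunks delete every K80 and P100 row from the GPU limits table and collapse the regions table to a single "V100" row, but neither include gains a sentence explaining the change, so every article that consumes them will silently stop listing SKUs that existing container groups may still be running on. Add a one-line note in the include (or confirm the consuming article has one) stating that K80 and P100 are no longer available for new deployments and what a customer with an existing K80/P100 container group should do.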
diff --git a/includes/policy/reference/bycat/policies-api-for-fhir.md b/includes/policy/reference/bycat/policies-api-for-fhir.md index f09b5b890dc3e..fcc82d3bbeee8 100644 --- a/includes/policy/reference/bycat/policies-api-for-fhir.md +++ b/includes/policy/reference/bycat/policies-api-for-fhir.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-api-management.md b/includes/policy/reference/bycat/policies-api-management.md index e7a34508f6942..053e7ac689da3 100644 --- a/includes/policy/reference/bycat/policies-api-management.md +++ b/includes/policy/reference/bycat/policies-api-management.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-app-configuration.md b/includes/policy/reference/bycat/policies-app-configuration.md index 13a2c92f43bcf..fecfc5b4e3cb5 100644 --- a/includes/policy/reference/bycat/policies-app-configuration.md +++ b/includes/policy/reference/bycat/policies-app-configuration.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-app-platform.md b/includes/policy/reference/bycat/policies-app-platform.md index afac21bc56234..4a35102a6d2ff 100644 --- a/includes/policy/reference/bycat/policies-app-platform.md +++ b/includes/policy/reference/bycat/policies-app-platform.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/reference/bycat/policies-app-service.md b/includes/policy/reference/bycat/policies-app-service.md index db3a8927ba754..715b9a4c1f377 100644 --- a/includes/policy/reference/bycat/policies-app-service.md +++ b/includes/policy/reference/bycat/policies-app-service.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-attestation.md b/includes/policy/reference/bycat/policies-attestation.md index 04368054162ec..cca321644bb70 100644 --- a/includes/policy/reference/bycat/policies-attestation.md +++ b/includes/policy/reference/bycat/policies-attestation.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-automanage.md b/includes/policy/reference/bycat/policies-automanage.md index b1db3121dbc24..e1fc996113f06 100644 --- a/includes/policy/reference/bycat/policies-automanage.md +++ b/includes/policy/reference/bycat/policies-automanage.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-automation.md b/includes/policy/reference/bycat/policies-automation.md index 92317ac0f0fb6..5d8ff67ee7f2a 100644 --- a/includes/policy/reference/bycat/policies-automation.md +++ b/includes/policy/reference/bycat/policies-automation.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/reference/bycat/policies-azure-active-directory.md b/includes/policy/reference/bycat/policies-azure-active-directory.md index ea6e752c70b01..0d18b65edb471 100644 --- a/includes/policy/reference/bycat/policies-azure-active-directory.md +++ b/includes/policy/reference/bycat/policies-azure-active-directory.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-azure-ai-services.md b/includes/policy/reference/bycat/policies-azure-ai-services.md index 3e7834895f66c..49c1aa1d5cdc0 100644 --- a/includes/policy/reference/bycat/policies-azure-ai-services.md +++ b/includes/policy/reference/bycat/policies-azure-ai-services.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- @@ -10,4 +10,5 @@ ms.custom: generated |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. 
This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Diagnostic logs in Azure AI services resources should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b4d1c4e-934c-4703-944c-27c82c06bebb) |Enable logs for Azure AI services resources. This enables you to recreate activity trails for investigation purposes, when a security incident occurs or your network is compromised |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DiagnosticLogs_Audit.json) | diff --git a/includes/policy/reference/bycat/policies-azure-arc.md b/includes/policy/reference/bycat/policies-azure-arc.md index a9f55e1e54fa9..b7f551dfc205d 100644 --- a/includes/policy/reference/bycat/policies-azure-arc.md +++ b/includes/policy/reference/bycat/policies-azure-arc.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-azure-data-explorer.md b/includes/policy/reference/bycat/policies-azure-data-explorer.md index 4317e8fc5e558..4a279f4070aa5 100644 --- a/includes/policy/reference/bycat/policies-azure-data-explorer.md +++ b/includes/policy/reference/bycat/policies-azure-data-explorer.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/reference/bycat/policies-azure-databricks.md b/includes/policy/reference/bycat/policies-azure-databricks.md index 6eca66c314ad3..ea5e2a41fe53a 100644 --- a/includes/policy/reference/bycat/policies-azure-databricks.md +++ b/includes/policy/reference/bycat/policies-azure-databricks.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-azure-edge-hardware-center.md b/includes/policy/reference/bycat/policies-azure-edge-hardware-center.md index 01917bbb9e532..f50103e9d186d 100644 --- a/includes/policy/reference/bycat/policies-azure-edge-hardware-center.md +++ b/includes/policy/reference/bycat/policies-azure-edge-hardware-center.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-azure-load-testing.md b/includes/policy/reference/bycat/policies-azure-load-testing.md index 39bb5d9553461..ea177cc5ab2e9 100644 --- a/includes/policy/reference/bycat/policies-azure-load-testing.md +++ b/includes/policy/reference/bycat/policies-azure-load-testing.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-azure-purview.md b/includes/policy/reference/bycat/policies-azure-purview.md index 472dc7be3ca40..7305095bcb2cb 100644 --- a/includes/policy/reference/bycat/policies-azure-purview.md +++ b/includes/policy/reference/bycat/policies-azure-purview.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/reference/bycat/policies-azure-stack-edge.md b/includes/policy/reference/bycat/policies-azure-stack-edge.md index 363dc1beb6cd6..2678839a14249 100644 --- a/includes/policy/reference/bycat/policies-azure-stack-edge.md +++ b/includes/policy/reference/bycat/policies-azure-stack-edge.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-azure-update-manager.md b/includes/policy/reference/bycat/policies-azure-update-manager.md index 5f42f81567635..710c58b76d9d4 100644 --- a/includes/policy/reference/bycat/policies-azure-update-manager.md +++ b/includes/policy/reference/bycat/policies-azure-update-manager.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- @@ -10,6 +10,6 @@ ms.custom: generated |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| |[Configure periodic checking for missing system updates on azure Arc-enabled servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbfea026e-043f-4ff4-9d1b-bf301ca7ff46) |Configure auto-assessment (every 24 hours) for OS updates on Azure Arc-enabled servers. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: [https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,) for Linux: [https://aka.ms/computevm-linuxpatchassessmentmode](https://aka.ms/computevm-linuxpatchassessmentmode). |modify |[2.2.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_HCRP_AutoAssessmentMode_Modify.json) | -|[Configure periodic checking for missing system updates on azure virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F59efceea-0c96-497e-a4a1-4eb2290dac15) |Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: [https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,) for Linux: [https://aka.ms/computevm-linuxpatchassessmentmode](https://aka.ms/computevm-linuxpatchassessmentmode). 
|modify |[4.7.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_CRP_AutoAssessmentMode_Modify.json) | -|[Machines should be configured to periodically check for missing system updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) |To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: [https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,) for Linux: [https://aka.ms/computevm-linuxpatchassessmentmode](https://aka.ms/computevm-linuxpatchassessmentmode). |Audit, Deny, Disabled |[3.6.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json) | +|[Configure periodic checking for missing system updates on azure virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F59efceea-0c96-497e-a4a1-4eb2290dac15) |Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: [https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,) for Linux: [https://aka.ms/computevm-linuxpatchassessmentmode](https://aka.ms/computevm-linuxpatchassessmentmode). 
|modify |[4.8.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_CRP_AutoAssessmentMode_Modify.json) | +|[Machines should be configured to periodically check for missing system updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) |To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: [https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,) for Linux: [https://aka.ms/computevm-linuxpatchassessmentmode](https://aka.ms/computevm-linuxpatchassessmentmode). |Audit, Deny, Disabled |[3.7.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json) | |[Schedule recurring updates using Azure Update Manager](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba0df93e-e4ac-479a-aac2-134bbae39a1a) |You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. 
See more: [https://aka.ms/umc-scheduled-patching](https://aka.ms/umc-scheduled-patching) |DeployIfNotExists, Disabled |[3.10.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_ScheduledPatching_DINE.json) | diff --git a/includes/policy/reference/bycat/policies-backup.md b/includes/policy/reference/bycat/policies-backup.md index fa7ab9ccd565a..2613fc60d79f8 100644 --- a/includes/policy/reference/bycat/policies-backup.md +++ b/includes/policy/reference/bycat/policies-backup.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
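Review bot: Both `+` rows in this hunk still embed the trailing comma inside the Windows link, `[https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,)`, so the rendered link target ends in a comma and will not resolve to the intended page. These tables are regenerated from the policy definitions (the version column links to the JSON on GitHub), so the comma needs to move outside the link in the definition's description text rather than in this file. The version bumps themselves (4.7.0 to 4.8.0 for the Modify definition, 3.6.0 to 3.7.0 for the Audit definition) come with no visible description change, so nothing else to flag here.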
@@ -13,6 +13,7 @@ ms.custom: generated |[\[Preview\]: Azure Backup should be enabled for AKS clusters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0b0434ec-2bad-4229-965f-bb7ae5a71257) |Ensure protection of your AKS Clusters by enabling Azure Backup. Azure Backup for AKS is a secure and cloud native data protection solution for AKS clusters. |AuditIfNotExists, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/Kubernetes_EnableAzureBackup_Audit.json) | |[\[Preview\]: Azure Backup should be enabled for Blobs in Storage Accounts](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4510daf9-5abc-4d7d-a11d-d84416b814f6) |Ensure protection of your Storage Accounts by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. |AuditIfNotExists, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/StorageAccountBlobs_EnableAzureBackup_Audit.json) | |[\[Preview\]: Azure Backup should be enabled for Managed Disks](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa25a41a7-a769-4271-841d-7ce0297be0c0) |Ensure protection of your Managed Disks by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. |AuditIfNotExists, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/ManagedDisks_EnableAzureBackup_Audit.json) | +|[\[Preview\]: Azure Backup Vaults should use customer-managed keys for encrypting backup data. 
Also an option to enforce Infra Encryption.](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd6588149-9f06-462c-a076-56aece45b5ba) |This policy follows the 'effect' if Encryption Settings are enabled for Backup vaults in the scope. Additionally, option to check if Backup Vault also has Infrastructure Encryption enabled. Learn more at [https://aka.ms/az-backup-vault-encryption-at-rest-with-cmk](https://aka.ms/az-backup-vault-encryption-at-rest-with-cmk). Please note that when 'Deny' effect is used, it would need you to enable Encryption Settings on the existing Backup Vaults in order to allow other update operations on the vault go through. |Audit, Deny, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/AzBackupBackupVault_CMK_Audit.json) | |[\[Preview\]: Azure Recovery Services vaults should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9ebbbba3-4d65-4da9-bb67-b22cfaaff090) |Disabling public network access improves security by ensuring that recovery services vault is not exposed on the public internet. Creating private endpoints can limit exposure of recovery services vault. Learn more at: [https://aka.ms/AB-PublicNetworkAccess-Deny](https://aka.ms/AB-PublicNetworkAccess-Deny). 
|Audit, Deny, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/RecoveryServices_PublicNetworkAccess_AuditDeny.json) | |[\[Preview\]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2e94d99a-8a36-4563-bc77-810d8893b671) |Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/AB-CmkEncryption](https://aka.ms/AB-CmkEncryption). |Audit, Deny, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/AzBackupRSVault_CMKEnabled_Audit.json) | |[\[Preview\]: Azure Recovery Services vaults should use private link for backup](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdeeddb44-9f94-4903-9fa0-081d524406e3) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/AB-PrivateEndpoints](https://aka.ms/AB-PrivateEndpoints). 
|Audit, Disabled |[2.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/RecoveryServices_PrivateEndpoint_Audit.json) | diff --git a/includes/policy/reference/bycat/policies-batch.md b/includes/policy/reference/bycat/policies-batch.md index 381fd4020017e..ef65b5e7452ae 100644 --- a/includes/policy/reference/bycat/policies-batch.md +++ b/includes/policy/reference/bycat/policies-batch.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-bot-service.md b/includes/policy/reference/bycat/policies-bot-service.md index e3f51465d9fe0..b662981079b11 100644 --- a/includes/policy/reference/bycat/policies-bot-service.md +++ b/includes/policy/reference/bycat/policies-bot-service.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-cache.md b/includes/policy/reference/bycat/policies-cache.md index 0c5f246380851..16c145b0cf8f6 100644 --- a/includes/policy/reference/bycat/policies-cache.md +++ b/includes/policy/reference/bycat/policies-cache.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
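Review bot: The description of the added Backup Vault CMK row reads inverted: "This policy follows the 'effect' if Encryption Settings are enabled for Backup vaults in the scope" would flag the compliant vaults, whereas the policy name says vaults should use customer-managed keys; confirm the intended wording (presumably "if Encryption Settings are not enabled") in the definition this row is generated from. The policy name also ends in a second full sentence ("... for encrypting backup data. Also an option to enforce Infra Encryption."), which no other row in the table does and which lands inside the link text; that sentence belongs in the description. The Deny caveat is worth keeping as written: it states that existing vaults cannot receive other update operations until Encryption Settings are enabled, so an assignment should start with Audit and move to Deny only once existing vaults have been remediated.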
@@ -11,6 +11,7 @@ ms.custom: generated |---|---|---|---| |[Azure Cache for Redis should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F470baccb-7e51-4549-8b1a-3e5be069f663) |Disabling public network access improves security by ensuring that the Azure Cache for Redis isn't exposed on the public internet. You can limit exposure of your Azure Cache for Redis by creating private endpoints instead. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../../articles/azure-cache-for-redis/cache-private-link.md). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PublicNetworkAccess_AuditDeny.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../../articles/azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | +|[Configure Azure Cache for Redis to disable non SSL ports](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F766f5de3-c6c0-4327-9f4d-042ab8ae846c) |Enable SSL only connections to Azure Cache for Redis. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Modify, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_EnableNonSSLPort_Modify.json) | |[Configure Azure Cache for Redis to disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F30b3dfa5-a70d-4c8e-bed6-0083858f663d) |Disable public network access for your Azure Cache for Redis resource so that it's not accessible over the public internet. This helps protect the cache against data leakage risks. |Modify, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PublicNetworkAccess_Modify.json) | |[Configure Azure Cache for Redis to use private DNS zones](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe016b22b-e0eb-436d-8fd7-160c4eaed6e2) |Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve to Azure Cache for Redis. Learn more at: [https://aka.ms/privatednszone](https://aka.ms/privatednszone). 
|DeployIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateDNSZone_DINE.json) | |[Configure Azure Cache for Redis with private endpoints](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5d8094d7-7340-465a-b6fd-e60ab7e48920) |Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis resources, you can reduce data leakage risks. Learn more at: [https://aka.ms/redis/privateendpoint](https://aka.ms/redis/privateendpoint). |DeployIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_DINE.json) | diff --git a/includes/policy/reference/bycat/policies-cdn.md b/includes/policy/reference/bycat/policies-cdn.md index fa24d08f19765..58cd8d7bba500 100644 --- a/includes/policy/reference/bycat/policies-cdn.md +++ b/includes/policy/reference/bycat/policies-cdn.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-changetrackingandinventory.md b/includes/policy/reference/bycat/policies-changetrackingandinventory.md index 81b9f781fe478..147a0fd4e3a8c 100644 --- a/includes/policy/reference/bycat/policies-changetrackingandinventory.md +++ b/includes/policy/reference/bycat/policies-changetrackingandinventory.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
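Review bot: The added "Configure Azure Cache for Redis to disable non SSL ports" row is missing the terminal period after "session-hijacking", and "non SSL" should be hyphenated ("non-SSL") to match "man-in-the-middle" in the same sentence. The version link points at `RedisCache_EnableNonSSLPort_Modify.json`, whose name suggests the opposite of what the policy does; if that is the real file name it stays, but the description should then say which property the Modify effect changes on the cache, since "Enable SSL only connections" describes the outcome rather than the setting being modified.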
diff --git a/includes/policy/reference/bycat/policies-cognitive-services.md b/includes/policy/reference/bycat/policies-cognitive-services.md index 93809eee52e19..5667a3d67c88a 100644 --- a/includes/policy/reference/bycat/policies-cognitive-services.md +++ b/includes/policy/reference/bycat/policies-cognitive-services.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-compute.md b/includes/policy/reference/bycat/policies-compute.md index 603bec887b116..6aa66617ab6fe 100644 --- a/includes/policy/reference/bycat/policies-compute.md +++ b/includes/policy/reference/bycat/policies-compute.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-container-apps.md b/includes/policy/reference/bycat/policies-container-apps.md index 2eecb0fdf7911..9354250f4b4d7 100644 --- a/includes/policy/reference/bycat/policies-container-apps.md +++ b/includes/policy/reference/bycat/policies-container-apps.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-container-instance.md b/includes/policy/reference/bycat/policies-container-instance.md index d4855094e094b..7f88604550abf 100644 --- a/includes/policy/reference/bycat/policies-container-instance.md +++ b/includes/policy/reference/bycat/policies-container-instance.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/reference/bycat/policies-container-instances.md b/includes/policy/reference/bycat/policies-container-instances.md index 9b20a213d119a..757d74b6f6658 100644 --- a/includes/policy/reference/bycat/policies-container-instances.md +++ b/includes/policy/reference/bycat/policies-container-instances.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-container-registry.md b/includes/policy/reference/bycat/policies-container-registry.md index 9ac79bff0d9cb..863b088275817 100644 --- a/includes/policy/reference/bycat/policies-container-registry.md +++ b/includes/policy/reference/bycat/policies-container-registry.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-cosmos-db.md b/includes/policy/reference/bycat/policies-cosmos-db.md index c552d94b81dcf..3ec9312ab176e 100644 --- a/includes/policy/reference/bycat/policies-cosmos-db.md +++ b/includes/policy/reference/bycat/policies-cosmos-db.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-custom-provider.md b/includes/policy/reference/bycat/policies-custom-provider.md index 713632b1ba9b5..b6916a8819540 100644 --- a/includes/policy/reference/bycat/policies-custom-provider.md +++ b/includes/policy/reference/bycat/policies-custom-provider.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/reference/bycat/policies-data-box.md b/includes/policy/reference/bycat/policies-data-box.md index c8585a68d3e7b..93fd6f5331673 100644 --- a/includes/policy/reference/bycat/policies-data-box.md +++ b/includes/policy/reference/bycat/policies-data-box.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-data-factory.md b/includes/policy/reference/bycat/policies-data-factory.md index 4df67187a4e69..2767f043b30c9 100644 --- a/includes/policy/reference/bycat/policies-data-factory.md +++ b/includes/policy/reference/bycat/policies-data-factory.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-data-lake.md b/includes/policy/reference/bycat/policies-data-lake.md index 309d130ee260e..c429c86486186 100644 --- a/includes/policy/reference/bycat/policies-data-lake.md +++ b/includes/policy/reference/bycat/policies-data-lake.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-desktop-virtualization.md b/includes/policy/reference/bycat/policies-desktop-virtualization.md index 30c59b266972f..050e20054b764 100644 --- a/includes/policy/reference/bycat/policies-desktop-virtualization.md +++ b/includes/policy/reference/bycat/policies-desktop-virtualization.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/reference/bycat/policies-devcenter.md b/includes/policy/reference/bycat/policies-devcenter.md new file mode 100644 index 0000000000000..f11e502f6ff75 --- /dev/null +++ b/includes/policy/reference/bycat/policies-devcenter.md @@ -0,0 +1,12 @@ +--- +author: davidsmatlak +ms.service: azure-policy +ms.topic: include +ms.date: 03/18/2024 +ms.author: davidsmatlak +ms.custom: generated +--- + +|Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | +|---|---|---|---| +|[\[Preview\]: Microsoft Dev Box Pools should not use Microsoft Hosted Networks.](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fece3c79b-2caf-470d-a5f5-66470c4fc649) |Disallows the use of Microsoft Hosted Networks when creating Pool resources. |Audit, Deny, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/DevCenter/MicrosoftHostedNetworks_Audit.json) | diff --git a/includes/policy/reference/bycat/policies-elasticsan.md b/includes/policy/reference/bycat/policies-elasticsan.md index ed773da75ff3f..cd14e0f2e3b94 100644 --- a/includes/policy/reference/bycat/policies-elasticsan.md +++ b/includes/policy/reference/bycat/policies-elasticsan.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-event-grid.md b/includes/policy/reference/bycat/policies-event-grid.md index 335741b446c76..6e245a65beb57 100644 --- a/includes/policy/reference/bycat/policies-event-grid.md +++ b/includes/policy/reference/bycat/policies-event-grid.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-event-hub.md b/includes/policy/reference/bycat/policies-event-hub.md index cb342c8748be1..d5ef7eac751f1 100644 --- a/includes/policy/reference/bycat/policies-event-hub.md +++ b/includes/policy/reference/bycat/policies-event-hub.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
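Review bot: The policy name in the new Dev Center row ends with a period ("... should not use Microsoft Hosted Networks."), which no other row in these generated tables does and which ends up inside the link text; drop it in the source definition. The description ("Disallows the use of Microsoft Hosted Networks when creating Pool resources.") gives no rationale and does not say which network configuration is expected instead, which readers need when choosing between the Audit and Deny effects offered; a one-line reason would make the row actionable.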
diff --git a/includes/policy/reference/bycat/policies-fluid-relay.md b/includes/policy/reference/bycat/policies-fluid-relay.md index 65d3c76cc02c7..ac354230cc5e6 100644 --- a/includes/policy/reference/bycat/policies-fluid-relay.md +++ b/includes/policy/reference/bycat/policies-fluid-relay.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-general.md b/includes/policy/reference/bycat/policies-general.md index 34df852bc8c6a..540664b43cc7a 100644 --- a/includes/policy/reference/bycat/policies-general.md +++ b/includes/policy/reference/bycat/policies-general.md @@ -2,20 +2,20 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| -|[\[Preview\]: Do not allow deletion of resource types](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F78460a36-508a-49a4-b2b2-2f5ec564f4bb) |This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect. |DenyAction, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/ResourceType_denyActionDelete.json) | |[Allowed locations](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe56962a6-4747-49cd-b67b-bf8b01975c4c) |This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region. |deny |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/AllowedLocations_Deny.json) | |[Allowed locations for resource groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe765b5de-1225-4ba3-bd56-1ac6695af988) |This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements. 
|deny |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/ResourceGroupAllowedLocations_Deny.json) | |[Allowed resource types](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa08ec900-254a-4555-9bf5-e42af04b5c5c) |This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources please duplicate this policy and change the 'mode' to 'All'. |deny |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/AllowedResourceTypes_Deny.json) | |[Audit resource location matches resource group location](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a914e76-4921-4c19-b460-a2d36003525a) |Audit that the resource location matches its resource group location |audit |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/ResourcesInResourceGroupLocation_Audit.json) | |[Audit usage of custom RBAC roles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. 
Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) | |[Configure subscriptions to set up preview features](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe624c84f-2923-4437-9fd9-4115c6da3888) |This policy evaluates existing subscription's preview features. Subscriptions can be remediated to register to a new preview feature. New subscriptions will not be automatically registered. |AuditIfNotExists, DeployIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/subscriptionFeatureRegistration-DINE.json) | +|[Do not allow deletion of resource types](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F78460a36-508a-49a4-b2b2-2f5ec564f4bb) |This policy enables you to specify the resource types that your organization can protect from accidentals deletion by blocking delete calls using deny action effect. |DenyAction, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/ResourceType_denyActionDelete.json) | |[Do Not Allow M365 resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F176b7c36-ac64-4f15-a296-50bd7fafab12) |Block creation of M365 resources. 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/NotAllowM365_Deny.json) | |[Do Not Allow MCPP resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F335d919a-dc24-4a94-b7cb-9f81b1a8156f) |Block creation of MCPP resources. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/NotAllowMCPP_Deny.json) | |[Exclude Usage Costs Resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F16fabb5c-7379-4433-8009-042066fa3a16) |This policy enables you to exlcude Usage Costs Resources. Usage costs include things like metered storage and Azure resources which are billed based on usage. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/ExcludeUsageCosts_Deny.json) | diff --git a/includes/policy/reference/bycat/policies-guest-configuration.md b/includes/policy/reference/bycat/policies-guest-configuration.md index 452582c620d6f..2c996957fa0f6 100644 --- a/includes/policy/reference/bycat/policies-guest-configuration.md +++ b/includes/policy/reference/bycat/policies-guest-configuration.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-hdinsight.md b/includes/policy/reference/bycat/policies-hdinsight.md index 4adfbfd965a6b..3035d52af6b48 100644 --- a/includes/policy/reference/bycat/policies-hdinsight.md +++ b/includes/policy/reference/bycat/policies-hdinsight.md 
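Review bot: The added non-preview "Do not allow deletion of resource types" row (1.0.1) carries over the typo "accidentals deletion" from the removed preview row; since the row is regenerated from the definition, the description needs correcting upstream to "accidental deletion". The surrounding context rows have similar typos ("Contributer" in the custom RBAC roles row, "exlcude" in the Exclude Usage Costs row) that could go in the same pass. The preview-to-GA move is otherwise consistent: the `-` and `+` rows share the definition ID 78460a36-508a-49a4-b2b2-2f5ec564f4bb and the effects "DenyAction, Disabled", with the version moving from 1.0.0-preview to 1.0.1.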
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-health-bot.md b/includes/policy/reference/bycat/policies-health-bot.md index e1df1f86ffb7b..1dac677afa120 100644 --- a/includes/policy/reference/bycat/policies-health-bot.md +++ b/includes/policy/reference/bycat/policies-health-bot.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-health-data-services-workspace.md b/includes/policy/reference/bycat/policies-health-data-services-workspace.md index eeadb2df3c691..ff9e09869cf31 100644 --- a/includes/policy/reference/bycat/policies-health-data-services-workspace.md +++ b/includes/policy/reference/bycat/policies-health-data-services-workspace.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-healthcare-apis.md b/includes/policy/reference/bycat/policies-healthcare-apis.md index a69f9be1326c1..3c6ca12ee707d 100644 --- a/includes/policy/reference/bycat/policies-healthcare-apis.md +++ b/includes/policy/reference/bycat/policies-healthcare-apis.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-internet-of-things.md b/includes/policy/reference/bycat/policies-internet-of-things.md index 09c973de3017e..8d7b3ec664d17 100644 --- a/includes/policy/reference/bycat/policies-internet-of-things.md +++ b/includes/policy/reference/bycat/policies-internet-of-things.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-key-vault.md b/includes/policy/reference/bycat/policies-key-vault.md index a7c7e0e7cc732..9abd7b9759766 100644 --- a/includes/policy/reference/bycat/policies-key-vault.md +++ b/includes/policy/reference/bycat/policies-key-vault.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-kubernetes.md b/includes/policy/reference/bycat/policies-kubernetes.md index 7ab9b54a87ead..231e0542f6a5d 100644 --- a/includes/policy/reference/bycat/policies-kubernetes.md +++ b/includes/policy/reference/bycat/policies-kubernetes.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
@@ -11,16 +11,16 @@ ms.custom: generated |---|---|---|---| |[\[Preview\]: \[Image Integrity\] Kubernetes clusters should only use images signed by notation](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcf426bb8-b320-4321-8545-1b784a5df3a4) |Use images signed by notation to ensure that images come from trusted sources and will not be maliciously modified. For more info, visit [https://aka.ms/aks/image-integrity](https://aka.ms/aks/image-integrity) |Audit, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ImageIntegrityNotationVerification.json) | |[\[Preview\]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) |Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc](../../../../articles/defender-for-cloud/defender-for-containers-enable.md). |AuditIfNotExists, Disabled |[6.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Arc_Extension_Audit.json) | -|[\[Preview\]: Cannot Edit Individual Nodes](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F53a4a537-990c-495a-92e0-7c21a465442c) |Cannot Edit Individual Nodes. 
Users should not edit individual nodes. Please edit node pools. |Audit, Deny, Disabled |[1.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/CannotEditIndividualNodes.json) | +|[\[Preview\]: Cannot Edit Individual Nodes](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F53a4a537-990c-495a-92e0-7c21a465442c) |Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. |Audit, Deny, Disabled |[1.1.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/CannotEditIndividualNodes.json) | |[\[Preview\]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F708b60a6-d253-4fe0-9114-4be4c00f012c) |Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc](../../../../articles/defender-for-cloud/defender-for-containers-enable.md). 
|DeployIfNotExists, Disabled |[7.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Arc_Extension_DINE.json) | |[\[Preview\]: Deploy Image Integrity on Azure Kubernetes Service](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5dc99dae-cfb2-42cc-8762-9aae02b74e27) |Deploy both Image Integrity and Policy Add-Ons Azure Kubernetes clusters. For more info, visit [https://aka.ms/aks/image-integrity](https://aka.ms/aks/image-integrity) |DeployIfNotExists, Disabled |[1.0.5-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_ImageIntegrity_DINE.json) | |[\[Preview\]: Kubernetes cluster containers should only pull images when image pull secrets are present](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F12db3749-7e03-4b9f-b443-d37d3fb9f8d9) |Restrict containers' image pulls to enforce the presence of ImagePullSecrets, ensuring secure and authorized access to images within a Kubernetes cluster |Audit, Deny, Disabled |[1.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerRestrictedImagePulls.json) | -|[\[Preview\]: Kubernetes cluster services should use unique selectors](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb0fdedee-7b9e-4a17-9f5d-5e8e912d2f01) |Ensure that Services in a namespace have unique selectors. This policy relies on Gatekeeper data replication and syncs all ingress resources into OPA. Prior to applying this policy, please confirm that syncing ingress resources won't exceed your memory capacity. 
The policy parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. This policy is currently in preview for Kubernetes Service (AKS) |Audit, Deny, Disabled |[1.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/UniqueServiceSelectors.json) | -|[\[Preview\]: Kubernetes cluster should implement accurate Pod Disruption Budgets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d) |Prevents customers from applying bad Pod Disruption Budgets. This policy relies on Gatekeeper data replication, and all ingress resources scoped to this policy will be synced into OPA. Please verify that the ingresses resources being synced won't overwhelm your memory capacity prior to assigning this policy. The policy parameters will evaluate only certain namespaces, but all resources of that kind in all namespaces will get synced. This policy is in preview for Kubernetes Service (AKS). |Audit, Deny, Disabled |[1.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/DisallowedBadPodDisruptionBudgets.json) | +|[\[Preview\]: Kubernetes cluster services should use unique selectors](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb0fdedee-7b9e-4a17-9f5d-5e8e912d2f01) |Ensure Services in a Namespace Have Unique Selectors. A unique service selector ensures that each service within a namespace is uniquely identifiable based on specific criteria. This policy syncs ingress resources into OPA via Gatekeeper. Before applying, verify Gatekeeper pods memory capacity won't be exceeded. Parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. 
Currently in preview for Kubernetes Service (AKS). |Audit, Deny, Disabled |[1.1.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/UniqueServiceSelectors.json) | +|[\[Preview\]: Kubernetes cluster should implement accurate Pod Disruption Budgets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d) |Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS). |Audit, Deny, Disabled |[1.1.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/DisallowedBadPodDisruptionBudgets.json) | |[\[Preview\]: Kubernetes clusters should restrict creation of given resource type](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb81f454c-eebb-4e4f-9dfe-dca060e8a8fd) |Given Kubernetes resource type should not be deployed in certain namespace. |Audit, Deny, Disabled |[2.2.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockResource.json) | -|[\[Preview\]: Must Have Anti Affinity Rules Set](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34c88cd4-5d72-4dbb-bf77-12c3cafe8791) |Requires affinity rules to be set. 
|Audit, Deny, Disabled |[1.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/MustHaveAntiAffinityRulesSet.json) | -|[\[Preview\]: No AKS Specific Labels](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa22123bd-b9da-4c86-9424-24903e91fd55) |Prevents customers from applying AKS specific labels |Audit, Deny, Disabled |[1.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/NoAKSSpecificLabels.json) | -|[\[Preview\]: Reserved System Pool Taints](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F48940d92-ff05-449e-9111-e742d9280451) |Restricts the CriticalAddonsOnly taint to just the system pool |Audit, Deny, Disabled |[1.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReservedSystemPoolTaints.json) | +|[\[Preview\]: Must Have Anti Affinity Rules Set](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34c88cd4-5d72-4dbb-bf77-12c3cafe8791) |This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience. 
|Audit, Deny, Disabled |[1.1.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/MustHaveAntiAffinityRulesSet.json) | +|[\[Preview\]: No AKS Specific Labels](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa22123bd-b9da-4c86-9424-24903e91fd55) |Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels. |Audit, Deny, Disabled |[1.1.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/NoAKSSpecificLabels.json) | +|[\[Preview\]: Reserved System Pool Taints](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F48940d92-ff05-449e-9111-e742d9280451) |Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint. |Audit, Deny, Disabled |[1.1.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReservedSystemPoolTaints.json) | |[Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6b2122c1-8120-4ff5-801b-17625a355590) |The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at [https://aka.ms/akspolicydoc](https://aka.ms/akspolicydoc). 
|AuditIfNotExists, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ArcPolicyExtension_Audit.json) | |[Azure Arc-enabled Kubernetes clusters should have the Open Service Mesh extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F73868911-4f4a-444f-adbd-5382bf70208a) |Open Service Mesh extension provides all standard service mesh capabilities for security, traffic management and observability of application services. Learn more here: [https://aka.ms/arc-osm-doc](https://aka.ms/arc-osm-doc) |DeployIfNotExists, AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ArcOpenServiceMeshExtension.json) | |[Azure Arc-enabled Kubernetes clusters should have the Strimzi Kafka extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa8e653d9-b5d4-48a0-afe6-14d881f9ee9a) |Strimzi Kafka extension provides the operators to install Kafka for building real-time data pipelines and streaming applications with security and observability capabilities. Learn more here: [https://aka.ms/arc-strimzikafka-doc](https://aka.ms/arc-strimzikafka-doc). |DeployIfNotExists, AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ArcStrimziKafkaExtension.json) | 
@@ -52,10 +52,10 @@ ms.custom: generated |[Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6f560f4-f582-4b67-b123-a37dcd1bf7ea) |Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires HTTPS user and key secrets stored in Key Vault. For instructions, visit [https://aka.ms/K8sGitOpsPolicy](https://aka.ms/K8sGitOpsPolicy). |auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/Deploy-GitOps-to-Kubernetes-cluster-HTTPS-secrets_DINE.json) | |[Configure Kubernetes clusters with specified GitOps configuration using no secrets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1d61c4d2-aef2-432b-87fc-7f96b019b7e1) |Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires no secrets. For instructions, visit [https://aka.ms/K8sGitOpsPolicy](https://aka.ms/K8sGitOpsPolicy). 
|auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/Deploy-GitOps-to-Kubernetes-cluster-no-secrets_DINE.json) | |[Configure Kubernetes clusters with specified GitOps configuration using SSH secrets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc050047b-b21b-4822-8a2d-c1e37c3c0c6a) |Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires a SSH private key secret in Key Vault. For instructions, visit [https://aka.ms/K8sGitOpsPolicy](https://aka.ms/K8sGitOpsPolicy). |auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/Deploy-GitOps-to-Kubernetes-cluster-SSH-secrets_DINE.json) | -|[Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F36a27de4-199b-40fb-b336-945a8475d6c5) |Ensure to improve cluster security by centrally govern Administrator access to Microsoft Entra ID integrated AKS clusters. 
|DeployIfNotExists, Disabled |[2.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AAD_AdminGroup_DINE.json) | +|[Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F36a27de4-199b-40fb-b336-945a8475d6c5) |Ensure to improve cluster security by centrally govern Administrator access to Microsoft Entra ID integrated AKS clusters. |DeployIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AAD_AdminGroup_DINE.json) | |[Configure Node OS Auto upgrade on Azure Kubernetes Cluster](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F40f1aee2-4db4-4b74-acb1-c6972e24cca8) |Use Node OS auto-upgrade to control node-level OS security updates of Azure Kubernetes Service (AKS) clusters. For more info, visit [https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-node-image](../../../../articles/aks/auto-upgrade-node-image.md). |DeployIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_Autoupgrade_NodeOS_DINE.json) | |[Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6c66c325-74c8-42fd-a286-a74b0e2939d8) |Deploys the diagnostic settings for Azure Kubernetes Service to stream resource logs to a Log Analytics workspace. 
|DeployIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/DataConnectorsAzureKubernetes_DINE.json) | -|[Deploy Azure Policy Add-on to Azure Kubernetes Service clusters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa8eff44f-8c92-45c3-a3fb-9880802d67a7) |Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see [https://aka.ms/akspolicydoc](https://aka.ms/akspolicydoc). |DeployIfNotExists, Disabled |[4.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AzurePolicyAddOn_DINE.json) | +|[Deploy Azure Policy Add-on to Azure Kubernetes Service clusters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa8eff44f-8c92-45c3-a3fb-9880802d67a7) |Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see [https://aka.ms/akspolicydoc](https://aka.ms/akspolicydoc). |DeployIfNotExists, Disabled |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AzurePolicyAddOn_DINE.json) | |[Deploy Image Cleaner on Azure Kubernetes Service](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7e49285c-4bed-4564-b26a-5225ccc311f3) |Deploy Image Cleaner on Azure Kubernetes clusters. 
For more info, visit [https://aka.ms/aks/image-cleaner](https://aka.ms/aks/image-cleaner) |DeployIfNotExists, Disabled |[1.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_ImageCleaner_DINE.json) | |[Deploy Planned Maintenance to schedule and control upgrades for your Azure Kubernetes Service (AKS) cluster](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1352e44-d34d-4e4d-a22e-451a15f759a1) |Planned Maintenance allows you to schedule weekly maintenance windows to perform updates and minimize workload impact. Once scheduled, upgrades occur only during the window you selected. Learn more at: [https://aka.ms/aks/planned-maintenance](https://aka.ms/aks/planned-maintenance) |DeployIfNotExists, AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_Maintenance_DINE.json) | |[Disable Command Invoke on Azure Kubernetes Service clusters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b708b0a-3380-40e9-8b79-821f9fa224cc) |Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster |DeployIfNotExists, Disabled |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_DisableRunCommand_DINE.json) | diff --git a/includes/policy/reference/bycat/policies-lab-services.md b/includes/policy/reference/bycat/policies-lab-services.md index e83b8efa20c9f..37a2609afa67d 100644 --- a/includes/policy/reference/bycat/policies-lab-services.md +++ b/includes/policy/reference/bycat/policies-lab-services.md 
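Review bot: In the policies-kubernetes.md hunk at @@ -52,10 +52,10 @@, the "Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access" row moves from 2.0.4 to 2.1.0 and the "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters" row from 4.0.1 to 4.1.0 with the description cells byte-for-byte unchanged, so a reader of the table gets no indication of what changed in a minor-version bump of two DeployIfNotExists policies; a pointer to the definition history or a one-line changelog note would help anyone deciding whether to re-review their assignments. The carried-over text "Ensure to improve cluster security by centrally govern Administrator access" is also still ungrammatical ("by centrally governing"); as the file is generated, that wording belongs in AKS_AAD_AdminGroup_DINE.json upstream.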
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-lighthouse.md b/includes/policy/reference/bycat/policies-lighthouse.md index 4b77b9421528e..da9b834031240 100644 --- a/includes/policy/reference/bycat/policies-lighthouse.md +++ b/includes/policy/reference/bycat/policies-lighthouse.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-logic-apps.md b/includes/policy/reference/bycat/policies-logic-apps.md index 8405184e57c24..f78571900100a 100644 --- a/includes/policy/reference/bycat/policies-logic-apps.md +++ b/includes/policy/reference/bycat/policies-logic-apps.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-machine-learning.md b/includes/policy/reference/bycat/policies-machine-learning.md index eb7d56e154612..178cf5b7e8870 100644 --- a/includes/policy/reference/bycat/policies-machine-learning.md +++ b/includes/policy/reference/bycat/policies-machine-learning.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
@@ -13,13 +13,13 @@ ms.custom: generated |[Azure Machine Learning Compute Instance should have idle shutdown.](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F679ddf89-ab8f-48a5-9029-e76054077449) |Having an idle shutdown schedule reduces cost by shutting down computes that are idle after a pre-determined period of activity. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/IdleShutdown_Audit.json) | |[Azure Machine Learning compute instances should be recreated to get the latest software updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff110a506-2dcb-422e-bcea-d533fc8c35e2) |Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit [https://aka.ms/azureml-ci-updates/](https://aka.ms/azureml-ci-updates/). |[parameters('effects')] |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/ComputeInstanceUpdates_Audit.json) | |[Azure Machine Learning Computes should be in a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7804b5c7-01dc-4723-969b-ae300cc07ff1) |Azure Virtual Networks provide enhanced security and isolation for your Azure Machine Learning Compute Clusters and Instances, as well as subnets, access control policies, and other features to further restrict access. When a compute is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Vnet_Audit.json) | -|[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | +|[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). |Audit, Deny, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | |[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. 
By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | |[Azure Machine Learning Workspaces should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F438c38d2-3772-465a-a9cc-7a6666a275ce) |Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: [https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal](../../../../articles/machine-learning/how-to-configure-private-link.md). |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PublicNetworkAccessDisabled_Audit.json) | |[Azure Machine Learning workspaces should enable V1LegacyMode to support network isolation backward compatibility](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe413671a-dd10-4cc1-a943-45b598596cb7) |Azure ML is making a transition to a new V2 API platform on Azure Resource Manager and you can control API platform version using V1LegacyMode parameter. 
Enabling the V1LegacyMode parameter will enable you to keep your workspaces in the same network isolation as V1, though you won't have use of the new V2 features. We recommend turning on V1 Legacy Mode only when you want to keep the AzureML control plane data inside your private networks. Learn more at: [https://aka.ms/V1LegacyMode](https://aka.ms/V1LegacyMode). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_EnableV1LegacyMode_Audit.json) | |[Azure Machine Learning workspaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F45e05259-1eb5-4f70-9574-baf73e9d219b) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link](../../../../articles/machine-learning/how-to-configure-private-link.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateEndpoint_Audit_V2.json) | |[Azure Machine Learning workspaces should use user-assigned managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0c7d88-c7de-45b8-ac49-db49e72eaa78) |Manange access to Azure ML workspace and associated resources, Azure Container Registry, KeyVault, Storage, and App Insights using user-assigned managed identity. 
By default, system-assigned managed identity is used by Azure ML workspace to access the associated resources. User-assigned managed identity allows you to create the identity as an Azure resource and maintain the life cycle of that identity. Learn more at [https://docs.microsoft.com/azure/machine-learning/how-to-use-managed-identities?tabs=python](../../../../articles/machine-learning/how-to-use-managed-identities.md). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_UAIEnabled_Audit.json) | -|[Configure Azure Machine Learning Computes to disable local authentication methods](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6f9a2d0-cff7-4855-83ad-4cd750666512) |Disable location authentication methods so that your Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). |Modify, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Modify.json) | +|[Configure Azure Machine Learning Computes to disable local authentication methods](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6f9a2d0-cff7-4855-83ad-4cd750666512) |Disable location authentication methods so that your Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). 
|Modify, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Modify.json) | |[Configure Azure Machine Learning workspace to use private DNS zones](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee40564d-486e-4f68-a5ca-7a621edae0fb) |Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Machine Learning workspaces. Learn more at: [https://docs.microsoft.com/azure/machine-learning/how-to-network-security-overview](../../../../articles/machine-learning/how-to-network-security-overview.md). |DeployIfNotExists, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateDnsZones_DINE.json) | |[Configure Azure Machine Learning Workspaces to disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa10ee784-7409-4941-b091-663697637c0f) |Disable public network access for Azure Machine Learning Workspaces so that your workspaces aren't accessible over the public internet. This helps protect the workspaces against data leakage risks. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: [https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal](../../../../articles/machine-learning/how-to-configure-private-link.md). 
|Modify, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PublicNetworkAccessDisabled_Modify.json) | |[Configure Azure Machine Learning workspaces with private endpoints](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7838fd83-5cbb-4b5d-888c-bfa240972597) |Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Machine Learning workspace, you can reduce data leakage risks. Learn more about private links at: [https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link](../../../../articles/machine-learning/how-to-configure-private-link.md). |DeployIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateEndpoint_DINE.json) | diff --git a/includes/policy/reference/bycat/policies-managed-application.md b/includes/policy/reference/bycat/policies-managed-application.md index 2dfe216e268da..213777edc604d 100644 --- a/includes/policy/reference/bycat/policies-managed-application.md +++ b/includes/policy/reference/bycat/policies-managed-application.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-managed-grafana.md b/includes/policy/reference/bycat/policies-managed-grafana.md index b4cb0c5c00b7d..f38b6284324b8 100644 --- a/includes/policy/reference/bycat/policies-managed-grafana.md +++ b/includes/policy/reference/bycat/policies-managed-grafana.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-managed-identity.md b/includes/policy/reference/bycat/policies-managed-identity.md index 622d0d390d2dc..f303cb27c82f1 100644 --- a/includes/policy/reference/bycat/policies-managed-identity.md +++ b/includes/policy/reference/bycat/policies-managed-identity.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-maps.md b/includes/policy/reference/bycat/policies-maps.md index e6f5844771c0a..7829701f257d4 100644 --- a/includes/policy/reference/bycat/policies-maps.md +++ b/includes/policy/reference/bycat/policies-maps.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-media-services.md b/includes/policy/reference/bycat/policies-media-services.md index 414088175d7c4..e47b1fe27ed10 100644 --- a/includes/policy/reference/bycat/policies-media-services.md +++ b/includes/policy/reference/bycat/policies-media-services.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-migrate.md b/includes/policy/reference/bycat/policies-migrate.md index fa018208a7f61..80b2dfad123ed 100644 --- a/includes/policy/reference/bycat/policies-migrate.md +++ b/includes/policy/reference/bycat/policies-migrate.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-mobile-network.md b/includes/policy/reference/bycat/policies-mobile-network.md index 7d51d5516109d..3a2b709a2a1cf 100644 --- a/includes/policy/reference/bycat/policies-mobile-network.md +++ b/includes/policy/reference/bycat/policies-mobile-network.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-monitoring.md b/includes/policy/reference/bycat/policies-monitoring.md index 94293f0230868..5803c51e2e8f4 100644 --- a/includes/policy/reference/bycat/policies-monitoring.md +++ b/includes/policy/reference/bycat/policies-monitoring.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
@@ -48,26 +48,26 @@ ms.custom: generated |[Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08a4470f-b26d-428d-97f4-7e3e9c92b366) |Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - [https://aka.ms/vminsightsdocs](https://aka.ms/vminsightsdocs). |DeployIfNotExists, Disabled |[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_HybridVM_Deploy_AMA.json) | |[Configure Dependency agent on Azure Arc enabled Windows servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4) |Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - [https://aka.ms/vminsightsdocs](https://aka.ms/vminsightsdocs). 
|DeployIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_HybridVM_DINE.json) | |[Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F84cfed75-dfd4-421b-93df-725b479d356a) |Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - [https://aka.ms/vminsightsdocs](https://aka.ms/vminsightsdocs). |DeployIfNotExists, Disabled |[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_HybridVM_Deploy_AMA.json) | -|[Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd5c37ce1-5f52-4523-b949-f19bf945b73a) |Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. 
|DeployIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Arc_Linux_DINE.json) | +|[Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd5c37ce1-5f52-4523-b949-f19bf945b73a) |Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. |DeployIfNotExists, Disabled |[2.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Arc_Linux_DINE.json) | |[Configure Linux Arc-enabled machines to run Azure Monitor Agent](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F845857af-0333-4c5d-bbbc-6076697da122) |Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). 
|DeployIfNotExists, Disabled |[2.3.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_HybridVM_DINE.json) | -|[Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2ea82cdd-f2e8-4500-af75-67a2e084ca74) |Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. |DeployIfNotExists, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Linux_DINE.json) | -|[Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F050a90d5-7cce-483f-8f6c-0df462036dda) |Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. 
|DeployIfNotExists, Disabled |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VMSS_Linux_DINE.json) | +|[Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2ea82cdd-f2e8-4500-af75-67a2e084ca74) |Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. |DeployIfNotExists, Disabled |[6.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Linux_DINE.json) | +|[Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F050a90d5-7cce-483f-8f6c-0df462036dda) |Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. 
|DeployIfNotExists, Disabled |[4.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VMSS_Linux_DINE.json) | |[Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F56a3e4f8-649b-4fac-887e-5564d11e8d3a) |Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). |DeployIfNotExists, Disabled |[3.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VMSS_DINE.json) | |[Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F59c3d93f-900b-4827-a8bd-562e7b956e7c) |Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). 
|DeployIfNotExists, Disabled |[3.5.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VMSS_UAI_DINE.json) | -|[Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58e891b9-ce13-4ac3-86e4-ac3e1f20cb07) |Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. |DeployIfNotExists, Disabled |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VM_Linux_DINE.json) | +|[Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58e891b9-ce13-4ac3-86e4-ac3e1f20cb07) |Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. 
|DeployIfNotExists, Disabled |[4.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VM_Linux_DINE.json) | |[Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4034bc6-ae50-406d-bf76-50f4ee5a7811) |Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). |DeployIfNotExists, Disabled |[3.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VM_DINE.json) | |[Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fae8a10e6-19d6-44a3-a02d-a2bdfc707742) |Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). |DeployIfNotExists, Disabled |[3.5.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VM_UAI_DINE.json) | |[Configure Log Analytics extension on Azure Arc enabled Linux servers. 
See deprecation notice below](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9d2b61b4-1d14-4a63-be30-d4498e7ad2cf) |Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - [https://aka.ms/vminsightsdocs](https://aka.ms/vminsightsdocs). Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date |DeployIfNotExists, Disabled |[2.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsExtension_Linux_HybridVM_DINE.json) | |[Configure Log Analytics extension on Azure Arc enabled Windows servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69af7d4a-7b18-4044-93a9-2651498ef203) |Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - [https://aka.ms/vminsightsdocs](https://aka.ms/vminsightsdocs). Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. 
|DeployIfNotExists, Disabled |[2.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsExtension_Windows_HybridVM_DINE.json) | |[Configure Log Analytics workspace and automation account to centralize logs and monitoring](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8e3e61b3-0b32-22d5-4edf-55f87fdb5955) |Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. The automation account is aprerequisite for solutions like Updates and Change Tracking. |DeployIfNotExists, AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsWorkspaces_DefaultWorkspace_DINE.json) | -|[Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc24c537f-2516-4c2f-aac5-2cd26baa3d26) |Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. |DeployIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Arc_Windows_DINE.json) | -|[Configure Windows Arc-enabled machines to run Azure Monitor Agent](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F94f686d6-9a24-4e19-91f1-de937dc171a4) |Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. 
This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). |DeployIfNotExists, Disabled |[2.3.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_HybridVM_DINE.json) | -|[Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feab1f514-22e3-42e3-9a1f-e1dc9199355c) |Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. |DeployIfNotExists, Disabled |[4.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Windows_DINE.json) | -|[Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a3b9bf4-d30e-424a-af6b-9a93f6f78792) |Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. 
|DeployIfNotExists, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VMSS_Windows_DINE.json) | -|[Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff) |Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). |DeployIfNotExists, Disabled |[3.3.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VMSS_DINE.json) | +|[Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc24c537f-2516-4c2f-aac5-2cd26baa3d26) |Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. 
|DeployIfNotExists, Disabled |[2.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Arc_Windows_DINE.json) | +|[Configure Windows Arc-enabled machines to run Azure Monitor Agent](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F94f686d6-9a24-4e19-91f1-de937dc171a4) |Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). |DeployIfNotExists, Disabled |[2.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_HybridVM_DINE.json) | +|[Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feab1f514-22e3-42e3-9a1f-e1dc9199355c) |Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. 
|DeployIfNotExists, Disabled |[4.3.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Windows_DINE.json) | +|[Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a3b9bf4-d30e-424a-af6b-9a93f6f78792) |Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. |DeployIfNotExists, Disabled |[3.3.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VMSS_Windows_DINE.json) | +|[Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff) |Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). 
|DeployIfNotExists, Disabled |[3.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VMSS_DINE.json) | |[Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F98569e20-8f32-4f31-bf34-0e91590ae9d3) |Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). |DeployIfNotExists, Disabled |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VMSS_UAI_DINE.json) | -|[Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F244efd75-0d92-453c-b9a3-7d73ca36ed52) |Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. 
|DeployIfNotExists, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VM_Windows_DINE.json) | -|[Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca817e41-e85a-4783-bc7f-dc532d36235e) |Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). |DeployIfNotExists, Disabled |[4.3.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VM_DINE.json) | +|[Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F244efd75-0d92-453c-b9a3-7d73ca36ed52) |Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. 
|DeployIfNotExists, Disabled |[3.3.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VM_Windows_DINE.json) | +|[Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca817e41-e85a-4783-bc7f-dc532d36235e) |Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). |DeployIfNotExists, Disabled |[4.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VM_DINE.json) | |[Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F637125fd-7c39-4b94-bb0a-d331faf333a9) |Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). 
|DeployIfNotExists, Disabled |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VM_UAI_DINE.json) | |[Dependency agent should be enabled for listed virtual machine images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F11ac78e3-31bc-4f0c-8434-37ab963cea07) |Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_Audit.json) | |[Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe2dd799a-a932-4e9d-ac17-d473bc3c6c10) |Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_VMSS_Audit.json) | 
@@ -229,7 +229,7 @@ ms.custom: generated |[The Log Analytics extension should be installed on Virtual Machine Scale Sets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fefbde977-ba53-4479-b8e9-10b957924fbf) |This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VMSS_LogAnalyticsAgent_AINE.json) | |[Virtual machines should be connected to a specified workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff47b5582-33ec-4c5c-87c0-b010a6b2e917) |Reports virtual machines as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. |AuditIfNotExists, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_WorkspaceMismatch_VM_Audit.json) | |[Virtual machines should have the Log Analytics extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa70ca396-0a34-413a-88e1-b956c1e683be) |This policy audits any Windows/Linux virtual machines if the Log Analytics extension is not installed. 
|AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VirtualMachines_LogAnalyticsAgent_AINE.json) | -|[Windows Arc-enabled machines should have Azure Monitor Agent installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fec621e21-8b48-403d-a549-fc9023d4747f) |Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). |AuditIfNotExists, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_HybridVM_Audit.json) | -|[Windows virtual machine scale sets should have Azure Monitor Agent installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3672e6f7-a74d-4763-b138-fcf332042f8f) |Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). 
|AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VMSS_Audit.json) | -|[Windows virtual machines should have Azure Monitor Agent installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc02729e5-e5e7-4458-97fa-2b5ad0661f28) |Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VM_Audit.json) | +|[Windows Arc-enabled machines should have Azure Monitor Agent installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fec621e21-8b48-403d-a549-fc9023d4747f) |Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). 
|AuditIfNotExists, Disabled |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_HybridVM_Audit.json) | +|[Windows virtual machine scale sets should have Azure Monitor Agent installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3672e6f7-a74d-4763-b138-fcf332042f8f) |Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). |AuditIfNotExists, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VMSS_Audit.json) | +|[Windows virtual machines should have Azure Monitor Agent installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc02729e5-e5e7-4458-97fa-2b5ad0661f28) |Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). 
|AuditIfNotExists, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VM_Audit.json) | |[Workbooks should be saved to storage accounts that you control](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6fc8115b-2008-441f-8c61-9b722c1e537f) |With bring your own storage (BYOS), your workbooks are uploaded into a storage account that you control. That means you control the encryption-at-rest policy, the lifetime management policy, and network access. You will, however, be responsible for the costs associated with that storage account. For more information, visit [https://aka.ms/workbooksByos](https://aka.ms/workbooksByos) |deny, Deny, audit, Audit, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Workbooks_BYOSEnabled_Audit.json) | diff --git a/includes/policy/reference/bycat/policies-network.md b/includes/policy/reference/bycat/policies-network.md index e8982d2227627..0e8e65fd5a7df 100644 --- a/includes/policy/reference/bycat/policies-network.md +++ b/includes/policy/reference/bycat/policies-network.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-portal.md b/includes/policy/reference/bycat/policies-portal.md index d01d305f4e17d..53a764dc244cc 100644 --- a/includes/policy/reference/bycat/policies-portal.md +++ b/includes/policy/reference/bycat/policies-portal.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/reference/bycat/policies-resilience.md b/includes/policy/reference/bycat/policies-resilience.md index 40a406ac31fac..892362abf6cdd 100644 --- a/includes/policy/reference/bycat/policies-resilience.md +++ b/includes/policy/reference/bycat/policies-resilience.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-search.md b/includes/policy/reference/bycat/policies-search.md index 5c95f438c7067..9c1c50d34adb8 100644 --- a/includes/policy/reference/bycat/policies-search.md +++ b/includes/policy/reference/bycat/policies-search.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-security-center---granular-pricing.md b/includes/policy/reference/bycat/policies-security-center---granular-pricing.md index 00a7caf95e5b7..e9e193c3cac33 100644 --- a/includes/policy/reference/bycat/policies-security-center---granular-pricing.md +++ b/includes/policy/reference/bycat/policies-security-center---granular-pricing.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-security-center.md b/includes/policy/reference/bycat/policies-security-center.md index b0971e84c3227..bd32d90564df9 100644 --- a/includes/policy/reference/bycat/policies-security-center.md +++ b/includes/policy/reference/bycat/policies-security-center.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
@@ -81,10 +81,8 @@ ms.custom: generated |[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd38668f5-d155-42c7-ab3d-9b57b50f8fbf) |Audit PostgreSQL flexible servers without Advanced Data Security |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/PostgreSQL_FlexibleServers_DefenderForSQL_Audit.json) | |[Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F090c7b07-b4ed-4561-ad20-e9075f3ccaff) |Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. 
|AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_AzureContainerRegistryVulnerabilityAssessment_Audit.json) | -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. 
|Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | |[Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17f4b1cc-c55c-4d94-b1f9-2978f6ac2957) |Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_K8sRuningImagesVulnerabilityAssessmentBasedOnMDVM_Audit.json) | -|[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. 
|AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | |[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) | |[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) | |[Cloud Services (extended support) role instances should be configured securely](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa0c11ca4-5828-4384-a2f2-fd7444dd5b4d) |Protect your Cloud Service (extended support) role instances from attacks by ensuring they are not expolosed to any OS vulnerabilities. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_CsesOSVulnerabilities_Audit.json) | diff --git a/includes/policy/reference/bycat/policies-service-bus.md b/includes/policy/reference/bycat/policies-service-bus.md index c8d9fc0d6e2ab..68408454bd687 100644 --- a/includes/policy/reference/bycat/policies-service-bus.md +++ b/includes/policy/reference/bycat/policies-service-bus.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-service-fabric.md b/includes/policy/reference/bycat/policies-service-fabric.md index 5430228a3af00..2d183344e81b8 100644 --- a/includes/policy/reference/bycat/policies-service-fabric.md +++ b/includes/policy/reference/bycat/policies-service-fabric.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-signalr.md b/includes/policy/reference/bycat/policies-signalr.md index dd056c3ab51ad..c855599d54d59 100644 --- a/includes/policy/reference/bycat/policies-signalr.md +++ b/includes/policy/reference/bycat/policies-signalr.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-site-recovery.md b/includes/policy/reference/bycat/policies-site-recovery.md index 1d7f00d56992c..6e5c82f769255 100644 --- a/includes/policy/reference/bycat/policies-site-recovery.md +++ b/includes/policy/reference/bycat/policies-site-recovery.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-sql-managed-instance.md b/includes/policy/reference/bycat/policies-sql-managed-instance.md index 959be47637b6f..56337b5e16043 100644 --- a/includes/policy/reference/bycat/policies-sql-managed-instance.md +++ b/includes/policy/reference/bycat/policies-sql-managed-instance.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-sql-server.md b/includes/policy/reference/bycat/policies-sql-server.md index 2ddcd5172da22..ba3dd818ad26c 100644 --- a/includes/policy/reference/bycat/policies-sql-server.md +++ b/includes/policy/reference/bycat/policies-sql-server.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-sql.md b/includes/policy/reference/bycat/policies-sql.md index b6b7a0ac37f09..ee1ba08f1d8ff 100644 --- a/includes/policy/reference/bycat/policies-sql.md +++ b/includes/policy/reference/bycat/policies-sql.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-stack-hci.md b/includes/policy/reference/bycat/policies-stack-hci.md index 03959a7e9b2c9..96a6ace06a2a4 100644 --- a/includes/policy/reference/bycat/policies-stack-hci.md +++ b/includes/policy/reference/bycat/policies-stack-hci.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-storage.md b/includes/policy/reference/bycat/policies-storage.md index adea12d8a7f5e..9dfa0eccc2886 100644 --- a/includes/policy/reference/bycat/policies-storage.md +++ b/includes/policy/reference/bycat/policies-storage.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-stream-analytics.md b/includes/policy/reference/bycat/policies-stream-analytics.md index a889127ebbe23..bf4e9a1846d25 100644 --- a/includes/policy/reference/bycat/policies-stream-analytics.md +++ b/includes/policy/reference/bycat/policies-stream-analytics.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-synapse.md b/includes/policy/reference/bycat/policies-synapse.md index 751ca826fbce8..04c8b84e9b970 100644 --- a/includes/policy/reference/bycat/policies-synapse.md +++ b/includes/policy/reference/bycat/policies-synapse.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-system-policy.md b/includes/policy/reference/bycat/policies-system-policy.md index 07227f9fe4c19..0be50f538dc20 100644 --- a/includes/policy/reference/bycat/policies-system-policy.md +++ b/includes/policy/reference/bycat/policies-system-policy.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-tags.md b/includes/policy/reference/bycat/policies-tags.md index 9c1f2c7c50834..2a4d6eab69968 100644 --- a/includes/policy/reference/bycat/policies-tags.md +++ b/includes/policy/reference/bycat/policies-tags.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-trusted-launch.md b/includes/policy/reference/bycat/policies-trusted-launch.md new file mode 100644 index 0000000000000..4866569479ae0 --- /dev/null +++ b/includes/policy/reference/bycat/policies-trusted-launch.md @@ -0,0 +1,13 @@ +--- +author: davidsmatlak +ms.service: azure-policy +ms.topic: include +ms.date: 03/18/2024 +ms.author: davidsmatlak +ms.custom: generated +--- + +|Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | +|---|---|---|---| +|[Disks and OS image should support TrustedLaunch](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb03bb370-5249-4ea4-9fce-2552e87e45fa) |TrustedLaunch improves security of a Virtual Machine which requires OS Disk & OS Image to support it (Gen 2). To learn more about TrustedLaunch, visit [https://aka.ms/trustedlaunch](https://aka.ms/trustedlaunch) |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Trusted%20Launch/Disks_and_OS_Should_Support_TrustedLaunch.json) | +|[Virtual Machine should have TrustedLaunch enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc95b54ad-0614-4633-ab29-104b01235cbf) |Enable TrustedLaunch on Virtual Machine for enhanced security, use VM SKU (Gen 2) that supports TrustedLaunch. To learn more about TrustedLaunch, visit [https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch](../../../../articles/virtual-machines/trusted-launch.md) |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Trusted%20Launch/VirtualMachine_Should_Have_TrustedLaunch%20enabled.json) | diff --git a/includes/policy/reference/bycat/policies-virtualenclaves.md b/includes/policy/reference/bycat/policies-virtualenclaves.md index 9dc245a9fdcb3..ee149bfe970c8 100644 --- a/includes/policy/reference/bycat/policies-virtualenclaves.md +++ b/includes/policy/reference/bycat/policies-virtualenclaves.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/reference/bycat/policies-vm-image-builder.md b/includes/policy/reference/bycat/policies-vm-image-builder.md index 04312a8d9a294..2557679358ee4 100644 --- a/includes/policy/reference/bycat/policies-vm-image-builder.md +++ b/includes/policy/reference/bycat/policies-vm-image-builder.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policies-web-pubsub.md b/includes/policy/reference/bycat/policies-web-pubsub.md index c671d9a44f031..7b6293336fa41 100644 --- a/includes/policy/reference/bycat/policies-web-pubsub.md +++ b/includes/policy/reference/bycat/policies-web-pubsub.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policysets-automanage.md b/includes/policy/reference/bycat/policysets-automanage.md index e9e1181abe31a..8dcf2552f0732 100644 --- a/includes/policy/reference/bycat/policysets-automanage.md +++ b/includes/policy/reference/bycat/policysets-automanage.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policysets-changetrackingandinventory.md b/includes/policy/reference/bycat/policysets-changetrackingandinventory.md index dfb2c915c87f2..fb01ada994c76 100644 --- a/includes/policy/reference/bycat/policysets-changetrackingandinventory.md +++ b/includes/policy/reference/bycat/policysets-changetrackingandinventory.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/reference/bycat/policysets-cosmos-db.md b/includes/policy/reference/bycat/policysets-cosmos-db.md index a923b10d4f8b5..855d9a5679262 100644 --- a/includes/policy/reference/bycat/policysets-cosmos-db.md +++ b/includes/policy/reference/bycat/policysets-cosmos-db.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policysets-general.md b/includes/policy/reference/bycat/policysets-general.md index c580bb500e828..12909565d4e89 100644 --- a/includes/policy/reference/bycat/policysets-general.md +++ b/includes/policy/reference/bycat/policysets-general.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policysets-guest-configuration.md b/includes/policy/reference/bycat/policysets-guest-configuration.md index d16b32fc89645..b15b3d9742f6c 100644 --- a/includes/policy/reference/bycat/policysets-guest-configuration.md +++ b/includes/policy/reference/bycat/policysets-guest-configuration.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policysets-kubernetes.md b/includes/policy/reference/bycat/policysets-kubernetes.md index c52e67ced7d75..3d364efab3d19 100644 --- a/includes/policy/reference/bycat/policysets-kubernetes.md +++ b/includes/policy/reference/bycat/policysets-kubernetes.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/reference/bycat/policysets-managed-identity.md b/includes/policy/reference/bycat/policysets-managed-identity.md index 717c44afac95c..9ac3ca164e3a3 100644 --- a/includes/policy/reference/bycat/policysets-managed-identity.md +++ b/includes/policy/reference/bycat/policysets-managed-identity.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policysets-monitoring.md b/includes/policy/reference/bycat/policysets-monitoring.md index f423d6ac908a4..fb20f9654e9ac 100644 --- a/includes/policy/reference/bycat/policysets-monitoring.md +++ b/includes/policy/reference/bycat/policysets-monitoring.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policysets-network.md b/includes/policy/reference/bycat/policysets-network.md index 2bb7f1439b521..7ebe08060e480 100644 --- a/includes/policy/reference/bycat/policysets-network.md +++ b/includes/policy/reference/bycat/policysets-network.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policysets-regulatory-compliance.md b/includes/policy/reference/bycat/policysets-regulatory-compliance.md index 702fa36d2b43c..09c530c8f650f 100644 --- a/includes/policy/reference/bycat/policysets-regulatory-compliance.md +++ b/includes/policy/reference/bycat/policysets-regulatory-compliance.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
@@ -10,10 +10,10 @@ ms.custom: generated |Name |Description |Policies |Version | |---|---|---|---| |[\[Preview\]: Australian Government ISM PROTECTED](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/IRAP_Audit.json) |This initiative includes policies that address a subset of Australian Government Information Security Manual (ISM) controls. Additional policies will be added in upcoming releases. For more information, visit [https://aka.ms/auism-initiative](https://aka.ms/auism-initiative). |54 |8.2.2-preview | -|[\[Preview\]: CMMC 2.0 Level 2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/CMMC_2_0_L2.json) |This initiative includes policies that address a subset of CMMC 2.0 Level 2 practices. Additional policies will be added in upcoming releases. For more information, visit [https://aka.ms/cmmc2l2-initiative](https://aka.ms/cmmc2l2-initiative). |249 |2.8.0-preview | +|[\[Preview\]: CMMC 2.0 Level 2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/CMMC_2_0_L2.json) |This initiative includes policies that address a subset of CMMC 2.0 Level 2 practices. Additional policies will be added in upcoming releases. For more information, visit [https://aka.ms/cmmc2l2-initiative](https://aka.ms/cmmc2l2-initiative). |248 |2.9.0-preview | |[\[Preview\]: Motion Picture Association of America (MPAA)](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/Media_audit.json) |This initiative includes audit and virtual machine extension deployment policies that address a subset of Motion Picture Association of America (MPAA) security and guidelines controls. Additional policies will be added in upcoming releases. For more information, visit [https://aka.ms/mpaa-init](https://aka.ms/mpaa-init). 
|36 |4.1.0-preview | -|[\[Preview\]: Reserve Bank of India - IT Framework for Banks](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/RBI_ITF_Banks_v2016.json) |This initiative includes policies that address a subset of Reserve Bank of India IT Framework for Banks controls. Additional policies will be added in upcoming releases. For more information, visit [https://aka.ms/rbiitfbanks-initiative](https://aka.ms/rbiitfbanks-initiative). |174 |1.8.0-preview | -|[\[Preview\]: Reserve Bank of India - IT Framework for NBFC](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/RBI_ITF_NBFC_v2017.json) |This initiative includes policies that address a subset of Reserve Bank of India IT Framework for Non-Banking Financial Companies (NBFC) controls. Additional policies will be added in upcoming releases. For more information, visit [https://aka.ms/rbiitfnbfc-initiative](https://aka.ms/rbiitfnbfc-initiative). |136 |2.7.0-preview | +|[\[Preview\]: Reserve Bank of India - IT Framework for Banks](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/RBI_ITF_Banks_v2016.json) |This initiative includes policies that address a subset of Reserve Bank of India IT Framework for Banks controls. Additional policies will be added in upcoming releases. For more information, visit [https://aka.ms/rbiitfbanks-initiative](https://aka.ms/rbiitfbanks-initiative). |172 |1.9.0-preview | +|[\[Preview\]: Reserve Bank of India - IT Framework for NBFC](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/RBI_ITF_NBFC_v2017.json) |This initiative includes policies that address a subset of Reserve Bank of India IT Framework for Non-Banking Financial Companies (NBFC) controls. Additional policies will be added in upcoming releases. 
For more information, visit [https://aka.ms/rbiitfnbfc-initiative](https://aka.ms/rbiitfnbfc-initiative). |134 |2.8.0-preview | |[\[Preview\]: Sovereignty Baseline - Confidential Policies](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/MCfS_Sovereignty_Baseline_Confidential_Policies.json) |The Microsoft Cloud for Sovereignty recommends confidential policies to help organizations achieve their sovereignty goals by default denying the creation of resources outside of approved regions, denying resources that are not backed by Azure Confidential Computing, and denying data storage resources that are not using Customer-Managed Keys. More details can be found here: [https://aka.ms/SovereigntyBaselinePolicies](https://aka.ms/SovereigntyBaselinePolicies) |17 |1.0.0-preview | |[\[Preview\]: Sovereignty Baseline - Global Policies](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/MCfS_Sovereignty_Baseline_Global_Policies.json) |The Microsoft Cloud for Sovereignty recommends global policies to help organizations achieve their sovereignty goals by default denying the creation of resources outside of approved regions. More details can be found here: [https://aka.ms/SovereigntyBaselinePolicies](https://aka.ms/SovereigntyBaselinePolicies) |3 |1.0.0-preview | |[\[Preview\]: SWIFT CSP-CSCF v2020](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/SWIFTv2020_audit.json) |This initiative includes audit and virtual machine extension deployment policies that address a subset of SWIFT CSP-CSCF v2020 controls. Additional policies will be added in upcoming releases. For more information, visit [https://aka.ms/swift2020-init](https://aka.ms/swift2020-init). |59 |6.1.0-preview | 
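Review bot: in the policysets-regulatory-compliance.md hunk `@@ -10,10 +10,10 @@`, three preview initiatives lose policies with only a minor version step and nothing in the PR says which definitions went: CMMC 2.0 Level 2 drops from 249 to 248 (2.8.0-preview to 2.9.0-preview), Reserve Bank of India IT Framework for Banks from 174 to 172 (1.8.0-preview to 1.9.0-preview), and Reserve Bank of India IT Framework for NBFC from 136 to 134 (2.7.0-preview to 2.8.0-preview). Because this include is generated (`ms.custom: generated`) the table cannot carry that detail itself, so the PR description should link the upstream azure-policy commit or name the retired policy definitions; readers assigning these initiatives need to know which controls lost coverage. At minimum, confirm the new counts against the linked CMMC_2_0_L2.json, RBI_ITF_Banks_v2016.json and RBI_ITF_NBFC_v2017.json at the new versions before merging.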
@@ -24,21 +24,19 @@ ms.custom: generated |[CIS Microsoft Azure Foundations Benchmark v1.3.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/CISv1_3_0.json) |The Center for Internet Security (CIS) is a nonprofit entity whose mission is to 'identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.' CIS benchmarks are configuration baselines and best practices for securely configuring a system. These policies address a subset of CIS Microsoft Azure Foundations Benchmark v1.3.0 controls. For more information, visit [https://aka.ms/cisazure130-initiative](https://aka.ms/cisazure130-initiative) |176 |8.6.0 | |[CIS Microsoft Azure Foundations Benchmark v1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/CISv1_4_0.json) |The Center for Internet Security (CIS) is a nonprofit entity whose mission is to 'identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.' CIS benchmarks are configuration baselines and best practices for securely configuring a system. These policies address a subset of CIS Microsoft Azure Foundations Benchmark v1.4.0 controls. For more information, visit [https://aka.ms/cisazure140-initiative](https://aka.ms/cisazure140-initiative) |175 |1.7.0 | |[CIS Microsoft Azure Foundations Benchmark v2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/CISv2_0_0.json) |The Center for Internet Security (CIS) is a nonprofit entity whose mission is to 'identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.' CIS benchmarks are configuration baselines and best practices for securely configuring a system. These policies address a subset of CIS Microsoft Azure Foundations Benchmark v2.0.0 controls. 
For more information, visit [https://aka.ms/cisazure200-initiative](https://aka.ms/cisazure200-initiative) |211 |1.1.0 | -|[CMMC Level 3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/CMMC_L3.json) |This initiative includes policies that address a subset of Cybersecurity Maturity Model Certification (CMMC) Level 3 requirements. Additional policies will be added in upcoming releases. For more information, visit [https://aka.ms/cmmc-initiative](https://aka.ms/cmmc-initiative). |164 |11.4.0 | -|[FedRAMP High](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/FedRAMP_H_audit.json) |FedRAMP is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based products and services. FedRAMP defines a set of controls for Low, Moderate, or High security impact level systems based on NIST baseline controls. These policies address a subset of FedRAMP (High) controls. For more information, visit [https://docs.microsoft.com/azure/compliance/offerings/offering-fedramp](/azure/compliance/offerings/offering-fedramp) |734 |17.9.0 | -|[FedRAMP Moderate](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/FedRAMP_M_audit.json) |FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based products and services. FedRAMP defines a set of controls for Low, Moderate, or High security impact level systems based on NIST baseline controls. These policies address a subset of FedRAMP (Moderate) controls. Additional policies will be added in upcoming releases. 
For more information, visit [https://www.fedramp.gov/documents-templates/](https://www.fedramp.gov/documents-templates/) |665 |17.8.0 | +|[CMMC Level 3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/CMMC_L3.json) |This initiative includes policies that address a subset of Cybersecurity Maturity Model Certification (CMMC) Level 3 requirements. Additional policies will be added in upcoming releases. For more information, visit [https://aka.ms/cmmc-initiative](https://aka.ms/cmmc-initiative). |163 |11.5.0 | +|[FedRAMP High](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/FedRAMP_H_audit.json) |FedRAMP is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based products and services. FedRAMP defines a set of controls for Low, Moderate, or High security impact level systems based on NIST baseline controls. These policies address a subset of FedRAMP (High) controls. For more information, visit [https://docs.microsoft.com/azure/compliance/offerings/offering-fedramp](/azure/compliance/offerings/offering-fedramp) |733 |17.10.0 | +|[FedRAMP Moderate](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/FedRAMP_M_audit.json) |FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based products and services. FedRAMP defines a set of controls for Low, Moderate, or High security impact level systems based on NIST baseline controls. These policies address a subset of FedRAMP (Moderate) controls. Additional policies will be added in upcoming releases. 
For more information, visit [https://www.fedramp.gov/documents-templates/](https://www.fedramp.gov/documents-templates/) |664 |17.9.0 | |[HITRUST/HIPAA](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/HIPAA_HITRUST_audit.json) |Health Information Trust Alliance (HITRUST) helps organizations from all sectors-but especially healthcare-effectively manage data, information risk, and compliance. HITRUST certification means that the organization has undergone a thorough assessment of the information security program. These policies address a subset of HITRUST controls. For more information, visit [https://docs.microsoft.com/azure/governance/policy/samples/hipaa-hitrust-9-2](../../../../articles/governance/policy/samples/hipaa-hitrust-9-2.md) |610 |14.3.0 | |[IRS1075 September 2016](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/IRS1075_audit.json) |This initiative includes policies that address a subset of IRS1075 September 2016 controls. Additional policies will be added in upcoming releases. For more information, visit [https://aka.ms/irs1075-init](https://aka.ms/irs1075-init). |60 |8.1.0 | |[ISO 27001:2013](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/ISO27001_2013_audit.json) |The International Organization for Standardization (ISO) 27001 standard provides requirements for establishing, implementing, maintaining, and continuously improving an Information Security Management System (ISMS). These policies address a subset of ISO 27001:2013 controls. Additional policies will be added in upcoming releases. 
For more information, visit [https://aka.ms/iso27001-init](https://aka.ms/iso27001-init) |460 |8.1.0 | -|[New Zealand ISM Restricted](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/nz_ism.json) |This initiative includes policies that address a subset of New Zealand Information Security Manual controls. Additional policies will be added in upcoming releases. For more information, visit [https://aka.ms/nzism-initiative](https://aka.ms/nzism-initiative). |127 |11.6.2-deprecated | -|[New Zealand ISM Restricted v3.5](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/NZ_ISM_Restricted_v3_5.json) |This initiative includes policies that address a subset of New Zealand Information Security Manual v3.5 controls. Additional policies will be added in upcoming releases. For more information, visit [https://aka.ms/nzism-initiative](https://aka.ms/nzism-initiative). |164 |2.8.1-deprecated | -|[NIST SP 800-171 Rev. 2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/NIST_SP_800-171_R2.json) |The US National Institute of Standards and Technology (NIST) promotes and maintains measurement standards and guidelines to help protect the information and information systems of federal agencies. In response to Executive Order 13556 on managing controlled unclassified information (CUI), it published NIST SP 800-171. These policies address a subset of NIST SP 800-171 Rev. 2 controls. For more information, visit [https://docs.microsoft.com/azure/compliance/offerings/offering-nist-800-171](/azure/compliance/offerings/offering-nist-800-171) |464 |15.8.0 | -|[NIST SP 800-53 Rev. 
4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/NIST_SP_800-53_R4.json) |National Institute of Standards and Technology (NIST) SP 800-53 R4 provides a standardized approach for assessing, monitoring and authorizing cloud computing products and services to manage information security risk.These policies address a subset of NIST SP 800-53 R4 controls. Additional policies will be added in upcoming releases. For more information, visit [https://aka.ms/nist800-53r4-initiative](https://aka.ms/nist800-53r4-initiative) |735 |17.8.0 | -|[NIST SP 800-53 Rev. 5](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/NIST_SP_800-53_R5.json) |National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 provides a standardized approach for assessing, monitoring and authorizing cloud computing products and services to manage information security risk. These policies address a subset of NIST SP 800-53 R5 controls. Additional policies will be added in upcoming releases. For more information, visit [https://aka.ms/nist800-53r5-initiative](https://aka.ms/nist800-53r5-initiative) |720 |14.8.0 | -|[NL BIO Cloud Theme](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/NL_BIO_Cloud_Theme.json) |This initiative includes policies that address the Dutch Baseline Informatiebeveiliging (BIO) controls specifically for the 'thema-uitwerking Clouddiensten' and include policies covered under the SOC2 and ISO 27001:2013 controls. |249 |1.1.1 | +|[NIST SP 800-171 Rev. 2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/NIST_SP_800-171_R2.json) |The US National Institute of Standards and Technology (NIST) promotes and maintains measurement standards and guidelines to help protect the information and information systems of federal agencies. 
In response to Executive Order 13556 on managing controlled unclassified information (CUI), it published NIST SP 800-171. These policies address a subset of NIST SP 800-171 Rev. 2 controls. For more information, visit [https://docs.microsoft.com/azure/compliance/offerings/offering-nist-800-171](/azure/compliance/offerings/offering-nist-800-171) |463 |15.9.0 | +|[NIST SP 800-53 Rev. 4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/NIST_SP_800-53_R4.json) |National Institute of Standards and Technology (NIST) SP 800-53 R4 provides a standardized approach for assessing, monitoring and authorizing cloud computing products and services to manage information security risk.These policies address a subset of NIST SP 800-53 R4 controls. Additional policies will be added in upcoming releases. For more information, visit [https://aka.ms/nist800-53r4-initiative](https://aka.ms/nist800-53r4-initiative) |734 |17.9.0 | +|[NIST SP 800-53 Rev. 5](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/NIST_SP_800-53_R5.json) |National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 provides a standardized approach for assessing, monitoring and authorizing cloud computing products and services to manage information security risk. These policies address a subset of NIST SP 800-53 R5 controls. Additional policies will be added in upcoming releases. 
For more information, visit [https://aka.ms/nist800-53r5-initiative](https://aka.ms/nist800-53r5-initiative) |719 |14.9.0 | +|[NL BIO Cloud Theme](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/NL_BIO_Cloud_Theme.json) |This initiative includes policies that address the Dutch Baseline Informatiebeveiliging (BIO) controls specifically for the 'thema-uitwerking Clouddiensten' and include policies covered under the SOC2 and ISO 27001:2013 controls. |247 |1.2.0 | |[PCI DSS v4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/PCI_DSS_V4.0.json) |The Payment Card Industry (PCI) Data Security Standards (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. Compliance with PCI DSS is required for any organization that stores, processes, or transmits payment and cardholder data. These policies address a subset of PCI-DSS v4 controls. For more information, visit [https://docs.microsoft.com/azure/governance/policy/samples/pci-dss-3-2-1](../../../../articles/governance/policy/samples/pci-dss-3-2-1.md) |277 |1.1.0 | |[PCI v3.2.1:2018](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/PCIv3_2_1_2018_audit.json) |This initiative includes policies that address a subset of PCI v3.2.1:2018 controls. Additional policies will be added in upcoming releases. For more information, visit [https://aka.ms/pciv321-init](https://aka.ms/pciv321-init). |36 |6.1.0 | -|[RMIT Malaysia](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/RMIT_Malaysia.json) |This initiative includes policies that address a subset of RMIT requirements. Additional policies will be added in upcoming releases. For more information, visit aka.ms/rmit-initiative. 
|209 |9.6.0 | +|[RMIT Malaysia](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/RMIT_Malaysia.json) |This initiative includes policies that address a subset of RMIT requirements. Additional policies will be added in upcoming releases. For more information, visit aka.ms/rmit-initiative. |208 |9.7.0 | |[SOC 2 Type 2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/SOC_2.json) |A System and Organization Controls (SOC) 2 is a report based on the Trust Service Principles and Criteria established by the American Institute of Certified Public Accountants (AICPA). The Report evaluates an organization's information system relevant to the following principles: security, availability, processing integrity, confidentiality and privacy. These policies address a subset of SOC 2 Type 2 controls. For more information, visit [https://docs.microsoft.com/azure/compliance/offerings/offering-soc-2](/azure/compliance/offerings/offering-soc-2) |319 |1.6.0 | |[SWIFT CSP-CSCF v2022](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/SWIFT_CSP-CSCF_v2022.json) |SWIFT's Customer Security Programme (CSP) helps financial institutions ensure their defences against cyberattacks are up to date and effective, to protect the integrity of the wider financial network. Users compare the security measures they have implemented with those detailed in the Customer Security Controls Framework (CSCF). These policies address a subset of SWIFT controls. 
For more information, visit [https://docs.microsoft.com/azure/governance/policy/samples/swift-cscf-v2021](../../../../articles/governance/policy/samples/swift-cscf-v2021.md) |343 |2.3.0 | |[UK OFFICIAL and UK NHS](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/ukofficial_audit.json) |This initiative includes audit and virtual machine extension deployment policies that address a subset of UK OFFICIAL and UK NHS controls. Additional policies will be added in upcoming releases. For more information, visit [https://aka.ms/ukofficial-init](https://aka.ms/ukofficial-init) and [https://aka.ms/uknhs-init](https://aka.ms/uknhs-init). |57 |9.1.0 | diff --git a/includes/policy/reference/bycat/policysets-resilience.md b/includes/policy/reference/bycat/policysets-resilience.md index 5bc33e56610d8..7829360a0fbae 100644 --- a/includes/policy/reference/bycat/policysets-resilience.md +++ b/includes/policy/reference/bycat/policysets-resilience.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policysets-sdn.md b/includes/policy/reference/bycat/policysets-sdn.md index 06610dda0fd4d..46da85e8ffb33 100644 --- a/includes/policy/reference/bycat/policysets-sdn.md +++ b/includes/policy/reference/bycat/policysets-sdn.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policysets-security-center.md b/includes/policy/reference/bycat/policysets-security-center.md index 7c60bcd932245..d4479c1464122 100644 --- a/includes/policy/reference/bycat/policysets-security-center.md +++ b/includes/policy/reference/bycat/policysets-security-center.md 
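Review bot: in the policysets-regulatory-compliance.md hunk `@@ -24,21 +24,19 @@`, the two deprecated New Zealand initiatives (`New Zealand ISM Restricted`, 11.6.2-deprecated, and `New Zealand ISM Restricted v3.5`, 2.8.1-deprecated) are dropped from the table outright rather than kept with their `-deprecated` suffix, so anyone still holding an assignment of either has no reference entry left and no pointer to a successor; if the upstream definitions were deleted, say so in the PR, and any samples article under articles/governance/policy/samples/ that still links nz_ism.json or NZ_ISM_Restricted_v3_5.json needs the same treatment. Separately, CMMC Level 3, FedRAMP High, FedRAMP Moderate, NIST SP 800-171 Rev. 2, NIST SP 800-53 Rev. 4, NIST SP 800-53 Rev. 5 and RMIT Malaysia each lose exactly one policy (NL BIO Cloud Theme loses two), which reads like one shared definition being retired across the set; the PR description should name it. Pre-existing and unchanged here, but worth fixing upstream in the definition descriptions this text is generated from: the PCI DSS v4 row still sends readers to pci-dss-3-2-1.md and the SWIFT CSP-CSCF v2022 row to swift-cscf-v2021.md.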
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
@@ -17,4 +17,4 @@ ms.custom: generated |[Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Security%20Center/MDC_MDE_WDATP_Settings_DINE.json) |Configure the multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP, WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW, WDATP_UNIFIED_SOLUTION etc.). See: [https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint](../../../../articles/defender-for-cloud/integration-defender-for-endpoint.md) for more information. |3 |1.0.0 | |[Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a LA workspace](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Security%20Center/MDC_DfSQL_AMA_DefaultWorkspace.json) |Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule and Log Analytics workspace in the same region as the machine. |9 |1.2.1 | |[Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Security%20Center/MDC_DfSQL_AMA_UserWorkspace.json) |Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. 
|8 |1.1.1 | -|[Microsoft cloud security benchmark](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Security%20Center/AzureSecurityCenter.json) |The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see [https://aka.ms/azsecbm](https://aka.ms/azsecbm). This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud. |244 |57.33.0 | +|[Microsoft cloud security benchmark](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Security%20Center/AzureSecurityCenter.json) |The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see [https://aka.ms/azsecbm](https://aka.ms/azsecbm). This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud. |242 |57.35.0 | diff --git a/includes/policy/reference/bycat/policysets-sql.md b/includes/policy/reference/bycat/policysets-sql.md index 379d4f257da76..1d7abd901f941 100644 --- a/includes/policy/reference/bycat/policysets-sql.md +++ b/includes/policy/reference/bycat/policysets-sql.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policysets-synapse.md b/includes/policy/reference/bycat/policysets-synapse.md index d19a12108a73b..98a472dc21e17 100644 --- a/includes/policy/reference/bycat/policysets-synapse.md +++ b/includes/policy/reference/bycat/policysets-synapse.md 
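Review bot: in the policysets-security-center.md hunk `@@ -17,4 +17,4 @@`, the Microsoft cloud security benchmark initiative goes from 244 policies at 57.33.0 to 242 at 57.35.0, so one intermediate release (57.34.0) was never reflected in this reference and two policies disappeared from an initiative the row itself describes as the Microsoft Defender for Cloud default policy initiative. Removing policies from that initiative changes the compliance results shown to everyone who relies on the default, so the PR should name the two definitions or link the upstream AzureSecurityCenter.json change rather than leaving a bare count change.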
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policysets-tags.md b/includes/policy/reference/bycat/policysets-tags.md index ff28bc355bce2..92fa56fa0dce0 100644 --- a/includes/policy/reference/bycat/policysets-tags.md +++ b/includes/policy/reference/bycat/policysets-tags.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policysets-trusted-launch.md b/includes/policy/reference/bycat/policysets-trusted-launch.md index 2d7631b702497..363006698c53f 100644 --- a/includes/policy/reference/bycat/policysets-trusted-launch.md +++ b/includes/policy/reference/bycat/policysets-trusted-launch.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/bycat/policysets-virtualenclaves.md b/includes/policy/reference/bycat/policysets-virtualenclaves.md index 13f872849f8f8..fde90b8bf450c 100644 --- a/includes/policy/reference/bycat/policysets-virtualenclaves.md +++ b/includes/policy/reference/bycat/policysets-virtualenclaves.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/identity.userassignedidentities.md b/includes/policy/reference/byrp/identity.userassignedidentities.md index 2bf1489ad0a80..5f67b5a37d2c5 100644 --- a/includes/policy/reference/byrp/identity.userassignedidentities.md +++ b/includes/policy/reference/byrp/identity.userassignedidentities.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.aad.md b/includes/policy/reference/byrp/microsoft.aad.md index d070f15a59730..6abed4656df80 100644 --- a/includes/policy/reference/byrp/microsoft.aad.md +++ b/includes/policy/reference/byrp/microsoft.aad.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.aadiam.md b/includes/policy/reference/byrp/microsoft.aadiam.md index ae1d87533d24a..87d0f1547e7c1 100644 --- a/includes/policy/reference/byrp/microsoft.aadiam.md +++ b/includes/policy/reference/byrp/microsoft.aadiam.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.agfoodplatform.md b/includes/policy/reference/byrp/microsoft.agfoodplatform.md index abefbde14f94e..3bfdf7ad4c016 100644 --- a/includes/policy/reference/byrp/microsoft.agfoodplatform.md +++ b/includes/policy/reference/byrp/microsoft.agfoodplatform.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.apimanagement.md b/includes/policy/reference/byrp/microsoft.apimanagement.md index f55feb3ba6eab..995e18f73b8f4 100644 --- a/includes/policy/reference/byrp/microsoft.apimanagement.md +++ b/includes/policy/reference/byrp/microsoft.apimanagement.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/reference/byrp/microsoft.app.md b/includes/policy/reference/byrp/microsoft.app.md index 8ca257de464e5..ecfede45ae3eb 100644 --- a/includes/policy/reference/byrp/microsoft.app.md +++ b/includes/policy/reference/byrp/microsoft.app.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.appconfiguration.md b/includes/policy/reference/byrp/microsoft.appconfiguration.md index bb8b1206f2f4f..e23ee061c0db1 100644 --- a/includes/policy/reference/byrp/microsoft.appconfiguration.md +++ b/includes/policy/reference/byrp/microsoft.appconfiguration.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.appplatform.md b/includes/policy/reference/byrp/microsoft.appplatform.md index afac21bc56234..4a35102a6d2ff 100644 --- a/includes/policy/reference/byrp/microsoft.appplatform.md +++ b/includes/policy/reference/byrp/microsoft.appplatform.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.attestation.md b/includes/policy/reference/byrp/microsoft.attestation.md index 45747fd56a1b7..f7175dbbe8e46 100644 --- a/includes/policy/reference/byrp/microsoft.attestation.md +++ b/includes/policy/reference/byrp/microsoft.attestation.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/reference/byrp/microsoft.authorization.md b/includes/policy/reference/byrp/microsoft.authorization.md index 873972ed1c798..a3c682e3f4f88 100644 --- a/includes/policy/reference/byrp/microsoft.authorization.md +++ b/includes/policy/reference/byrp/microsoft.authorization.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.automanage.md b/includes/policy/reference/byrp/microsoft.automanage.md index 66ec5724caaef..2d8b5a2f47ed7 100644 --- a/includes/policy/reference/byrp/microsoft.automanage.md +++ b/includes/policy/reference/byrp/microsoft.automanage.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.automation.md b/includes/policy/reference/byrp/microsoft.automation.md index 2fdd76f206e13..30e69caa16535 100644 --- a/includes/policy/reference/byrp/microsoft.automation.md +++ b/includes/policy/reference/byrp/microsoft.automation.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.avs.md b/includes/policy/reference/byrp/microsoft.avs.md index 805030608cf09..f46372df0d635 100644 --- a/includes/policy/reference/byrp/microsoft.avs.md +++ b/includes/policy/reference/byrp/microsoft.avs.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.azurearcdata.md b/includes/policy/reference/byrp/microsoft.azurearcdata.md index 7d3f3d152513e..7805d119a283c 100644 
--- a/includes/policy/reference/byrp/microsoft.azurearcdata.md +++ b/includes/policy/reference/byrp/microsoft.azurearcdata.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.azurestackhci.md b/includes/policy/reference/byrp/microsoft.azurestackhci.md index a67236024edb8..bd6a1bb0ae1e4 100644 --- a/includes/policy/reference/byrp/microsoft.azurestackhci.md +++ b/includes/policy/reference/byrp/microsoft.azurestackhci.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.batch.md b/includes/policy/reference/byrp/microsoft.batch.md index 59c895a35335e..cf5dbdac1143f 100644 --- a/includes/policy/reference/byrp/microsoft.batch.md +++ b/includes/policy/reference/byrp/microsoft.batch.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.botservice.md b/includes/policy/reference/byrp/microsoft.botservice.md index 8fbf761aa126a..07930741e1cf5 100644 --- a/includes/policy/reference/byrp/microsoft.botservice.md +++ b/includes/policy/reference/byrp/microsoft.botservice.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.cache.md b/includes/policy/reference/byrp/microsoft.cache.md index a24a1c8a078e7..4c7a8b7107385 100644 --- a/includes/policy/reference/byrp/microsoft.cache.md +++ b/includes/policy/reference/byrp/microsoft.cache.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
@@ -13,6 +13,7 @@ ms.custom: generated |[\[Preview\]: Azure Cache for Redis should be Zone Redundant](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1bf67da8-b100-45bf-b89d-e4669fc54411) |Azure Cache for Redis can be configured to be Zone Redundant or not. Azure Cache for Redis instances with fewer than 2 entries in their zones array are not Zone Redundant. This policy identifies Azure Cache for Redis instances lacking the redundancy needed to withstand a zone outage. |Audit, Deny, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Resilience/Cache_Redis_ZoneRedundant_Audit.json) | |[Azure Cache for Redis should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F470baccb-7e51-4549-8b1a-3e5be069f663) |Disabling public network access improves security by ensuring that the Azure Cache for Redis isn't exposed on the public internet. You can limit exposure of your Azure Cache for Redis by creating private endpoints instead. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../../articles/azure-cache-for-redis/cache-private-link.md). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PublicNetworkAccess_AuditDeny.json) | |[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](../../../../articles/azure-cache-for-redis/cache-private-link.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AINE.json) | +|[Configure Azure Cache for Redis to disable non SSL ports](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F766f5de3-c6c0-4327-9f4d-042ab8ae846c) |Enable SSL only connections to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Modify, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_EnableNonSSLPort_Modify.json) | |[Configure Azure Cache for Redis to disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F30b3dfa5-a70d-4c8e-bed6-0083858f663d) |Disable public network access for your Azure Cache for Redis resource so that it's not accessible over the public internet. This helps protect the cache against data leakage risks. 
|Modify, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PublicNetworkAccess_Modify.json) | |[Configure Azure Cache for Redis with private endpoints](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5d8094d7-7340-465a-b6fd-e60ab7e48920) |Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis resources, you can reduce data leakage risks. Learn more at: [https://aka.ms/redis/privateendpoint](https://aka.ms/redis/privateendpoint). |DeployIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_DINE.json) | |[Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa142867f-3142-4ac6-b952-ab950a29fca5) |Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Cache for Redis (microsoft.cache/redis). |DeployIfNotExists, AuditIfNotExists, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagSettings_eventHub_cache-redis_DINE.json) | diff --git a/includes/policy/reference/byrp/microsoft.cdn.md b/includes/policy/reference/byrp/microsoft.cdn.md index 2eb8e817b8bbe..349db810f816e 100644 --- a/includes/policy/reference/byrp/microsoft.cdn.md +++ b/includes/policy/reference/byrp/microsoft.cdn.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.classiccompute.md b/includes/policy/reference/byrp/microsoft.classiccompute.md index 0b677902d6ab0..1e95b3af538d0 100644 --- a/includes/policy/reference/byrp/microsoft.classiccompute.md +++ b/includes/policy/reference/byrp/microsoft.classiccompute.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.classicstorage.md b/includes/policy/reference/byrp/microsoft.classicstorage.md index 37a75516f4855..7134372acea8f 100644 --- a/includes/policy/reference/byrp/microsoft.classicstorage.md +++ b/includes/policy/reference/byrp/microsoft.classicstorage.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.cloudpartnerprogram.md b/includes/policy/reference/byrp/microsoft.cloudpartnerprogram.md index 93da81568d1da..566e25f3885bb 100644 --- a/includes/policy/reference/byrp/microsoft.cloudpartnerprogram.md +++ b/includes/policy/reference/byrp/microsoft.cloudpartnerprogram.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.cognitiveservices.md b/includes/policy/reference/byrp/microsoft.cognitiveservices.md index 3e152daef8cc7..bea7b249c4f64 100644 --- a/includes/policy/reference/byrp/microsoft.cognitiveservices.md +++ b/includes/policy/reference/byrp/microsoft.cognitiveservices.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- @@ -10,7 +10,7 @@ ms.custom: generated |Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | |---|---|---|---| |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. 
This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Cognitive Services accounts should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks. |Audit, Deny, Disabled |[3.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Audit.json) | |[Cognitive Services accounts should enable data encryption with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67121cc7-ff39-4ab8-b7e3-95b84dab487d) |Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at [https://go.microsoft.com/fwlink/?linkid=2121321](https://go.microsoft.com/fwlink/?linkid=2121321). 
|Audit, Deny, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CustomerManagedKey_Audit.json) | |[Cognitive Services accounts should use a managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffe3fd216-4f83-4fc1-8984-2bbec80a3418) |Assigning a managed identity to your Cognitive Service account helps ensure secure authentication. This identity is used by this Cognitive service account to communicate with other Azure services, like Azure Key Vault, in a secure way without you having to manage any credentials. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/ManagedIdentity_Audit.json) | 
@@ -19,6 +19,7 @@ ms.custom: generated |[Configure Cognitive Services accounts to disable local authentication methods](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F14de9e63-1b31-492e-a5a3-c3f7fd57f555) |Disable local authentication methods so that your Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/cs/auth](https://aka.ms/cs/auth). |Modify, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisableLocalAuth_Modify.json) | |[Configure Cognitive Services accounts to disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47ba1dd7-28d9-4b07-a8d5-9813bed64e0c) |Disable public network access for your Cognitive Services resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |Disabled, Modify |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/DisablePublicNetworkAccess_Modify.json) | |[Configure Cognitive Services accounts with private endpoints](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdb630ad5-52e9-4f4d-9c44-53912fe40053) |Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage. 
Learn more about private links at: [https://go.microsoft.com/fwlink/?linkid=2129800](https://go.microsoft.com/fwlink/?linkid=2129800). |DeployIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/EnablePrivateEndpoints_DINE.json) | +|[Diagnostic logs in Azure AI services resources should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b4d1c4e-934c-4703-944c-27c82c06bebb) |Enable logs for Azure AI services resources. This enables you to recreate activity trails for investigation purposes, when a security incident occurs or your network is compromised |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DiagnosticLogs_Audit.json) | |[Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0628b917-d4b4-4af5-bc2b-b4f87cd173ab) |Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Cognitive Services (microsoft.cognitiveservices/accounts). 
|DeployIfNotExists, AuditIfNotExists, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagSettings_eventHub_cognitiveservices-accounts_DINE.json) | |[Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Log Analytics](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F55d1f543-d1b0-4811-9663-d6d0dbc6326d) |Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Cognitive Services (microsoft.cognitiveservices/accounts). |DeployIfNotExists, AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagSettings_logAnalytics_cognitiveservices-accounts_DINE.json) | |[Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Storage](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F14e81583-c89c-47db-af0d-f9ddddcccd9f) |Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Cognitive Services (microsoft.cognitiveservices/accounts). |DeployIfNotExists, AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagSettings_storage_cognitiveservices-accounts_DINE.json) | 
diff --git a/includes/policy/reference/byrp/microsoft.compute.md b/includes/policy/reference/byrp/microsoft.compute.md index 96b0b010a4cc0..5d8bf15bcfce1 100644 --- a/includes/policy/reference/byrp/microsoft.compute.md +++ b/includes/policy/reference/byrp/microsoft.compute.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
@@ -132,17 +132,17 @@ ms.custom: generated |[Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F09ce66bc-1220-4153-8104-e3f51c936913) |Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See [https://aka.ms/AzureVMCentralBackupExcludeTag](https://aka.ms/AzureVMCentralBackupExcludeTag). |auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |[9.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/VirtualMachineBackup_DINE.json) | |[Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac34a73f-9fa5-4067-9247-a3ecae514468) |Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit [https://aka.ms/asr-doc](https://aka.ms/asr-doc). 
|DeployIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachineReplication_AzureSiteRecovery_DINE.json) | |[Configure disk access resources with private endpoints](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F582bd7a6-a5f6-4dc6-b9dc-9cb81fe0d4c5) |Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to disk access resources, you can reduce data leakage risks. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |DeployIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_DINE.json) | -|[Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2ea82cdd-f2e8-4500-af75-67a2e084ca74) |Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. 
|DeployIfNotExists, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Linux_DINE.json) | +|[Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2ea82cdd-f2e8-4500-af75-67a2e084ca74) |Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. |DeployIfNotExists, Disabled |[6.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Linux_DINE.json) | |[Configure Linux Server to disable local users.](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcd22fc48-f2c9-4b86-98d3-ec1268b46a8a) |Creates a Guest Configuration assignment to configure disabling local users on Linux Server. This ensures that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. 
|DeployIfNotExists, Disabled |[1.3.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/AADDisableLocalAuth_Linux_DINE.json) | -|[Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F050a90d5-7cce-483f-8f6c-0df462036dda) |Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. |DeployIfNotExists, Disabled |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VMSS_Linux_DINE.json) | +|[Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F050a90d5-7cce-483f-8f6c-0df462036dda) |Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. 
|DeployIfNotExists, Disabled |[4.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VMSS_Linux_DINE.json) | |[Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F56a3e4f8-649b-4fac-887e-5564d11e8d3a) |Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). |DeployIfNotExists, Disabled |[3.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VMSS_DINE.json) | |[Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F59c3d93f-900b-4827-a8bd-562e7b956e7c) |Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). 
|DeployIfNotExists, Disabled |[3.5.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VMSS_UAI_DINE.json) | -|[Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58e891b9-ce13-4ac3-86e4-ac3e1f20cb07) |Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. |DeployIfNotExists, Disabled |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VM_Linux_DINE.json) | +|[Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58e891b9-ce13-4ac3-86e4-ac3e1f20cb07) |Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. 
|DeployIfNotExists, Disabled |[4.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VM_Linux_DINE.json) | |[Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4034bc6-ae50-406d-bf76-50f4ee5a7811) |Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). |DeployIfNotExists, Disabled |[3.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VM_DINE.json) | |[Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fae8a10e6-19d6-44a3-a02d-a2bdfc707742) |Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). 
|DeployIfNotExists, Disabled |[3.5.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VM_UAI_DINE.json) | |[Configure machines to receive a vulnerability assessment provider](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F13ce0167-8ca6-4048-8e6b-f996402e3c1b) |Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed. |DeployIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VulnerabilityAssessment_ProvisionQualysAgent_DINE.json) | |[Configure managed disks to disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8426280e-b5be-43d9-979e-653d12a08638) |Disable public network access for your managed disk resource so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). 
|Modify, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/AddDiskAccessToDisk_Modify.json) | -|[Configure periodic checking for missing system updates on azure virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F59efceea-0c96-497e-a4a1-4eb2290dac15) |Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: [https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,) for Linux: [https://aka.ms/computevm-linuxpatchassessmentmode](https://aka.ms/computevm-linuxpatchassessmentmode). |modify |[4.7.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_CRP_AutoAssessmentMode_Modify.json) | +|[Configure periodic checking for missing system updates on azure virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F59efceea-0c96-497e-a4a1-4eb2290dac15) |Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: [https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,) for Linux: [https://aka.ms/computevm-linuxpatchassessmentmode](https://aka.ms/computevm-linuxpatchassessmentmode). 
|modify |[4.8.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_CRP_AutoAssessmentMode_Modify.json) | |[Configure secure communication protocols(TLS 1.1 or TLS 1.2) on Windows machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F828ba269-bf7f-4082-83dd-633417bc391d) |Creates a Guest Configuration assignment to configure specified secure protocol version(TLS 1.1 or TLS 1.2) on Windows machine. |DeployIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/SetSecureProtocol_DINE.json) | |[Configure SQL Virtual Machines to automatically install Azure Monitor Agent](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff91991d1-5383-4c95-8ee5-5ac423dd8bb1) |Automate the deployment of Azure Monitor Agent extension on your Windows SQL Virtual Machines. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). |DeployIfNotExists, Disabled |[1.3.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_DfSQL_DeployWindowsAMA_VM.json) | |[Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce) |Configure Windows SQL Virtual Machines to automatically install the Microsoft Defender for SQL extension. Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). 
|DeployIfNotExists, Disabled |[1.3.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_DfSQL_DeployMicrosoftDefenderForSQLWindowsAgent_VM.json) | 
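Review bot: the re-added "Configure periodic checking for missing system updates on azure virtual machines" row (4.7.0 to 4.8.0) carries over a broken link: the Windows "Learn more" target is `https://aka.ms/computevm-windowspatchassessmentmode,` with the trailing comma inside both the link text and the URL, so the rendered link points at a URL that does not exist. Since this file is generated from the policy definition descriptions, the comma should be fixed in the upstream description text rather than patched here, but it is worth flagging so the next regeneration picks it up. The remaining changes in this hunk are version bumps only (4.1.0 to 4.2.0 for the two Linux Data Collection Rule association policies) with the row text otherwise unchanged.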
@@ -152,12 +152,12 @@ ms.custom: generated |[Configure time zone on Windows machines.](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6141c932-9384-44c6-a395-59e4c057d7c9) |This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines. |deployIfNotExists |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/SetWindowsTimeZone_DINE.json) | |[Configure virtual machines to be onboarded to Azure Automanage](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff889cab7-da27-4c41-a3b0-de1f6f87c550) |Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. |AuditIfNotExists, DeployIfNotExists, Disabled |[2.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automanage/Deployv2.json) | |[Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb025cfb4-3702-47c2-9110-87fe0cfcc99b) |Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage with your own customized Configuration Profile to your selected scope. 
|AuditIfNotExists, DeployIfNotExists, Disabled |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automanage/DeployUserCreatedProfile.json) | -|[Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feab1f514-22e3-42e3-9a1f-e1dc9199355c) |Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. |DeployIfNotExists, Disabled |[4.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Windows_DINE.json) | -|[Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a3b9bf4-d30e-424a-af6b-9a93f6f78792) |Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. 
|DeployIfNotExists, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VMSS_Windows_DINE.json) | -|[Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff) |Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). |DeployIfNotExists, Disabled |[3.3.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VMSS_DINE.json) | +|[Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feab1f514-22e3-42e3-9a1f-e1dc9199355c) |Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. 
|DeployIfNotExists, Disabled |[4.3.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Windows_DINE.json) | +|[Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a3b9bf4-d30e-424a-af6b-9a93f6f78792) |Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. |DeployIfNotExists, Disabled |[3.3.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VMSS_Windows_DINE.json) | +|[Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff) |Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). 
|DeployIfNotExists, Disabled |[3.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VMSS_DINE.json) | |[Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F98569e20-8f32-4f31-bf34-0e91590ae9d3) |Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). |DeployIfNotExists, Disabled |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VMSS_UAI_DINE.json) | -|[Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F244efd75-0d92-453c-b9a3-7d73ca36ed52) |Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. 
|DeployIfNotExists, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VM_Windows_DINE.json) | -|[Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca817e41-e85a-4783-bc7f-dc532d36235e) |Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). |DeployIfNotExists, Disabled |[4.3.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VM_DINE.json) | +|[Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F244efd75-0d92-453c-b9a3-7d73ca36ed52) |Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. 
|DeployIfNotExists, Disabled |[3.3.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VM_Windows_DINE.json) | +|[Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca817e41-e85a-4783-bc7f-dc532d36235e) |Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). |DeployIfNotExists, Disabled |[4.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VM_DINE.json) | |[Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F637125fd-7c39-4b94-bb0a-d331faf333a9) |Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). 
|DeployIfNotExists, Disabled |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VM_UAI_DINE.json) | |[Create and assign a built-in user-assigned managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F09963c90-6ee7-4215-8d26-1cc660a1682f) |Create and assign a built-in user-assigned managed identity at scale to SQL virtual machines. |AuditIfNotExists, DeployIfNotExists, Disabled |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_DfSQL_AddUserAssignedIdentity_VM.json) | |[Dependency agent should be enabled for listed virtual machine images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F11ac78e3-31bc-4f0c-8434-37ab963cea07) |Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_Audit.json) | 
@@ -178,6 +178,7 @@ ms.custom: generated |[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/DeployExtensionLinux_Prerequisite.json) | |[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|deployIfNotExists |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/DeployExtensionWindows_Prerequisite.json) | |[Disk access resources should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff39f5f49-4abf-44de-8c70-0756997bfb51) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced. Learn more about private links at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DiskAccesses_PrivateEndpoints_Audit.json) | +|[Disks and OS image should support TrustedLaunch](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb03bb370-5249-4ea4-9fce-2552e87e45fa) |TrustedLaunch improves security of a Virtual Machine which requires OS Disk & OS Image to support it (Gen 2). 
To learn more about TrustedLaunch, visit [https://aka.ms/trustedlaunch](https://aka.ms/trustedlaunch) |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Trusted%20Launch/Disks_and_OS_Should_Support_TrustedLaunch.json) | |[Endpoint protection health issues should be resolved on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2) |Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - [https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions](../../../../articles/security-center/security-center-services.md#supported-endpoint-protection-solutions). Endpoint protection assessment is documented here - [https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection](../../../../articles/security-center/security-center-endpoint-protection.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EndpointProtectionHealthIssues_Audit.json) | |[Endpoint protection should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f7c564c-0a90-4d44-b7e1-9d456cffaee8) |To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EndpointProtectionShouldBeInstalledOnYourMachines_Audit.json) | |[Endpoint protection solution should be installed on virtual machine scale sets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F26a828e1-e88f-464e-bbb3-c134a282b9de) |Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json) | 
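Review bot: the new "Disks and OS image should support TrustedLaunch" row has a hard line break inside its description cell, between "support it (Gen 2)." and "To learn more about TrustedLaunch, visit ...", which will split the markdown table row so the second half and the effect/version columns render as stray text under the table. Join the description into a single line (or have the generator strip newlines from policy descriptions) before merging. Note also that the row's only effects are `Audit, Disabled`, so assigning it surfaces Gen 1 disks and images that cannot support Trusted Launch without blocking their creation.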
@@ -195,7 +196,7 @@ ms.custom: generated |[Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4fe33eb-e377-4efb-ab31-0784311bc499) |This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVm.json) | |[Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa3a6ea0c-e018-4933-9ef0-5aaa1501449b) |Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVmss.json) | |[Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138) |Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. 
|AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_VMSS_Audit.json) | -|[Machines should be configured to periodically check for missing system updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) |To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: [https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,) for Linux: [https://aka.ms/computevm-linuxpatchassessmentmode](https://aka.ms/computevm-linuxpatchassessmentmode). |Audit, Deny, Disabled |[3.6.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json) | +|[Machines should be configured to periodically check for missing system updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) |To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: [https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,) for Linux: [https://aka.ms/computevm-linuxpatchassessmentmode](https://aka.ms/computevm-linuxpatchassessmentmode). 
|Audit, Deny, Disabled |[3.7.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json) | |[Machines should have secret findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3ac7c827-eea2-4bde-acc7-9568cd320efa) |Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerSecretAssessment_Audit.json) | |[Managed disks should be double encrypted with both platform-managed and customer-managed keys](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca91455f-eace-4f96-be59-e6e2c35b4816) |High security sensitive customers who are concerned of the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer using platform managed encryption keys. The disk encryption sets are required to use double encryption. Learn more at [https://aka.ms/disks-doubleEncryption](https://aka.ms/disks-doubleEncryption). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/DoubleEncryptionRequired_Deny.json) | |[Managed disks should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8405fdab-1faf-48aa-b702-999c9c172094) |Disabling public network access improves security by ensuring that a managed disk isn't exposed on the public internet. Creating private endpoints can limit exposure of managed disks. Learn more at: [https://aka.ms/disksprivatelinksdoc](https://aka.ms/disksprivatelinksdoc). |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/Disks_ExportLimitNetworkAccess_Audit.json) | 
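Review bot: the "Machines should be configured to periodically check for missing system updates" row (3.6.0 to 3.7.0) re-adds the same malformed Windows link seen earlier in this patch, `[https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,)`, with the comma as part of the URL. Same fix applies: correct the description at the policy definition source so the generated row comes out clean; the version bump itself is fine.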
@@ -220,6 +221,7 @@ ms.custom: generated |[The legacy Log Analytics extension should not be installed on virtual machine scale sets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba6881f9-ab93-498b-8bad-bb91b1d755bf) |Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Windows virtual machine scale sets. Learn more: [https://aka.ms/migratetoAMA](https://aka.ms/migratetoAMA) |Deny, Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsExtension_Windows_VMSS_Deny.json) | |[The legacy Log Analytics extension should not be installed on virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd2185817-5b7e-473c-aadd-9de6ac114280) |Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Windows virtual machines. 
Learn more: [https://aka.ms/migratetoAMA](https://aka.ms/migratetoAMA) |Deny, Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsExtension_Windows_VM_Deny.json) | |[The Log Analytics extension should be installed on Virtual Machine Scale Sets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fefbde977-ba53-4479-b8e9-10b957924fbf) |This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VMSS_LogAnalyticsAgent_AINE.json) | +|[Virtual Machine should have TrustedLaunch enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc95b54ad-0614-4633-ab29-104b01235cbf) |Enable TrustedLaunch on Virtual Machine for enhanced security, use VM SKU (Gen 2) that supports TrustedLaunch. To learn more about TrustedLaunch, visit [https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch](../../../../articles/virtual-machines/trusted-launch.md) |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Trusted%20Launch/VirtualMachine_Should_Have_TrustedLaunch%20enabled.json) | |[Virtual machines and virtual machine scale sets should have encryption at host enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc4d8e41-e223-45ea-9bf5-eada37891d87) |Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. 
Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk. Learn more at [https://aka.ms/vm-hbe](https://aka.ms/vm-hbe). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/HostBasedEncryptionRequired_Deny.json) | |[Virtual machines should be connected to a specified workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff47b5582-33ec-4c5c-87c0-b010a6b2e917) |Reports virtual machines as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. |AuditIfNotExists, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_WorkspaceMismatch_VM_Audit.json) | |[Virtual machines should be migrated to new Azure Resource Manager resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1d84d5fb-01f6-4d12-ba4f-4a26081d403d) |Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ClassicCompute_Audit.json) | 
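Review bot: In the added "Virtual Machine should have TrustedLaunch enabled" row, the link text is the absolute URL `https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch` while the target is the relative path `../../../../articles/virtual-machines/trusted-launch.md`, so the rendered text will not match where the link goes and it carries an `en-us` locale that no other row in this table uses; the neighbouring rows use aka.ms links whose text and target agree, so either make the display text match the target or use the same aka.ms style. The relative depth itself is correct for a file under `includes/policy/reference/byrp/`. Because the file is `ms.custom: generated`, two things should be confirmed against the upstream definition rather than hand-edited here: the policy path `Trusted%20Launch/VirtualMachine_Should_Have_TrustedLaunch%20enabled.json` contains a space in the file name, which no other definition path in this table has, and the description "Enable TrustedLaunch on Virtual Machine for enhanced security, use VM SKU (Gen 2) that supports TrustedLaunch" is a comma splice that needs fixing at the source. Readers should also be able to see from the effects column that this policy is `Audit, Disabled` only, so assigning it reports non-compliant VMs but does not block their creation.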
@@ -266,5 +268,5 @@ ms.custom: generated |[Windows machines should only have local accounts that are allowed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff79fef0d-0050-4c18-a303-5babb9c14ac7) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). This definition is not supported on Windows Server 2012 or 2012 R2. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/LocalUsers_Windows_AINE.json) | |[Windows machines should schedule Windows Defender to perform a scheduled scan every day](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3810e389-1d92-4f77-9267-33bdcf0bd225) |To ensure prompt detection of malware and minimize its impact on your system, it is recommended that Windows machines with Windows Defender schedule a daily scan. Please make sure Windows Defender is supported, preinstalled on the device, and Guest Configuration prerequisites are deployed. Failure to meet these requirements may lead to inaccurate evaluation results. Learn more about Guest Configuration at [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|AuditIfNotExists, Disabled |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/ACAT_WindowsDefenderScanScheduleDaily_AINE.json) | |[Windows machines should use the default NTP server](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2454bbee-dc19-442f-83fc-7f3114cafd91) |Setup the 'time.windows.com' as the default NTP Server for all Windows machines to ensure logs across all systems have system clocks that are all in sync. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/ACAT_%20InternetTimeDefaultNtpServer_AINE.json) | -|[Windows virtual machine scale sets should have Azure Monitor Agent installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3672e6f7-a74d-4763-b138-fcf332042f8f) |Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). 
|AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VMSS_Audit.json) | -|[Windows virtual machines should have Azure Monitor Agent installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc02729e5-e5e7-4458-97fa-2b5ad0661f28) |Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VM_Audit.json) | +|[Windows virtual machine scale sets should have Azure Monitor Agent installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3672e6f7-a74d-4763-b138-fcf332042f8f) |Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). 
|AuditIfNotExists, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VMSS_Audit.json) | +|[Windows virtual machines should have Azure Monitor Agent installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc02729e5-e5e7-4458-97fa-2b5ad0661f28) |Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). |AuditIfNotExists, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VM_Audit.json) | diff --git a/includes/policy/reference/byrp/microsoft.connectedvmwarevsphere.md b/includes/policy/reference/byrp/microsoft.connectedvmwarevsphere.md index 885c76d23350e..83abb21737f8a 100644 --- a/includes/policy/reference/byrp/microsoft.connectedvmwarevsphere.md +++ b/includes/policy/reference/byrp/microsoft.connectedvmwarevsphere.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.containerinstance.md b/includes/policy/reference/byrp/microsoft.containerinstance.md index 652a51ff9827f..f321eb6758cfa 100644 --- a/includes/policy/reference/byrp/microsoft.containerinstance.md +++ b/includes/policy/reference/byrp/microsoft.containerinstance.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/reference/byrp/microsoft.containerregistry.md b/includes/policy/reference/byrp/microsoft.containerregistry.md index e1dde6566c4bd..434cd4a727d2d 100644 --- a/includes/policy/reference/byrp/microsoft.containerregistry.md +++ b/includes/policy/reference/byrp/microsoft.containerregistry.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
@@ -12,7 +12,6 @@ ms.custom: generated |[\[Preview\]: Container Registry should be Zone Redundant](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9d2b0a20-57d6-474c-9d12-44a4a20999c6) |Container Registry can be configured to be Zone Redundant or not. When the zoneRedundancy property for a Container Registry is set to 'Disabled', it means the registry is not Zone Redundant. Enforcing this policy helps ensure that your Container Registry is appropriately configured for zone resilience, reducing the risk of downtime during zone outages. |Audit, Deny, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Resilience/ContainerRegistry_registries_ZoneRedundant_Audit.json) | |[\[Preview\]: Container Registry should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc4857be7-912a-4c75-87e6-e30292bcdf78) |This policy audits any Container Registry not configured to use a virtual network service endpoint. |Audit, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_ContainerRegistry_Audit.json) | |[Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F090c7b07-b4ed-4561-ad20-e9075f3ccaff) |Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. 
|AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_AzureContainerRegistryVulnerabilityAssessment_Audit.json) | -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |[Configure container registries to disable anonymous authentication.](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcced2946-b08a-44fe-9fd9-e4ed8a779897) |Disable anonymous pull for your registry so that data not accessible by unauthenticated user. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: [https://aka.ms/acr/authentication](https://aka.ms/acr/authentication). 
|Modify, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_AnonymousPullDisabled_Modify.json) | |[Configure container registries to disable ARM audience token authentication.](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F785596ed-054f-41bc-aaec-7f3d0ba05725) |Disable Azure Active Directory ARM audience tokens for authentication to your registry. Only Azure Container Registry (ACR) audience tokens will be used for authentication. This will ensure only tokens meant for usage on the registry can be used for authentication. Disabling ARM audience tokens does not affect admin user's or scoped access tokens' authentication. Learn more at: [https://aka.ms/acr/authentication](https://aka.ms/acr/authentication). |Modify, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_AADAuthenticationAsArmDisabled_Modify.json) | |[Configure container registries to disable local admin account.](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F79fdfe03-ffcb-4e55-b4d0-b925b8241759) |Disable admin account for your registry so that it is not accessible by local admin. Disabling local authentication methods like admin user, repository scoped access tokens and anonymous pull improves security by ensuring that container registries exclusively require Azure Active Directory identities for authentication. Learn more at: [https://aka.ms/acr/authentication](https://aka.ms/acr/authentication). |Modify, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_AdminAccountDisabled_Modify.json) | 
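Review bot: The "Azure registry container images should have vulnerabilities resolved (powered by Qualys)" row (definition `5f0f936f-2f01-4bf5-b6be-d423792fa562`, path `Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json`) is deleted outright with no deprecation marker, so please confirm the built-in was actually removed or deprecated in the azure-policy repo and that no other page in the docs still links to that definition id; otherwise customers with existing assignments of the Qualys definition will find a dangling reference. Leaving the MDVM-powered row (`090c7b07-b4ed-4561-ad20-e9075f3ccaff`, version 1.0.1) untouched is consistent with that being the replacement.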
diff --git a/includes/policy/reference/byrp/microsoft.containerservice.md b/includes/policy/reference/byrp/microsoft.containerservice.md index 74c98b951e266..4b04692cb29ec 100644 --- a/includes/policy/reference/byrp/microsoft.containerservice.md +++ b/includes/policy/reference/byrp/microsoft.containerservice.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
@@ -13,15 +13,15 @@ ms.custom: generated |[\[Preview\]: Azure Backup Extension should be installed in AKS clusters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffda9cd0b-094c-4cd5-ac2a-5e06e5277c45) |Ensure protection installation of backup extension in your AKS Clusters to leverage Azure Backup. Azure Backup for AKS is a secure and cloud native data protection solution for AKS clusters |AuditIfNotExists, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/Kubernetes_InstallAzureBackupExtension_Audit.json) | |[\[Preview\]: Azure Backup should be enabled for AKS clusters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0b0434ec-2bad-4229-965f-bb7ae5a71257) |Ensure protection of your AKS Clusters by enabling Azure Backup. Azure Backup for AKS is a secure and cloud native data protection solution for AKS clusters. |AuditIfNotExists, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/Kubernetes_EnableAzureBackup_Audit.json) | |[\[Preview\]: Azure Kubernetes Service Managed Clusters should be Zone Redundant](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2dec5f47-bc40-40d1-8c7d-a39d9d6808d1) |Azure Kubernetes Service Managed Clusters can be configured to be Zone Redundant or not. The policy checks the node pools in the cluster and ensures that avaialbilty zones are set for all the node pools. 
|Audit, Deny, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Resilience/ContainerService_managedclusters_ZoneRedundant_Audit.json) | -|[\[Preview\]: Cannot Edit Individual Nodes](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F53a4a537-990c-495a-92e0-7c21a465442c) |Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. |Audit, Deny, Disabled |[1.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/CannotEditIndividualNodes.json) | +|[\[Preview\]: Cannot Edit Individual Nodes](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F53a4a537-990c-495a-92e0-7c21a465442c) |Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks. |Audit, Deny, Disabled |[1.1.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/CannotEditIndividualNodes.json) | |[\[Preview\]: Deploy Image Integrity on Azure Kubernetes Service](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5dc99dae-cfb2-42cc-8762-9aae02b74e27) |Deploy both Image Integrity and Policy Add-Ons Azure Kubernetes clusters. 
For more info, visit [https://aka.ms/aks/image-integrity](https://aka.ms/aks/image-integrity) |DeployIfNotExists, Disabled |[1.0.5-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_ImageIntegrity_DINE.json) | |[\[Preview\]: Kubernetes cluster containers should only pull images when image pull secrets are present](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F12db3749-7e03-4b9f-b443-d37d3fb9f8d9) |Restrict containers' image pulls to enforce the presence of ImagePullSecrets, ensuring secure and authorized access to images within a Kubernetes cluster |Audit, Deny, Disabled |[1.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerRestrictedImagePulls.json) | -|[\[Preview\]: Kubernetes cluster services should use unique selectors](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb0fdedee-7b9e-4a17-9f5d-5e8e912d2f01) |Ensure that Services in a namespace have unique selectors. This policy relies on Gatekeeper data replication and syncs all ingress resources into OPA. Prior to applying this policy, please confirm that syncing ingress resources won't exceed your memory capacity. The policy parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. 
This policy is currently in preview for Kubernetes Service (AKS) |Audit, Deny, Disabled |[1.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/UniqueServiceSelectors.json) | -|[\[Preview\]: Kubernetes cluster should implement accurate Pod Disruption Budgets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d) |Prevents customers from applying bad Pod Disruption Budgets. This policy relies on Gatekeeper data replication, and all ingress resources scoped to this policy will be synced into OPA. Please verify that the ingresses resources being synced won't overwhelm your memory capacity prior to assigning this policy. The policy parameters will evaluate only certain namespaces, but all resources of that kind in all namespaces will get synced. This policy is in preview for Kubernetes Service (AKS). |Audit, Deny, Disabled |[1.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/DisallowedBadPodDisruptionBudgets.json) | +|[\[Preview\]: Kubernetes cluster services should use unique selectors](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb0fdedee-7b9e-4a17-9f5d-5e8e912d2f01) |Ensure Services in a Namespace Have Unique Selectors. A unique service selector ensures that each service within a namespace is uniquely identifiable based on specific criteria. This policy syncs ingress resources into OPA via Gatekeeper. Before applying, verify Gatekeeper pods memory capacity won't be exceeded. Parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. Currently in preview for Kubernetes Service (AKS). 
|Audit, Deny, Disabled |[1.1.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/UniqueServiceSelectors.json) | +|[\[Preview\]: Kubernetes cluster should implement accurate Pod Disruption Budgets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d) |Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS). |Audit, Deny, Disabled |[1.1.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/DisallowedBadPodDisruptionBudgets.json) | |[\[Preview\]: Kubernetes clusters should restrict creation of given resource type](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb81f454c-eebb-4e4f-9dfe-dca060e8a8fd) |Given Kubernetes resource type should not be deployed in certain namespace. |Audit, Deny, Disabled |[2.2.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockResource.json) | -|[\[Preview\]: Must Have Anti Affinity Rules Set](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34c88cd4-5d72-4dbb-bf77-12c3cafe8791) |Requires affinity rules to be set. 
|Audit, Deny, Disabled |[1.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/MustHaveAntiAffinityRulesSet.json) | -|[\[Preview\]: No AKS Specific Labels](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa22123bd-b9da-4c86-9424-24903e91fd55) |Prevents customers from applying AKS specific labels |Audit, Deny, Disabled |[1.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/NoAKSSpecificLabels.json) | -|[\[Preview\]: Reserved System Pool Taints](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F48940d92-ff05-449e-9111-e742d9280451) |Restricts the CriticalAddonsOnly taint to just the system pool |Audit, Deny, Disabled |[1.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReservedSystemPoolTaints.json) | +|[\[Preview\]: Must Have Anti Affinity Rules Set](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34c88cd4-5d72-4dbb-bf77-12c3cafe8791) |This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience. 
|Audit, Deny, Disabled |[1.1.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/MustHaveAntiAffinityRulesSet.json) | +|[\[Preview\]: No AKS Specific Labels](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa22123bd-b9da-4c86-9424-24903e91fd55) |Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels. |Audit, Deny, Disabled |[1.1.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/NoAKSSpecificLabels.json) | +|[\[Preview\]: Reserved System Pool Taints](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F48940d92-ff05-449e-9111-e742d9280451) |Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint. |Audit, Deny, Disabled |[1.1.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReservedSystemPoolTaints.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. 
|Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) | |[Azure Kubernetes Clusters should enable Container Storage Interface(CSI)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc5110b6e-5272-4989-9935-59ad06fdf341) |The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Azure Kubernetes Service. To learn more, [https://aka.ms/aks-csi-driver](https://aka.ms/aks-csi-driver) |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_CSI.json) | |[Azure Kubernetes Clusters should enable Key Management Service (KMS)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdbbdc317-9734-4dd8-9074-993b29c69008) |Use Key Management Service (KMS) to encrypt secret data at rest in etcd for Kubernetes cluster security. Learn more at: [https://aka.ms/aks/kmsetcdencryption](https://aka.ms/aks/kmsetcdencryption). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_EnableKMS.json) | 
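Review bot: The rewritten descriptions for "Kubernetes cluster services should use unique selectors" and "Kubernetes cluster should implement accurate Pod Disruption Budgets" both say the policy "syncs ingress resources into OPA", yet the first evaluates Services and the second Pod Disruption Budgets; the memory-capacity warning in both cells only makes sense for the resource kind that is really replicated by Gatekeeper, so check the upstream definitions' sync configuration and have the description name the right kind. Smaller points in the same hunk: "Ensure Services in a Namespace Have Unique Selectors." is title-cased mid-cell while the surrounding cells are sentence-cased, and the unchanged context row for "Azure Kubernetes Service Managed Clusters should be Zone Redundant" still reads "avaialbilty zones"; since this include is generated, both belong in the source policy definitions rather than in this file. The version bumps from 1.1.0-preview to 1.1.1-preview are consistent across all five rewritten rows.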
@@ -39,7 +39,6 @@ ms.custom: generated |[Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a15ec92-a229-4763-bb14-0ea34a568f8d) |Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AzurePolicyAddOn_Audit.json) | |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | |[Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17f4b1cc-c55c-4d94-b1f9-2978f6ac2957) |Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. 
Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_K8sRuningImagesVulnerabilityAssessmentBasedOnMDVM_Audit.json) | -|[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | |[Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7d7be79c-23ba-4033-84dd-45e2a5ccdd67) |Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards. 
|Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_CMK_Deny.json) | |[Configure Azure Kubernetes Service clusters to enable Defender profile](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F64def556-fbad-4622-930e-72d1d5589bf5) |Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.Defender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: [https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks](../../../../articles/defender-for-cloud/defender-for-containers-introduction.md). |DeployIfNotExists, Disabled |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_AKS_SecurityProfile_DINE.json) | |[Configure installation of Flux extension on Kubernetes cluster](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9175d5f-abc8-1dc3-bd3c-5d7476ada3d1) |Install Flux extension on Kubernetes cluster to enable deployment of 'fluxconfigurations' in the cluster |DeployIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/Deploy-GitOps-Flux2-Extension-to-Kubernetes-cluster_DINE.json) | 
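Review bot: the `@@ -39,7 +39,6 @@` hunk removes the `Azure running container images should have vulnerabilities resolved (powered by Qualys)` row (definition `0fc39691-5a3f-4e3e-94ee-2e6447309ad9`) without replacing it, so anyone auditing an existing assignment of that definition will no longer find it in this reference. The generated table has no way to mark a definition as retired; the article that includes this file should gain a sentence stating that the Qualys-based assessment has been superseded by the Microsoft Defender Vulnerability Management definition `17f4b1cc-c55c-4d94-b1f9-2978f6ac2957` that sits directly above it. While looking at that surviving row, its title says "running container images" but its first sentence says the assessment "scans your registry"; that mismatch lives in `MDC_K8sRuningImagesVulnerabilityAssessmentBasedOnMDVM_Audit.json` upstream and is worth a separate fix there.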
@@ -53,10 +52,10 @@ ms.custom: generated |[Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6f560f4-f582-4b67-b123-a37dcd1bf7ea) |Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires HTTPS user and key secrets stored in Key Vault. For instructions, visit [https://aka.ms/K8sGitOpsPolicy](https://aka.ms/K8sGitOpsPolicy). |auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/Deploy-GitOps-to-Kubernetes-cluster-HTTPS-secrets_DINE.json) | |[Configure Kubernetes clusters with specified GitOps configuration using no secrets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1d61c4d2-aef2-432b-87fc-7f96b019b7e1) |Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires no secrets. For instructions, visit [https://aka.ms/K8sGitOpsPolicy](https://aka.ms/K8sGitOpsPolicy). 
|auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/Deploy-GitOps-to-Kubernetes-cluster-no-secrets_DINE.json) | |[Configure Kubernetes clusters with specified GitOps configuration using SSH secrets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc050047b-b21b-4822-8a2d-c1e37c3c0c6a) |Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires a SSH private key secret in Key Vault. For instructions, visit [https://aka.ms/K8sGitOpsPolicy](https://aka.ms/K8sGitOpsPolicy). |auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/Deploy-GitOps-to-Kubernetes-cluster-SSH-secrets_DINE.json) | -|[Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F36a27de4-199b-40fb-b336-945a8475d6c5) |Ensure to improve cluster security by centrally govern Administrator access to Microsoft Entra ID integrated AKS clusters. 
|DeployIfNotExists, Disabled |[2.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AAD_AdminGroup_DINE.json) | +|[Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F36a27de4-199b-40fb-b336-945a8475d6c5) |Ensure to improve cluster security by centrally govern Administrator access to Microsoft Entra ID integrated AKS clusters. |DeployIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AAD_AdminGroup_DINE.json) | |[Configure Node OS Auto upgrade on Azure Kubernetes Cluster](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F40f1aee2-4db4-4b74-acb1-c6972e24cca8) |Use Node OS auto-upgrade to control node-level OS security updates of Azure Kubernetes Service (AKS) clusters. For more info, visit [https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-node-image](../../../../articles/aks/auto-upgrade-node-image.md). |DeployIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_Autoupgrade_NodeOS_DINE.json) | |[Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6c66c325-74c8-42fd-a286-a74b0e2939d8) |Deploys the diagnostic settings for Azure Kubernetes Service to stream resource logs to a Log Analytics workspace. 
|DeployIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/DataConnectorsAzureKubernetes_DINE.json) | -|[Deploy Azure Policy Add-on to Azure Kubernetes Service clusters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa8eff44f-8c92-45c3-a3fb-9880802d67a7) |Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see [https://aka.ms/akspolicydoc](https://aka.ms/akspolicydoc). |DeployIfNotExists, Disabled |[4.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AzurePolicyAddOn_DINE.json) | +|[Deploy Azure Policy Add-on to Azure Kubernetes Service clusters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa8eff44f-8c92-45c3-a3fb-9880802d67a7) |Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see [https://aka.ms/akspolicydoc](https://aka.ms/akspolicydoc). |DeployIfNotExists, Disabled |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AzurePolicyAddOn_DINE.json) | |[Deploy Image Cleaner on Azure Kubernetes Service](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7e49285c-4bed-4564-b26a-5225ccc311f3) |Deploy Image Cleaner on Azure Kubernetes clusters. 
For more info, visit [https://aka.ms/aks/image-cleaner](https://aka.ms/aks/image-cleaner) |DeployIfNotExists, Disabled |[1.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_ImageCleaner_DINE.json) | |[Deploy Planned Maintenance to schedule and control upgrades for your Azure Kubernetes Service (AKS) cluster](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1352e44-d34d-4e4d-a22e-451a15f759a1) |Planned Maintenance allows you to schedule weekly maintenance windows to perform updates and minimize workload impact. Once scheduled, upgrades occur only during the window you selected. Learn more at: [https://aka.ms/aks/planned-maintenance](https://aka.ms/aks/planned-maintenance) |DeployIfNotExists, AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_Maintenance_DINE.json) | |[Disable Command Invoke on Azure Kubernetes Service clusters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b708b0a-3380-40e9-8b79-821f9fa224cc) |Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster |DeployIfNotExists, Disabled |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_DisableRunCommand_DINE.json) | diff --git a/includes/policy/reference/byrp/microsoft.customproviders.md b/includes/policy/reference/byrp/microsoft.customproviders.md index c176114dd22ba..3ab3beba410c8 100644 --- a/includes/policy/reference/byrp/microsoft.customproviders.md +++ b/includes/policy/reference/byrp/microsoft.customproviders.md 
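Review bot: in the `@@ -53,10 +52,10 @@` hunk the two `DeployIfNotExists` definitions `36a27de4-199b-40fb-b336-945a8475d6c5` (2.0.4 to 2.1.0) and `a8eff44f-8c92-45c3-a3fb-9880802d67a7` (4.0.1 to 4.1.0) change version only; name, description and effects are reproduced verbatim on the `+` lines, so a reader gets no hint of what the minor versions changed, and the GitHub links point at `master`, which will keep moving. Because both policies push configuration onto clusters (Entra admin group access and the Azure Policy add-on), a pointer to the repository history for the two JSON files would help anyone deciding whether to re-evaluate an existing assignment. The `+` line for `36a27de4-...` also carries the pre-existing grammar problem unchanged ("Ensure to improve cluster security by centrally govern Administrator access"); since the text is regenerated from `AKS_AAD_AdminGroup_DINE.json`, that is the place to change it to something like "Improve cluster security by centrally governing administrator access to Microsoft Entra ID integrated AKS clusters".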
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.dashboard.md b/includes/policy/reference/byrp/microsoft.dashboard.md index 6c3db73ed3712..39744b6bde0aa 100644 --- a/includes/policy/reference/byrp/microsoft.dashboard.md +++ b/includes/policy/reference/byrp/microsoft.dashboard.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.databox.md b/includes/policy/reference/byrp/microsoft.databox.md index 716a11cf20651..263b75368ff1e 100644 --- a/includes/policy/reference/byrp/microsoft.databox.md +++ b/includes/policy/reference/byrp/microsoft.databox.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.databoxedge.md b/includes/policy/reference/byrp/microsoft.databoxedge.md index 363dc1beb6cd6..2678839a14249 100644 --- a/includes/policy/reference/byrp/microsoft.databoxedge.md +++ b/includes/policy/reference/byrp/microsoft.databoxedge.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.databricks.md b/includes/policy/reference/byrp/microsoft.databricks.md index d82b508cd0658..d9abc510d9104 100644 --- a/includes/policy/reference/byrp/microsoft.databricks.md +++ b/includes/policy/reference/byrp/microsoft.databricks.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/reference/byrp/microsoft.datafactory.data.md b/includes/policy/reference/byrp/microsoft.datafactory.data.md index f274be624a27b..094d74d0786e9 100644 --- a/includes/policy/reference/byrp/microsoft.datafactory.data.md +++ b/includes/policy/reference/byrp/microsoft.datafactory.data.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.datafactory.md b/includes/policy/reference/byrp/microsoft.datafactory.md index da8dd161facc9..5f0a2b1e9737b 100644 --- a/includes/policy/reference/byrp/microsoft.datafactory.md +++ b/includes/policy/reference/byrp/microsoft.datafactory.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.datalakeanalytics.md b/includes/policy/reference/byrp/microsoft.datalakeanalytics.md index 40152fde13111..8fdbe127834c7 100644 --- a/includes/policy/reference/byrp/microsoft.datalakeanalytics.md +++ b/includes/policy/reference/byrp/microsoft.datalakeanalytics.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.datalakestore.md b/includes/policy/reference/byrp/microsoft.datalakestore.md index a399999871dcf..6919a1bdbf6b4 100644 --- a/includes/policy/reference/byrp/microsoft.datalakestore.md +++ b/includes/policy/reference/byrp/microsoft.datalakestore.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/reference/byrp/microsoft.dataprotection.md b/includes/policy/reference/byrp/microsoft.dataprotection.md index a7c80566307a3..fce6ab71933e1 100644 --- a/includes/policy/reference/byrp/microsoft.dataprotection.md +++ b/includes/policy/reference/byrp/microsoft.dataprotection.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
@@ -12,6 +12,7 @@ ms.custom: generated |[\[Preview\]: Azure Backup should be enabled for AKS clusters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0b0434ec-2bad-4229-965f-bb7ae5a71257) |Ensure protection of your AKS Clusters by enabling Azure Backup. Azure Backup for AKS is a secure and cloud native data protection solution for AKS clusters. |AuditIfNotExists, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/Kubernetes_EnableAzureBackup_Audit.json) | |[\[Preview\]: Azure Backup should be enabled for Blobs in Storage Accounts](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4510daf9-5abc-4d7d-a11d-d84416b814f6) |Ensure protection of your Storage Accounts by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. |AuditIfNotExists, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/StorageAccountBlobs_EnableAzureBackup_Audit.json) | |[\[Preview\]: Azure Backup should be enabled for Managed Disks](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa25a41a7-a769-4271-841d-7ce0297be0c0) |Ensure protection of your Managed Disks by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure. |AuditIfNotExists, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/ManagedDisks_EnableAzureBackup_Audit.json) | +|[\[Preview\]: Azure Backup Vaults should use customer-managed keys for encrypting backup data. 
Also an option to enforce Infra Encryption.](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd6588149-9f06-462c-a076-56aece45b5ba) |This policy follows the 'effect' if Encryption Settings are enabled for Backup vaults in the scope. Additionally, option to check if Backup Vault also has Infrastructure Encryption enabled. Learn more at [https://aka.ms/az-backup-vault-encryption-at-rest-with-cmk](https://aka.ms/az-backup-vault-encryption-at-rest-with-cmk). Please note that when 'Deny' effect is used, it would need you to enable Encryption Settings on the existing Backup Vaults in order to allow other update operations on the vault go through. |Audit, Deny, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/AzBackupBackupVault_CMK_Audit.json) | |[\[Preview\]: Backup Vaults should be Zone Redundant](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4bd1f3c0-9443-49ad-b8bc-7c17a92b5924) |Backup Vaults can be configured to be Zone Redundant or not. Backup Vaults are Zone Redundant if it's storage settings type is set to 'ZoneRedundant' and they are considered to be resilient. Geo Redundant or Locally Redundant Backup Vaults are not considered resilient. Enforcing this policy helps ensure that Backup Vaults are appropriately configured for zone resilience, reducing the risk of downtime during zone outages. 
|Audit, Deny, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Resilience/DataProtection_BackupVaults_ZoneRedundant_Audit.json) | |[\[Preview\]: Disable Cross Subscription Restore for Backup Vaults](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4d479a11-f2b5-4f0a-bb1e-d2332aa95cda) |Disable or PermanentlyDisable Cross Subscription Restore for your Backup vault so that restore targets cannot be in different subscription from the vault subscription. Learn more at: [https://aka.ms/csrstatechange](https://aka.ms/csrstatechange). |Modify, Disabled |[1.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/Vaults_CrossSubscriptionRestore_Modify.json) | |[\[Preview\]: Immutability must be enabled for backup vaults](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2514263b-bc0d-4b06-ac3e-f262c0979018) |This policy audits if the immutable vaults property is enabled for Backup vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at [https://aka.ms/AB-ImmutableVaults](https://aka.ms/AB-ImmutableVaults). |Audit, Disabled |[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/Vaults_Immutability_Audit.json) | diff --git a/includes/policy/reference/byrp/microsoft.dbformariadb.md b/includes/policy/reference/byrp/microsoft.dbformariadb.md index 7ea78283fa475..93a0ffdf2232d 100644 --- a/includes/policy/reference/byrp/microsoft.dbformariadb.md +++ b/includes/policy/reference/byrp/microsoft.dbformariadb.md 
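Review bot: the added `[Preview]: Azure Backup Vaults should use customer-managed keys ...` row (definition `d6588149-9f06-462c-a076-56aece45b5ba`) buries an operational hazard in its last sentence: with the `Deny` effect, an existing Backup Vault without Encryption Settings is blocked from any other update until encryption is enabled. A reader scanning the Effect(s) column sees only `Audit, Deny, Disabled` and will miss that. Suggest the upstream description in `AzBackupBackupVault_CMK_Audit.json` lead with the constraint, and that the article wrapping this include recommend assigning with `Audit` first and switching to `Deny` only after the non-compliant vaults have been inventoried. The display name also contains a full stop and a second sentence ("Also an option to enforce Infra Encryption."), which renders as an awkward link label in the Name column; that too comes from the JSON and should be fixed there, for example by moving the infrastructure-encryption option into the description.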
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.dbformysql.md b/includes/policy/reference/byrp/microsoft.dbformysql.md index 15564a8d69db6..e4cd1bf40602f 100644 --- a/includes/policy/reference/byrp/microsoft.dbformysql.md +++ b/includes/policy/reference/byrp/microsoft.dbformysql.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.dbforpostgresql.md b/includes/policy/reference/byrp/microsoft.dbforpostgresql.md index 2f5e9c9d5808d..76f9493a59ca5 100644 --- a/includes/policy/reference/byrp/microsoft.dbforpostgresql.md +++ b/includes/policy/reference/byrp/microsoft.dbforpostgresql.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.desktopvirtualization.md b/includes/policy/reference/byrp/microsoft.desktopvirtualization.md index 3129bf12e3f6b..692e2d33837b5 100644 --- a/includes/policy/reference/byrp/microsoft.desktopvirtualization.md +++ b/includes/policy/reference/byrp/microsoft.desktopvirtualization.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.devcenter.md b/includes/policy/reference/byrp/microsoft.devcenter.md new file mode 100644 index 0000000000000..f11e502f6ff75 --- /dev/null +++ b/includes/policy/reference/byrp/microsoft.devcenter.md 
@@ -0,0 +1,12 @@ +--- +author: davidsmatlak +ms.service: azure-policy +ms.topic: include +ms.date: 03/18/2024 +ms.author: davidsmatlak +ms.custom: generated +--- + +|Name
(Azure portal) |Description |Effect(s) |Version
(GitHub) | +|---|---|---|---| +|[\[Preview\]: Microsoft Dev Box Pools should not use Microsoft Hosted Networks.](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fece3c79b-2caf-470d-a5f5-66470c4fc649) |Disallows the use of Microsoft Hosted Networks when creating Pool resources. |Audit, Deny, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/DevCenter/MicrosoftHostedNetworks_Audit.json) | diff --git a/includes/policy/reference/byrp/microsoft.devices.md b/includes/policy/reference/byrp/microsoft.devices.md index c4d0141bd469b..fa10b69ecb5ae 100644 --- a/includes/policy/reference/byrp/microsoft.devices.md +++ b/includes/policy/reference/byrp/microsoft.devices.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.deviceupdate.md b/includes/policy/reference/byrp/microsoft.deviceupdate.md index 78c60f4291bb6..a2c76f64c3b0c 100644 --- a/includes/policy/reference/byrp/microsoft.deviceupdate.md +++ b/includes/policy/reference/byrp/microsoft.deviceupdate.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.documentdb.md b/includes/policy/reference/byrp/microsoft.documentdb.md index 28c22b3a52a2f..66f3b6d650f1a 100644 --- a/includes/policy/reference/byrp/microsoft.documentdb.md +++ b/includes/policy/reference/byrp/microsoft.documentdb.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
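Review bot: the single row in the new `microsoft.devcenter.md` include (definition `ece3c79b-2caf-470d-a5f5-66470c4fc649`, `Audit, Deny, Disabled`) gives no rationale and no link: "Disallows the use of Microsoft Hosted Networks when creating Pool resources." is the entire description, whereas the other rows added in this patch end with a "Learn more at" pointer (the Backup and AKS rows above). Since the file is generated, the description in `MicrosoftHostedNetworks_Audit.json` upstream should state what the policy requires instead of a Microsoft Hosted Network, link to the Dev Box networking documentation, and say whether `Deny` applies only to Pool creation, as the text implies, or also to updates of existing Pools, which is what an operator needs to know before moving the assignment from `Audit` to `Deny`.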
diff --git a/includes/policy/reference/byrp/microsoft.edgeorder.md b/includes/policy/reference/byrp/microsoft.edgeorder.md index 01917bbb9e532..f50103e9d186d 100644 --- a/includes/policy/reference/byrp/microsoft.edgeorder.md +++ b/includes/policy/reference/byrp/microsoft.edgeorder.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.elasticsan.md b/includes/policy/reference/byrp/microsoft.elasticsan.md index ed773da75ff3f..cd14e0f2e3b94 100644 --- a/includes/policy/reference/byrp/microsoft.elasticsan.md +++ b/includes/policy/reference/byrp/microsoft.elasticsan.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.eventgrid.md b/includes/policy/reference/byrp/microsoft.eventgrid.md index 4c5a65ea8d603..c391de6dba0c3 100644 --- a/includes/policy/reference/byrp/microsoft.eventgrid.md +++ b/includes/policy/reference/byrp/microsoft.eventgrid.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.eventhub.md b/includes/policy/reference/byrp/microsoft.eventhub.md index 59cb13105d2eb..9d555039ada9c 100644 --- a/includes/policy/reference/byrp/microsoft.eventhub.md +++ b/includes/policy/reference/byrp/microsoft.eventhub.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.features.md b/includes/policy/reference/byrp/microsoft.features.md index 29bd2218b7a9a..181f7a704b50a 100644 
--- a/includes/policy/reference/byrp/microsoft.features.md +++ b/includes/policy/reference/byrp/microsoft.features.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.fluidrelay.md b/includes/policy/reference/byrp/microsoft.fluidrelay.md index 65d3c76cc02c7..ac354230cc5e6 100644 --- a/includes/policy/reference/byrp/microsoft.fluidrelay.md +++ b/includes/policy/reference/byrp/microsoft.fluidrelay.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.guestconfiguration.md b/includes/policy/reference/byrp/microsoft.guestconfiguration.md index 4ed4da8f07004..f880c9975b3f0 100644 --- a/includes/policy/reference/byrp/microsoft.guestconfiguration.md +++ b/includes/policy/reference/byrp/microsoft.guestconfiguration.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.hdinsight.md b/includes/policy/reference/byrp/microsoft.hdinsight.md index 38e22549a2a76..8ccd54c321194 100644 --- a/includes/policy/reference/byrp/microsoft.hdinsight.md +++ b/includes/policy/reference/byrp/microsoft.hdinsight.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.healthbot.md b/includes/policy/reference/byrp/microsoft.healthbot.md index e1df1f86ffb7b..1dac677afa120 100644 --- a/includes/policy/reference/byrp/microsoft.healthbot.md +++ b/includes/policy/reference/byrp/microsoft.healthbot.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.healthcareapis.md b/includes/policy/reference/byrp/microsoft.healthcareapis.md index 04bf18652dc65..23ddf656328fa 100644 --- a/includes/policy/reference/byrp/microsoft.healthcareapis.md +++ b/includes/policy/reference/byrp/microsoft.healthcareapis.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.hybridcompute.md b/includes/policy/reference/byrp/microsoft.hybridcompute.md index 658d970cb1828..917a4b1e9a00e 100644 --- a/includes/policy/reference/byrp/microsoft.hybridcompute.md +++ b/includes/policy/reference/byrp/microsoft.hybridcompute.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
@@ -90,9 +90,9 @@ ms.custom: generated |[Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08a4470f-b26d-428d-97f4-7e3e9c92b366) |Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - [https://aka.ms/vminsightsdocs](https://aka.ms/vminsightsdocs). |DeployIfNotExists, Disabled |[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Linux_HybridVM_Deploy_AMA.json) | |[Configure Dependency agent on Azure Arc enabled Windows servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91cb9edd-cd92-4d2f-b2f2-bdd8d065a3d4) |Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - [https://aka.ms/vminsightsdocs](https://aka.ms/vminsightsdocs). 
|DeployIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_HybridVM_DINE.json) | |[Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F84cfed75-dfd4-421b-93df-725b479d356a) |Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - [https://aka.ms/vminsightsdocs](https://aka.ms/vminsightsdocs). |DeployIfNotExists, Disabled |[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgentExtension_Windows_HybridVM_Deploy_AMA.json) | -|[Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd5c37ce1-5f52-4523-b949-f19bf945b73a) |Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. 
|DeployIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Arc_Linux_DINE.json) | +|[Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd5c37ce1-5f52-4523-b949-f19bf945b73a) |Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. |DeployIfNotExists, Disabled |[2.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Arc_Linux_DINE.json) | |[Configure Linux Arc-enabled machines to run Azure Monitor Agent](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F845857af-0333-4c5d-bbbc-6076697da122) |Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). 
|DeployIfNotExists, Disabled |[2.3.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_HybridVM_DINE.json) | -|[Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2ea82cdd-f2e8-4500-af75-67a2e084ca74) |Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. |DeployIfNotExists, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Linux_DINE.json) | +|[Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2ea82cdd-f2e8-4500-af75-67a2e084ca74) |Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. |DeployIfNotExists, Disabled |[6.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Linux_DINE.json) | |[Configure Linux Server to disable local users.](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcd22fc48-f2c9-4b86-98d3-ec1268b46a8a) |Creates a Guest Configuration assignment to configure disabling local users on Linux Server. 
This ensures that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. |DeployIfNotExists, Disabled |[1.3.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/AADDisableLocalAuth_Linux_DINE.json) | |[Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9d2b61b4-1d14-4a63-be30-d4498e7ad2cf) |Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - [https://aka.ms/vminsightsdocs](https://aka.ms/vminsightsdocs). Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date |DeployIfNotExists, Disabled |[2.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsExtension_Linux_HybridVM_DINE.json) | |[Configure Log Analytics extension on Azure Arc enabled Windows servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69af7d4a-7b18-4044-93a9-2651498ef203) |Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. 
See more - [https://aka.ms/vminsightsdocs](https://aka.ms/vminsightsdocs). Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. |DeployIfNotExists, Disabled |[2.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsExtension_Windows_HybridVM_DINE.json) | 
@@ -103,9 +103,9 @@ ms.custom: generated |[Configure time zone on Windows machines.](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6141c932-9384-44c6-a395-59e4c057d7c9) |This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines. |deployIfNotExists |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/SetWindowsTimeZone_DINE.json) | |[Configure virtual machines to be onboarded to Azure Automanage](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff889cab7-da27-4c41-a3b0-de1f6f87c550) |Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage to your selected scope. |AuditIfNotExists, DeployIfNotExists, Disabled |[2.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automanage/Deployv2.json) | |[Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb025cfb4-3702-47c2-9110-87fe0cfcc99b) |Azure Automanage enrolls, configures, and monitors virtual machines with best practice as defined in the Microsoft Cloud Adoption Framework for Azure. Use this policy to apply Automanage with your own customized Configuration Profile to your selected scope. 
|AuditIfNotExists, DeployIfNotExists, Disabled |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automanage/DeployUserCreatedProfile.json) | -|[Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc24c537f-2516-4c2f-aac5-2cd26baa3d26) |Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. |DeployIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Arc_Windows_DINE.json) | -|[Configure Windows Arc-enabled machines to run Azure Monitor Agent](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F94f686d6-9a24-4e19-91f1-de937dc171a4) |Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). 
|DeployIfNotExists, Disabled |[2.3.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_HybridVM_DINE.json) | -|[Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feab1f514-22e3-42e3-9a1f-e1dc9199355c) |Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. |DeployIfNotExists, Disabled |[4.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Windows_DINE.json) | +|[Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc24c537f-2516-4c2f-aac5-2cd26baa3d26) |Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. |DeployIfNotExists, Disabled |[2.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Arc_Windows_DINE.json) | +|[Configure Windows Arc-enabled machines to run Azure Monitor Agent](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F94f686d6-9a24-4e19-91f1-de937dc171a4) |Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. 
This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). |DeployIfNotExists, Disabled |[2.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_HybridVM_DINE.json) | +|[Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feab1f514-22e3-42e3-9a1f-e1dc9199355c) |Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. |DeployIfNotExists, Disabled |[4.3.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Windows_DINE.json) | |[Endpoint protection health issues should be resolved on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2) |Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - [https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions](../../../../articles/security-center/security-center-services.md#supported-endpoint-protection-solutions). 
Endpoint protection assessment is documented here - [https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection](../../../../articles/security-center/security-center-endpoint-protection.md). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EndpointProtectionHealthIssues_Audit.json) | |[Endpoint protection should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f7c564c-0a90-4d44-b7e1-9d456cffaee8) |To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EndpointProtectionShouldBeInstalledOnYourMachines_Audit.json) | |[Linux Arc-enabled machines should have Azure Monitor Agent installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff17d891d-ff20-46f2-bad3-9e0a5403a4d3) |Linux Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit Arc-enabled machines in supported regions. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). |AuditIfNotExists, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_HybridVM_Audit.json) | 
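Review bot: In the `@@ -103,9 +103,9 @@` hunk of microsoft.hybridcompute.md, the Windows Arc-enabled AMA deploy policy (AzureMonitor_Agent_Windows_HybridVM_DINE.json) moves from 2.3.0 to 2.4.0 with an unchanged description, while its Linux counterpart (AzureMonitor_Agent_Linux_HybridVM_DINE.json) is still listed at 2.3.0 as unchanged context in the preceding `@@ -90,9 +90,9 @@` hunk. Since these includes are marked `ms.custom: generated`, please confirm the Windows and Linux rows come from the same snapshot of the azure-policy repository rather than hand-editing the Linux row; if the Linux definition genuinely stayed at 2.3.0, no change is needed, but a one-sided bump is the usual symptom of a partial regeneration.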
@@ -114,13 +114,13 @@ ms.custom: generated |[Linux machines should only have local accounts that are allowed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F73db37c4-f180-4b0f-ab2c-8ee96467686b) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. |AuditIfNotExists, Disabled |[2.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/LocalUsers_Linux_AINE.json) | |[Local authentication methods should be disabled on Linux machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffad40cac-a972-4db0-b204-f1b15cced89a) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Linux servers don't have local authentication methods disabled. This is to validate that Linux Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. 
|AuditIfNotExists, Disabled |[1.2.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/AADDisableLocalAuth_Linux_AINE.json) | |[Local authentication methods should be disabled on Windows Servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5fe81c49-16b6-4870-9cee-45d13bf902ce) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Windows servers don't have local authentication methods disabled. This is to validate that Windows Servers can only be accessed by AAD (Azure Active Directory) account or a list of explicitly allowed users by this policy, improving overall security posture. |AuditIfNotExists, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/AADDisableLocalAuth_AINE.json) | -|[Machines should be configured to periodically check for missing system updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) |To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: [https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,) for Linux: [https://aka.ms/computevm-linuxpatchassessmentmode](https://aka.ms/computevm-linuxpatchassessmentmode). 
|Audit, Deny, Disabled |[3.6.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json) | +|[Machines should be configured to periodically check for missing system updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) |To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: [https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,) for Linux: [https://aka.ms/computevm-linuxpatchassessmentmode](https://aka.ms/computevm-linuxpatchassessmentmode). |Audit, Deny, Disabled |[3.7.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json) | |[Schedule recurring updates using Azure Update Manager](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba0df93e-e4ac-479a-aac2-134bbae39a1a) |You can use Azure Update Manager in Azure to save recurring deployment schedules to install operating system updates for your Windows Server and Linux machines in Azure, in on-premises environments, and in other cloud environments connected using Azure Arc-enabled servers. This policy will also change the patch mode for the Azure Virtual Machine to 'AutomaticByPlatform'. 
See more: [https://aka.ms/umc-scheduled-patching](https://aka.ms/umc-scheduled-patching) |DeployIfNotExists, Disabled |[3.10.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_ScheduledPatching_DINE.json) | |[SQL servers on machines should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6ba6d016-e7c3-4842-b8f2-4992ebc0d72d) |SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerSQLVulnerabilityAssessment_Audit.json) | |[Subscribe eligible Arc-enabled SQL Servers instances to Extended Security Updates.](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff692cc79-76fb-4c61-8861-467e454ac6f8) |Subscribe eligible Arc-enabled SQL Servers instances with License Type set to Paid or PAYG to Extended Security Updates. More on extended security updates [https://go.microsoft.com/fwlink/?linkid=2239401](https://go.microsoft.com/fwlink/?linkid=2239401). 
|DeployIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL%20Server/ArcEnabledSQLServer_SubscribeESU_DINE.json) | |[The legacy Log Analytics extension should not be installed on Azure Arc enabled Linux servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd58d393-162c-4134-bcd6-a6a5484a37a1) |Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Azure Arc enabled Linux servers. Learn more: [https://aka.ms/migratetoAMA](https://aka.ms/migratetoAMA) |Deny, Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsExtension_Linux_HybridVM_Deny.json) | |[The legacy Log Analytics extension should not be installed on Azure Arc enabled Windows servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf441472-4dae-4e4e-87b9-9205ba46be16) |Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Azure Arc enabled Windows servers. 
Learn more: [https://aka.ms/migratetoAMA](https://aka.ms/migratetoAMA) |Deny, Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsExtension_Windows_HybridVM_Deny.json) | -|[Windows Arc-enabled machines should have Azure Monitor Agent installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fec621e21-8b48-403d-a549-fc9023d4747f) |Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). |AuditIfNotExists, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_HybridVM_Audit.json) | +|[Windows Arc-enabled machines should have Azure Monitor Agent installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fec621e21-8b48-403d-a549-fc9023d4747f) |Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: [https://aka.ms/AMAOverview](https://aka.ms/AMAOverview). 
|AuditIfNotExists, Disabled |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_HybridVM_Audit.json) | |[Windows Defender Exploit Guard should be enabled on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbed48b13-6647-468e-aa2f-1af1d3f4dd40) |Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/WindowsDefenderExploitGuard_AINE.json) | |[Windows machines should be configured to use secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. 
|AuditIfNotExists, Disabled |[4.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/SecureWebProtocol_AINE.json) | |[Windows machines should configure Windows Defender to update protection signatures within one day](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd96163de-dbe0-45ac-b803-0e9ca0f5764e) |To provide adequate protection against newly released malware, Windows Defender protection signatures need to be updated regularly to account for newly released malware. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/ACAT_%20UpdateDefenderSignatureDaily_AINE.json) | diff --git a/includes/policy/reference/byrp/microsoft.insights.md b/includes/policy/reference/byrp/microsoft.insights.md index 628836e2aac44..e24d51d1fda44 100644 --- a/includes/policy/reference/byrp/microsoft.insights.md +++ b/includes/policy/reference/byrp/microsoft.insights.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
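Review bot: In the `@@ -114,13 +114,13 @@` hunk of microsoft.hybridcompute.md, the rewritten row for "Machines should be configured to periodically check for missing system updates" (3.6.0 to 3.7.0) carries over a broken link: the trailing comma sits inside both the link text and the target, `[https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,)`, so the rendered link points at a URL that ends in a comma. The description text is copied from the policy definition's metadata, so the fix belongs in the upstream definition (or the generator should strip trailing punctuation when it autolinks URLs) rather than in this generated include. In the same hunk the Windows AMA audit policy moves from 1.1.0 to 1.2.0 while the Linux audit policy (AzureMonitor_Agent_Linux_HybridVM_Audit.json) remains at 1.1.0 in the previous hunk; worth checking against the same source snapshot as the deploy policies.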
@@ -54,16 +54,16 @@ ms.custom: generated |[Configure diagnostic settings for Queue Services to Log Analytics workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7bd000e3-37c7-4928-9f31-86c4b77c5c45) |Deploys the diagnostic settings for Queue Services to stream resource logs to a Log Analytics workspace when any queue Service which is missing this diagnostic settings is created or updated. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. |DeployIfNotExists, AuditIfNotExists, Disabled |[4.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/QueueServicesLogsToWorkspace_DINE.json) | |[Configure diagnostic settings for Storage Accounts to Log Analytics workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F59759c62-9a22-4cdf-ae64-074495983fef) |Deploys the diagnostic settings for Storage accounts to stream resource logs to a Log Analytics workspace when any storage accounts which is missing this diagnostic settings is created or updated. |DeployIfNotExists, AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/AccountStorageLogsToWorkspace_DINE.json) | |[Configure diagnostic settings for Table Services to Log Analytics workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2fb86bf3-d221-43d1-96d1-2434af34eaa0) |Deploys the diagnostic settings for Table Services to stream resource logs to a Log Analytics workspace when any table Service which is missing this diagnostic settings is created or updated. 
Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account. |DeployIfNotExists, AuditIfNotExists, Disabled |[4.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/TableServicesLogsToWorkspace_DINE.json) | -|[Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd5c37ce1-5f52-4523-b949-f19bf945b73a) |Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. |DeployIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Arc_Linux_DINE.json) | -|[Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2ea82cdd-f2e8-4500-af75-67a2e084ca74) |Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. 
|DeployIfNotExists, Disabled |[6.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Linux_DINE.json) | -|[Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F050a90d5-7cce-483f-8f6c-0df462036dda) |Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. |DeployIfNotExists, Disabled |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VMSS_Linux_DINE.json) | -|[Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58e891b9-ce13-4ac3-86e4-ac3e1f20cb07) |Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. |DeployIfNotExists, Disabled |[4.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VM_Linux_DINE.json) | +|[Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd5c37ce1-5f52-4523-b949-f19bf945b73a) |Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. 
The list of locations are updated over time as support is increased. |DeployIfNotExists, Disabled |[2.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Arc_Linux_DINE.json) | +|[Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2ea82cdd-f2e8-4500-af75-67a2e084ca74) |Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. |DeployIfNotExists, Disabled |[6.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Linux_DINE.json) | +|[Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F050a90d5-7cce-483f-8f6c-0df462036dda) |Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. 
|DeployIfNotExists, Disabled |[4.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VMSS_Linux_DINE.json) | +|[Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F58e891b9-ce13-4ac3-86e4-ac3e1f20cb07) |Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. |DeployIfNotExists, Disabled |[4.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VM_Linux_DINE.json) | |[Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc859b78a-a128-4376-a838-e97ce6625d16) |Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine. 
|DeployIfNotExists, Disabled |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_DfSQL_AMA_DefaultPipeline_VM.json) | |[Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F04754ef9-9ae3-4477-bf17-86ef50026304) |Microsoft Defender for SQL collects events from the agent and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. |DeployIfNotExists, Disabled |[1.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_DfSQL_AMA_UserWorkspacePipeline_VM.json) | -|[Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc24c537f-2516-4c2f-aac5-2cd26baa3d26) |Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. 
|DeployIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Arc_Windows_DINE.json) | -|[Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feab1f514-22e3-42e3-9a1f-e1dc9199355c) |Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. |DeployIfNotExists, Disabled |[4.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Windows_DINE.json) | -|[Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a3b9bf4-d30e-424a-af6b-9a93f6f78792) |Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. 
|DeployIfNotExists, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VMSS_Windows_DINE.json) | -|[Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F244efd75-0d92-453c-b9a3-7d73ca36ed52) |Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. |DeployIfNotExists, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VM_Windows_DINE.json) | +|[Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc24c537f-2516-4c2f-aac5-2cd26baa3d26) |Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. 
|DeployIfNotExists, Disabled |[2.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Arc_Windows_DINE.json) | +|[Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feab1f514-22e3-42e3-9a1f-e1dc9199355c) |Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. |DeployIfNotExists, Disabled |[4.3.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Windows_DINE.json) | +|[Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a3b9bf4-d30e-424a-af6b-9a93f6f78792) |Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. 
|DeployIfNotExists, Disabled |[3.3.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VMSS_Windows_DINE.json) | +|[Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F244efd75-0d92-453c-b9a3-7d73ca36ed52) |Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. |DeployIfNotExists, Disabled |[3.3.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VM_Windows_DINE.json) | |[Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F951af2fa-529b-416e-ab6e-066fd85ac459) |Deploys the diagnostic settings for Azure Key Vault to stream resource logs to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. |DeployIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/DataConnectorsAzureKeyVault.json) | |[Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6c66c325-74c8-42fd-a286-a74b0e2939d8) |Deploys the diagnostic settings for Azure Kubernetes Service to stream resource logs to a Log Analytics workspace. 
|DeployIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/DataConnectorsAzureKubernetes_DINE.json) | |[Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb79fa14e-238a-4c2d-b376-442ce508fc84) |Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database which is missing this diagnostic settings is created or updated. |DeployIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/DataConnectosSqlLogs.json) | 
@@ -90,6 +90,7 @@ ms.custom: generated |[Deploy Diagnostic Settings for Service Bus to Log Analytics workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F04d53d87-841c-4f23-8a5b-21564380b55e) |Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated. |DeployIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ServiceBus_DeployDiagnosticLog_Deploy_LogAnalytics.json) | |[Deploy Diagnostic Settings for Stream Analytics to Event Hub](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fedf3780c-3d70-40fe-b17e-ab72013dafca) |Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics which is missing this diagnostic settings is created or updated. |DeployIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/StreamAnalytics_DeployDiagnosticLog_Deploy_EventHub.json) | |[Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F237e0f7e-b0e8-4ec4-ad46-8c12cb66d673) |Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. 
|DeployIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/StreamAnalytics_DeployDiagnosticLog_Deploy_LogAnalytics.json) | +|[Diagnostic logs in Azure AI services resources should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b4d1c4e-934c-4703-944c-27c82c06bebb) |Enable logs for Azure AI services resources. This enables you to recreate activity trails for investigation purposes, when a security incident occurs or your network is compromised |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DiagnosticLogs_Audit.json) | |[Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3a8ff864-d881-44ce-bed3-0c63ede634cb) |Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for API Management services (microsoft.apimanagement/service). 
|DeployIfNotExists, AuditIfNotExists, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagSettings_eventHub_apimanagement-service_DINE.json) | |[Enable logging by category group for API Management services (microsoft.apimanagement/service) to Log Analytics](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F567c93f7-3661-494f-a30f-0a94d9bfebf8) |Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for API Management services (microsoft.apimanagement/service). |DeployIfNotExists, AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagSettings_logAnalytics_apimanagement-service_DINE.json) | |[Enable logging by category group for API Management services (microsoft.apimanagement/service) to Storage](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6f3f5778-f809-4755-9d8f-bd5a5a7add85) |Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for API Management services (microsoft.apimanagement/service). |DeployIfNotExists, AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagSettings_storage_apimanagement-service_DINE.json) | 
diff --git a/includes/policy/reference/byrp/microsoft.iotcentral.md b/includes/policy/reference/byrp/microsoft.iotcentral.md index 02008cbbd9063..cd7b810cae0de 100644 --- a/includes/policy/reference/byrp/microsoft.iotcentral.md +++ b/includes/policy/reference/byrp/microsoft.iotcentral.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.keyvault.data.md b/includes/policy/reference/byrp/microsoft.keyvault.data.md index 96c9b02e9551c..17231b5600457 100644 --- a/includes/policy/reference/byrp/microsoft.keyvault.data.md +++ b/includes/policy/reference/byrp/microsoft.keyvault.data.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.keyvault.md b/includes/policy/reference/byrp/microsoft.keyvault.md index f4e0ef1ec995d..2dba3f5d5d4da 100644 --- a/includes/policy/reference/byrp/microsoft.keyvault.md +++ b/includes/policy/reference/byrp/microsoft.keyvault.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.kubernetes.md b/includes/policy/reference/byrp/microsoft.kubernetes.md index ee9d341b5efc6..5a175ede614af 100644 --- a/includes/policy/reference/byrp/microsoft.kubernetes.md +++ b/includes/policy/reference/byrp/microsoft.kubernetes.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/reference/byrp/microsoft.kubernetesconfiguration.md b/includes/policy/reference/byrp/microsoft.kubernetesconfiguration.md index 078c23eef635d..7c3434a0b2f37 100644 --- a/includes/policy/reference/byrp/microsoft.kubernetesconfiguration.md +++ b/includes/policy/reference/byrp/microsoft.kubernetesconfiguration.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.kusto.md b/includes/policy/reference/byrp/microsoft.kusto.md index 74b5125c18569..29af7281a34ea 100644 --- a/includes/policy/reference/byrp/microsoft.kusto.md +++ b/includes/policy/reference/byrp/microsoft.kusto.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.labservices.md b/includes/policy/reference/byrp/microsoft.labservices.md index e83b8efa20c9f..37a2609afa67d 100644 --- a/includes/policy/reference/byrp/microsoft.labservices.md +++ b/includes/policy/reference/byrp/microsoft.labservices.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.loadtestservice.md b/includes/policy/reference/byrp/microsoft.loadtestservice.md index 39bb5d9553461..ea177cc5ab2e9 100644 --- a/includes/policy/reference/byrp/microsoft.loadtestservice.md +++ b/includes/policy/reference/byrp/microsoft.loadtestservice.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/reference/byrp/microsoft.logic.md b/includes/policy/reference/byrp/microsoft.logic.md index af13e2e69cfab..e724315c968ee 100644 --- a/includes/policy/reference/byrp/microsoft.logic.md +++ b/includes/policy/reference/byrp/microsoft.logic.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.machinelearningservices.data.md b/includes/policy/reference/byrp/microsoft.machinelearningservices.data.md index 61990815fda21..c9ab4692605dd 100644 --- a/includes/policy/reference/byrp/microsoft.machinelearningservices.data.md +++ b/includes/policy/reference/byrp/microsoft.machinelearningservices.data.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.machinelearningservices.md b/includes/policy/reference/byrp/microsoft.machinelearningservices.md index 4c6b51e297b29..07057528a24e9 100644 --- a/includes/policy/reference/byrp/microsoft.machinelearningservices.md +++ b/includes/policy/reference/byrp/microsoft.machinelearningservices.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
@@ -19,13 +19,13 @@ ms.custom: generated |[Azure Machine Learning Compute Instance should have idle shutdown.](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F679ddf89-ab8f-48a5-9029-e76054077449) |Having an idle shutdown schedule reduces cost by shutting down computes that are idle after a pre-determined period of activity. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/IdleShutdown_Audit.json) | |[Azure Machine Learning compute instances should be recreated to get the latest software updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff110a506-2dcb-422e-bcea-d533fc8c35e2) |Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit [https://aka.ms/azureml-ci-updates/](https://aka.ms/azureml-ci-updates/). |[parameters('effects')] |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/ComputeInstanceUpdates_Audit.json) | |[Azure Machine Learning Computes should be in a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7804b5c7-01dc-4723-969b-ae300cc07ff1) |Azure Virtual Networks provide enhanced security and isolation for your Azure Machine Learning Compute Clusters and Instances, as well as subnets, access control policies, and other features to further restrict access. When a compute is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Vnet_Audit.json) | -|[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | +|[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). |Audit, Deny, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | |[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. 
By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | |[Azure Machine Learning Workspaces should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F438c38d2-3772-465a-a9cc-7a6666a275ce) |Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: [https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal](../../../../articles/machine-learning/how-to-configure-private-link.md). |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PublicNetworkAccessDisabled_Audit.json) | |[Azure Machine Learning workspaces should enable V1LegacyMode to support network isolation backward compatibility](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe413671a-dd10-4cc1-a943-45b598596cb7) |Azure ML is making a transition to a new V2 API platform on Azure Resource Manager and you can control API platform version using V1LegacyMode parameter. 
Enabling the V1LegacyMode parameter will enable you to keep your workspaces in the same network isolation as V1, though you won't have use of the new V2 features. We recommend turning on V1 Legacy Mode only when you want to keep the AzureML control plane data inside your private networks. Learn more at: [https://aka.ms/V1LegacyMode](https://aka.ms/V1LegacyMode). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_EnableV1LegacyMode_Audit.json) | |[Azure Machine Learning workspaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F45e05259-1eb5-4f70-9574-baf73e9d219b) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link](../../../../articles/machine-learning/how-to-configure-private-link.md). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateEndpoint_Audit_V2.json) | |[Azure Machine Learning workspaces should use user-assigned managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0c7d88-c7de-45b8-ac49-db49e72eaa78) |Manange access to Azure ML workspace and associated resources, Azure Container Registry, KeyVault, Storage, and App Insights using user-assigned managed identity. 
By default, system-assigned managed identity is used by Azure ML workspace to access the associated resources. User-assigned managed identity allows you to create the identity as an Azure resource and maintain the life cycle of that identity. Learn more at [https://docs.microsoft.com/azure/machine-learning/how-to-use-managed-identities?tabs=python](../../../../articles/machine-learning/how-to-use-managed-identities.md). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_UAIEnabled_Audit.json) | -|[Configure Azure Machine Learning Computes to disable local authentication methods](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6f9a2d0-cff7-4855-83ad-4cd750666512) |Disable location authentication methods so that your Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). |Modify, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Modify.json) | +|[Configure Azure Machine Learning Computes to disable local authentication methods](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6f9a2d0-cff7-4855-83ad-4cd750666512) |Disable location authentication methods so that your Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). 
|Modify, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Modify.json) | |[Configure Azure Machine Learning Workspaces to disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa10ee784-7409-4941-b091-663697637c0f) |Disable public network access for Azure Machine Learning Workspaces so that your workspaces aren't accessible over the public internet. This helps protect the workspaces against data leakage risks. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: [https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal](../../../../articles/machine-learning/how-to-configure-private-link.md). |Modify, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PublicNetworkAccessDisabled_Modify.json) | |[Configure Azure Machine Learning workspaces with private endpoints](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7838fd83-5cbb-4b5d-888c-bfa240972597) |Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Machine Learning workspace, you can reduce data leakage risks. Learn more about private links at: [https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link](../../../../articles/machine-learning/how-to-configure-private-link.md). 
|DeployIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateEndpoint_DINE.json) | |[Configure diagnostic settings for Azure Machine Learning Workspaces to Log Analytics workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff59276f0-5740-4aaf-821d-45d185aa210e) |Deploys the diagnostic settings for Azure Machine Learning Workspaces to stream resource logs to a Log Analytics Workspace when any Azure Machine Learning Workspace which is missing this diagnostic settings is created or updated. |DeployIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/AuditDiagnosticLog_DINE.json) | diff --git a/includes/policy/reference/byrp/microsoft.machinelearningservices.v2.data.md b/includes/policy/reference/byrp/microsoft.machinelearningservices.v2.data.md index 02b83e25ebfed..f4a0496ab6dad 100644 --- a/includes/policy/reference/byrp/microsoft.machinelearningservices.v2.data.md +++ b/includes/policy/reference/byrp/microsoft.machinelearningservices.v2.data.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.maintenance.md b/includes/policy/reference/byrp/microsoft.maintenance.md index 790382f37cb1b..183fc142ef105 100644 --- a/includes/policy/reference/byrp/microsoft.maintenance.md +++ b/includes/policy/reference/byrp/microsoft.maintenance.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/reference/byrp/microsoft.managedhsm.data.md b/includes/policy/reference/byrp/microsoft.managedhsm.data.md index 1fddad63eac63..35d5f813c0537 100644 --- a/includes/policy/reference/byrp/microsoft.managedhsm.data.md +++ b/includes/policy/reference/byrp/microsoft.managedhsm.data.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.managedidentity.md b/includes/policy/reference/byrp/microsoft.managedidentity.md index a088379f811d4..9700f8d7b419c 100644 --- a/includes/policy/reference/byrp/microsoft.managedidentity.md +++ b/includes/policy/reference/byrp/microsoft.managedidentity.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.managedservices.md b/includes/policy/reference/byrp/microsoft.managedservices.md index 4b77b9421528e..da9b834031240 100644 --- a/includes/policy/reference/byrp/microsoft.managedservices.md +++ b/includes/policy/reference/byrp/microsoft.managedservices.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.maps.md b/includes/policy/reference/byrp/microsoft.maps.md index e6f5844771c0a..7829701f257d4 100644 --- a/includes/policy/reference/byrp/microsoft.maps.md +++ b/includes/policy/reference/byrp/microsoft.maps.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
diff --git a/includes/policy/reference/byrp/microsoft.media.md b/includes/policy/reference/byrp/microsoft.media.md index e29640bde6f8d..c8df2f9d09ef1 100644 --- a/includes/policy/reference/byrp/microsoft.media.md +++ b/includes/policy/reference/byrp/microsoft.media.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.mobilenetwork.md b/includes/policy/reference/byrp/microsoft.mobilenetwork.md index 7d51d5516109d..3a2b709a2a1cf 100644 --- a/includes/policy/reference/byrp/microsoft.mobilenetwork.md +++ b/includes/policy/reference/byrp/microsoft.mobilenetwork.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.netapp.md b/includes/policy/reference/byrp/microsoft.netapp.md index 312225643ceae..20f891b04fc15 100644 --- a/includes/policy/reference/byrp/microsoft.netapp.md +++ b/includes/policy/reference/byrp/microsoft.netapp.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.network.md b/includes/policy/reference/byrp/microsoft.network.md index 715432252d2a4..3be00357a7ef9 100644 --- a/includes/policy/reference/byrp/microsoft.network.md +++ b/includes/policy/reference/byrp/microsoft.network.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.operationalinsights.md b/includes/policy/reference/byrp/microsoft.operationalinsights.md index 4540e02385591..d637203957d18 100644 
--- a/includes/policy/reference/byrp/microsoft.operationalinsights.md +++ b/includes/policy/reference/byrp/microsoft.operationalinsights.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.operationsmanagement.md b/includes/policy/reference/byrp/microsoft.operationsmanagement.md index 3c4d1103a944a..7ba823f935d40 100644 --- a/includes/policy/reference/byrp/microsoft.operationsmanagement.md +++ b/includes/policy/reference/byrp/microsoft.operationsmanagement.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.portal.md b/includes/policy/reference/byrp/microsoft.portal.md index d01d305f4e17d..53a764dc244cc 100644 --- a/includes/policy/reference/byrp/microsoft.portal.md +++ b/includes/policy/reference/byrp/microsoft.portal.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.purview.md b/includes/policy/reference/byrp/microsoft.purview.md index 2246efa752d16..8e137198f7992 100644 --- a/includes/policy/reference/byrp/microsoft.purview.md +++ b/includes/policy/reference/byrp/microsoft.purview.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.recoveryservices.md b/includes/policy/reference/byrp/microsoft.recoveryservices.md index b95aac280886d..2f3421adae91c 100644 --- a/includes/policy/reference/byrp/microsoft.recoveryservices.md 
+++ b/includes/policy/reference/byrp/microsoft.recoveryservices.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.resources.md b/includes/policy/reference/byrp/microsoft.resources.md index 9b2463f9142a5..99f58f54bb416 100644 --- a/includes/policy/reference/byrp/microsoft.resources.md +++ b/includes/policy/reference/byrp/microsoft.resources.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.search.md b/includes/policy/reference/byrp/microsoft.search.md index 7b38f9fea4568..f38e8454b1c18 100644 --- a/includes/policy/reference/byrp/microsoft.search.md +++ b/includes/policy/reference/byrp/microsoft.search.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
@@ -11,7 +11,7 @@ ms.custom: generated |---|---|---|---| |[\[Preview\]: Azure AI Search Service should be Zone Redundant](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F90bc8109-d21a-4692-88fc-51419391da3d) |Azure AI Search Service can be configured to be Zone Redundant or not. Availability zones are used when you add two or more replicas to your search service. Each replica is placed in a different availability zone within the region. |Audit, Deny, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Resilience/Search_searchServices_ZoneRedundant_Audit.json) | |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. 
This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). 
|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePrivateLinkSupportedResource_Deny.json) | |[Azure Cognitive Search services should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee980b6d-0eca-4501-8d54-f6290fd512c3) |Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/RequirePublicNetworkAccessDisabled_Deny.json) | |[Azure Cognitive Search services should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6300012e-e9a4-4649-b41f-a85f5c43be91) |Disabling local authentication methods improves security by ensuring that Azure Cognitive Search services exclusively require Azure Active Directory identities for authentication. Learn more at: [https://aka.ms/azure-cognitive-search/rbac](https://aka.ms/azure-cognitive-search/rbac). Note that while the disable local authentication parameter is still in preview, the deny effect for this policy may result in limited Azure Cognitive Search portal functionality since some features of the Portal use the GA API which does not support the parameter. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/DisableLocalAuth_AuditDeny.json) | 
@@ -22,4 +22,5 @@ ms.custom: generated |[Configure Azure Cognitive Search services with private endpoints](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb698b005-b660-4837-b833-a7aaab26ddba) |Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cognitive Search service, you can reduce data leakage risks. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |DeployIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/PrivateEndpoints_DINE.json) | |[Deploy Diagnostic Settings for Search Services to Event Hub](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3d5da587-71bd-41f5-ac95-dd3330c2d58d) |Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services which is missing this diagnostic settings is created or updated. |DeployIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Search_DeployDiagnosticLog_Deploy_EventHub.json) | |[Deploy Diagnostic Settings for Search Services to Log Analytics workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08ba64b8-738f-4918-9686-730d2ed79c7d) |Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. 
|DeployIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Search_DeployDiagnosticLog_Deploy_LogAnalytics.json) | +|[Diagnostic logs in Azure AI services resources should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b4d1c4e-934c-4703-944c-27c82c06bebb) |Enable logs for Azure AI services resources. This enables you to recreate activity trails for investigation purposes, when a security incident occurs or your network is compromised |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DiagnosticLogs_Audit.json) | |[Resource logs in Search services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb4330a05-a843-4bc8-bf9a-cacce50c67f4) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/AuditDiagnosticLog_Audit.json) | diff --git a/includes/policy/reference/byrp/microsoft.security.md b/includes/policy/reference/byrp/microsoft.security.md index 95b7530ef43ff..fa792c7b41014 100644 --- a/includes/policy/reference/byrp/microsoft.security.md +++ b/includes/policy/reference/byrp/microsoft.security.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
@@ -35,9 +35,7 @@ ms.custom: generated |[Azure Defender for servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) | |[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | |[Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F090c7b07-b4ed-4561-ad20-e9075f3ccaff) |Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. 
|AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_AzureContainerRegistryVulnerabilityAssessment_Audit.json) | -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |[Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17f4b1cc-c55c-4d94-b1f9-2978f6ac2957) |Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. 
|AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_K8sRuningImagesVulnerabilityAssessmentBasedOnMDVM_Audit.json) | -|[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | |[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) | |[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. 
Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) | |[Cloud Services (extended support) role instances should be configured securely](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa0c11ca4-5828-4384-a2f2-fd7444dd5b4d) |Protect your Cloud Service (extended support) role instances from attacks by ensuring they are not expolosed to any OS vulnerabilities. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_CsesOSVulnerabilities_Audit.json) | diff --git a/includes/policy/reference/byrp/microsoft.servicebus.md b/includes/policy/reference/byrp/microsoft.servicebus.md index ade145e3aee00..d109a045c737c 100644 --- a/includes/policy/reference/byrp/microsoft.servicebus.md +++ b/includes/policy/reference/byrp/microsoft.servicebus.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.servicefabric.md b/includes/policy/reference/byrp/microsoft.servicefabric.md index 5eaedba50d05b..44374c5910db7 100644 --- a/includes/policy/reference/byrp/microsoft.servicefabric.md +++ b/includes/policy/reference/byrp/microsoft.servicefabric.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.signalrservice.md b/includes/policy/reference/byrp/microsoft.signalrservice.md index f18b0ff72872a..98dc8a15cf994 100644 
--- a/includes/policy/reference/byrp/microsoft.signalrservice.md +++ b/includes/policy/reference/byrp/microsoft.signalrservice.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.solutions.md b/includes/policy/reference/byrp/microsoft.solutions.md index 5f7590ed14611..2a0e3d0cff314 100644 --- a/includes/policy/reference/byrp/microsoft.solutions.md +++ b/includes/policy/reference/byrp/microsoft.solutions.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.sql.md b/includes/policy/reference/byrp/microsoft.sql.md index 0639fee1e8394..96d9fbcae3e4e 100644 --- a/includes/policy/reference/byrp/microsoft.sql.md +++ b/includes/policy/reference/byrp/microsoft.sql.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.storage.md b/includes/policy/reference/byrp/microsoft.storage.md index 88062c2ab736c..9d0a8d9fc5a45 100644 --- a/includes/policy/reference/byrp/microsoft.storage.md +++ b/includes/policy/reference/byrp/microsoft.storage.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.storagecache.md b/includes/policy/reference/byrp/microsoft.storagecache.md index ebdf4a4e9eda8..6b218f243bc45 100644 --- a/includes/policy/reference/byrp/microsoft.storagecache.md +++ b/includes/policy/reference/byrp/microsoft.storagecache.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.storagesync.md b/includes/policy/reference/byrp/microsoft.storagesync.md index 0d5e157089179..eccc3cdbef91e 100644 --- a/includes/policy/reference/byrp/microsoft.storagesync.md +++ b/includes/policy/reference/byrp/microsoft.storagesync.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.streamanalytics.md b/includes/policy/reference/byrp/microsoft.streamanalytics.md index d2452adaf1119..3e70d6077c3e8 100644 --- a/includes/policy/reference/byrp/microsoft.streamanalytics.md +++ b/includes/policy/reference/byrp/microsoft.streamanalytics.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.synapse.md b/includes/policy/reference/byrp/microsoft.synapse.md index 34b6f5948e7cb..c2c3e4aab2db5 100644 --- a/includes/policy/reference/byrp/microsoft.synapse.md +++ b/includes/policy/reference/byrp/microsoft.synapse.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.virtualmachineimages.md b/includes/policy/reference/byrp/microsoft.virtualmachineimages.md index 04312a8d9a294..2557679358ee4 100644 --- a/includes/policy/reference/byrp/microsoft.virtualmachineimages.md +++ b/includes/policy/reference/byrp/microsoft.virtualmachineimages.md 
@@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/byrp/microsoft.web.md b/includes/policy/reference/byrp/microsoft.web.md index 9af5ca9177806..b9bb42f0492fe 100644 --- a/includes/policy/reference/byrp/microsoft.web.md +++ b/includes/policy/reference/byrp/microsoft.web.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- diff --git a/includes/policy/reference/custom/init-asc.md b/includes/policy/reference/custom/init-asc.md index d02430f124633..63959e79b34b2 100644 --- a/includes/policy/reference/custom/init-asc.md +++ b/includes/policy/reference/custom/init-asc.md @@ -2,7 +2,7 @@ author: davidsmatlak ms.service: azure-policy ms.topic: include -ms.date: 03/13/2024 +ms.date: 03/18/2024 ms.author: davidsmatlak ms.custom: generated --- 
@@ -69,7 +69,7 @@ ms.custom: generated |[Auto provisioning of the Log Analytics agent should be enabled on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F475aae12-b88a-4572-8b36-9b712b2b3a17) |To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json) | |[Automation account variables should be encrypted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3657f5a0-770e-44a3-b44e-9431ba1e9735) |It is important to enable encryption of Automation account variable assets when storing sensitive data |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/AuditUnencryptedVars_Audit.json) | |[Azure AI Services resources should have key access disabled (disable local authentication)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc) |Key access (local authentication) is recommended to be disabled for security. 
Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: [https://aka.ms/AI/auth](https://aka.ms/AI/auth) |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/DisableLocalAuth_Audit.json) | -|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. |Audit, Deny, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | +|[Azure AI Services resources should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. 
|Audit, Deny, Disabled |[3.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/NetworkAcls_Audit.json) | |[Azure API Management platform version should be stv2](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1dc2fc00-2245-4143-99f4-874c937f13ef) |Azure API Management stv1 compute platform version will be retired effective 31 August 2024, and these instances should be migrated to stv2 compute platform for continued support. Learn more at [https://learn.microsoft.com/azure/api-management/breaking-changes/stv1-platform-retirement-august-2024](../../../../articles/api-management/breaking-changes/stv1-platform-retirement-august-2024.md) |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/PlatformVersion_AuditDeny.json) | |[Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6b2122c1-8120-4ff5-801b-17625a355590) |The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at [https://aka.ms/akspolicydoc](https://aka.ms/akspolicydoc). |AuditIfNotExists, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ArcPolicyExtension_Audit.json) | |[Azure Backup should be enabled for Virtual Machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F013e242c-8828-4970-87b3-ab247555486d) |Ensure protection of your Azure Virtual Machines by enabling Azure Backup. 
Azure Backup is a secure and cost effective data protection solution for Azure. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/VirtualMachines_EnableAzureBackup_Audit.json) | 
@@ -99,17 +99,15 @@ ms.custom: generated |[Azure Kubernetes Service clusters should have Defender profile enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa1840de2-8088-4ea8-b153-b4c723e9cb01) |Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in [https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks](../../../../articles/defender-for-cloud/defender-for-containers-introduction.md) |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_AKS_SecurityProfile_Audit.json) | |[Azure Machine Learning compute instances should be recreated to get the latest software updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff110a506-2dcb-422e-bcea-d533fc8c35e2) |Ensure Azure Machine Learning compute instances run on the latest available operating system. Security is improved and vulnerabilities reduced by running with the latest security patches. For more information, visit [https://aka.ms/azureml-ci-updates/](https://aka.ms/azureml-ci-updates/). 
|[parameters('effects')] |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/ComputeInstanceUpdates_Audit.json) | |[Azure Machine Learning Computes should be in a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7804b5c7-01dc-4723-969b-ae300cc07ff1) |Azure Virtual Networks provide enhanced security and isolation for your Azure Machine Learning Compute Clusters and Instances, as well as subnets, access control policies, and other features to further restrict access. When a compute is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Vnet_Audit.json) | -|[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). 
|Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | +|[Azure Machine Learning Computes should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe96a9a5f-07ca-471b-9bc5-6a0f33cbd68f) |Disabling local authentication methods improves security by ensuring that Machine Learning Computes require Azure Active Directory identities exclusively for authentication. Learn more at: [https://aka.ms/azure-ml-aad-policy](https://aka.ms/azure-ml-aad-policy). |Audit, Deny, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/DisableLocalAuth_Audit.json) | |[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). 
|Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) | |[Azure Machine Learning Workspaces should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F438c38d2-3772-465a-a9cc-7a6666a275ce) |Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. Learn more at: [https://learn.microsoft.com/azure/machine-learning/how-to-configure-private-link?view=azureml-api-2&tabs=azure-portal](../../../../articles/machine-learning/how-to-configure-private-link.md). |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PublicNetworkAccessDisabled_Audit.json) | |[Azure Machine Learning workspaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F45e05259-1eb5-4f70-9574-baf73e9d219b) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link](../../../../articles/machine-learning/how-to-configure-private-link.md). 
|Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateEndpoint_Audit_V2.json) | |[Azure MySQL flexible server should have Microsoft Entra Only Authentication enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F40e85574-ef33-47e8-a854-7a65c7500560) |Disabling local authentication methods and allowing only Microsoft Entra Authentication improves security by ensuring that Azure MySQL flexible server can exclusively be accessed by Microsoft Entra identities. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_FlexibleServers_ADOnlyEnabled_Audit.json) | |[Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a15ec92-a229-4763-bb14-0ea34a568f8d) |Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AzurePolicyAddOn_Audit.json) | |[Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F090c7b07-b4ed-4561-ad20-e9075f3ccaff) |Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. 
Resolving vulnerabilities can greatly improve your security posture, ensuring images are safe to use prior to deployment. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_AzureContainerRegistryVulnerabilityAssessment_Audit.json) | -|[Azure registry container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |[Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. 
|Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) | |[Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17f4b1cc-c55c-4d94-b1f9-2978f6ac2957) |Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/MDC_K8sRuningImagesVulnerabilityAssessmentBasedOnMDVM_Audit.json) | -|[Azure running container images should have vulnerabilities resolved (powered by Qualys)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. 
|AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) | |[Azure SignalR Service should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2393d2cf-a342-44cd-a2e2-fe0188fd1234) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: [https://aka.ms/asrs/privatelink](https://aka.ms/asrs/privatelink). |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/PrivateEndpointEnabled_Audit_v2.json) | |[Azure Spring Cloud should use network injection](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf35e2a4-ef96-44e7-a9ae-853dd97032c4) |Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. 
|Audit, Disabled, Deny |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Platform/Spring_VNETEnabled_Audit.json) | |[Azure SQL Database should be running TLS version 1.2 or newer](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F32e6bbec-16b6-44c2-be37-c5b672d103cf) |Setting TLS version to 1.2 or newer improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. |Audit, Disabled, Deny |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_MiniumTLSVersion_Audit.json) | 
@@ -176,7 +174,7 @@ ms.custom: generated |[Linux machines should meet requirements for the Azure compute security baseline](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc9b3da7-8347-4380-8e70-0a0361d8dedd) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. |AuditIfNotExists, Disabled |[2.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/AzureLinuxBaseline_AINE.json) | |[Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4fe33eb-e377-4efb-ab31-0784311bc499) |This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVm.json) | |[Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa3a6ea0c-e018-4933-9ef0-5aaa1501449b) |Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. 
|AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVmss.json) | -|[Machines should be configured to periodically check for missing system updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) |To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: [https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,) for Linux: [https://aka.ms/computevm-linuxpatchassessmentmode](https://aka.ms/computevm-linuxpatchassessmentmode). |Audit, Deny, Disabled |[3.6.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json) | +|[Machines should be configured to periodically check for missing system updates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd876905-5b84-4f73-ab2d-2e7a7c4568d9) |To ensure periodic assessments for missing system updates are triggered automatically every 24 hours, the AssessmentMode property should be set to 'AutomaticByPlatform'. Learn more about AssessmentMode property for Windows: [https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,) for Linux: [https://aka.ms/computevm-linuxpatchassessmentmode](https://aka.ms/computevm-linuxpatchassessmentmode). 
|Audit, Deny, Disabled |[3.7.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Update%20Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json) | |[Machines should have secret findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3ac7c827-eea2-4bde-acc7-9568cd320efa) |Audits virtual machines to detect whether they contain secret findings from the secret scanning solutions on your virtual machines. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerSecretAssessment_Audit.json) | |[Management ports of virtual machines should be protected with just-in-time network access control](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb0f33259-77d7-4c9e-aac6-3aabcfae693c) |Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_JITNetworkAccess_Audit.json) | |[Management ports should be closed on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22730e10-96f6-4aac-ad84-9383d35b5917) |Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OpenManagementPortsOnVirtualMachines_Audit.json) |
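Review bot: the ms.date bumps from 03/13/2024 to 03/18/2024 in the microsoft.signalrservice.md through microsoft.web.md includes are the only change in those files; since every one of them carries ms.custom: generated, that is expected generator output, but it buries the three substantive init-asc.md hunks under a dozen metadata-only diffs. Consider splitting date-only churn from content changes in future generated PRs so reviewers can focus on the rows that actually moved.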
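Review bot: in the @@ -69,7 +69,7 @@ hunk, "Azure AI Services resources should restrict network access" moves from 3.1.0 to 3.2.0 with the description and the Audit, Deny, Disabled effects unchanged, so nothing on the page tells a reader what the new version does differently; the link still points at NetworkAcls_Audit.json on master, which will keep drifting under them. A short note in the parent initiative article on what 3.2.0 changed (or a link pinned to the revision) would make the bump reviewable.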
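Review bot: the @@ -99,17 +99,15 @@ hunk silently drops both Qualys-powered rows, "Azure registry container images should have vulnerabilities resolved (powered by Qualys)" (definition 5f0f936f-2f01-4bf5-b6be-d423792fa562) and "Azure running container images should have vulnerabilities resolved (powered by Qualys)" (definition 0fc39691-5a3f-4e3e-94ee-2e6447309ad9), while the MDVM-powered equivalents (090c7b07-... and 17f4b1cc-...) stay. Anyone who built compliance reporting around the Qualys definition IDs will find them missing from this reference without explanation; the parent article should carry a deprecation note pointing at the Microsoft Defender Vulnerability Management variants as the replacement. The 2.0.1 to 2.1.0 bump for "Azure Machine Learning Computes should have local authentication methods disabled" in the same hunk has the same unchanged-description problem as the AI Services row.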
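Review bot: in the @@ -176,7 +174,7 @@ hunk the Windows link in "Machines should be configured to periodically check for missing system updates" is still `[https://aka.ms/computevm-windowspatchassessmentmode,](https://aka.ms/computevm-windowspatchassessmentmode,)`, so the trailing comma from the sentence is part of the URL and the rendered link resolves to a non-existent shortlink; the 3.6.0 to 3.7.0 bump did not fix it. Because this include is generated, the fix belongs in the description text of AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json upstream, not in a hand edit here.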