Commit 6ee615c

Merge pull request #790 from MicrosoftDocs/main
10/11/2024 PM Publish
2 parents fbfbaca + 3ffda5f commit 6ee615c

9 files changed

+16
-24
lines changed

articles/ai-services/encryption/cognitive-services-encryption-keys-portal.md

Lines changed: 1 addition & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -27,20 +27,6 @@ Azure AI is built on top of multiple Azure services. While the data is stored se
2727
* unwrap key
2828
* get
2929

30-
For example, the managed identity for Azure Cosmos DB would need to have those permissions to the key vault.
31-
32-
## How metadata is stored
33-
34-
The following services are used by Azure AI to store metadata for your Azure AI resource and projects:
35-
36-
|Service|What it's used for|Example|
37-
|-----|-----|-----|
38-
|Azure Cosmos DB|Stores metadata for your Azure AI projects and tools|Flow creation timestamps, deployment tags, evaluation metrics|
39-
|Azure AI Search|Stores indices that are used to help query your AI studio content.|An index based off your model deployment names|
40-
|Azure Storage Account|Stores artifacts created by Azure AI projects and tools|Fine-tuned models|
41-
42-
All of the above services are encrypted using the same key at the time that you create your Azure AI resource for the first time, and are set up in a managed resource group in your subscription once for every Azure AI resource and set of projects associated with it. Your Azure AI resource and projects read and write data using managed identity. Managed identities are granted access to the resources using a role assignment (Azure role-based access control) on the data resources. The encryption key you provide is used to encrypt data that is stored on Microsoft-managed resources. It's also used to create indices for Azure AI Search, which are created at runtime.
43-
4430
## Customer-managed keys
4531

4632
When you don't use a customer-managed key, Microsoft creates and manages these resources in a Microsoft owned Azure subscription and uses a Microsoft-managed key to encrypt the data.
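Review bot: With old lines 30-43 removed, the context sentence "Microsoft creates and manages these resources" under "## Customer-managed keys" has no antecedent left in the visible text for "these resources", and the permissions list ending in `get` no longer says which identity needs wrap key, unwrap key and get on the key vault. Suggest keeping one sentence that names the identity that needs those permissions and the resources the key protects, or rewording the Customer-managed keys paragraph so it names them itself. The deleted paragraph was also the only visible statement that data access uses managed identity with Azure RBAC role assignments; if that still holds, it is worth retaining for readers who have to scope key vault access.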
@@ -53,14 +39,13 @@ When you use a customer-managed key, these resources are _in your Azure subscrip
5339
These Microsoft-managed resources are located in a new Azure resource group is created in your subscription. This group is in addition to the resource group for your project. This resource group contains the Microsoft-managed resources that your key is used with. The resource group is named using the formula of `<Azure AI resource group name><GUID>`. It isn't possible to change the naming of the resources in this managed resource group.
5440

5541
> [!TIP]
56-
> * The [Request Units](/azure/cosmos-db/request-units) for the Azure Cosmos DB automatically scale as needed.
5742
> * If your AI resource uses a private endpoint, this resource group will also contain a Microsoft-managed Azure Virtual Network. This VNet is used to secure communications between the managed services and the project. You cannot provide your own VNet for use with the Microsoft-managed resources. You also cannot modify the virtual network. For example, you cannot change the IP address range that it uses.
5843
5944
> [!IMPORTANT]
6045
> If your subscription does not have enough quota for these services, a failure will occur.
6146
6247
> [!WARNING]
63-
> Don't delete the managed resource group that contains this Azure Cosmos DB instance, or any of the resources automatically created in this group. If you need to delete the resource group or Microsoft-managed services in it, you must delete the Azure AI resources that uses it. The resource group resources are deleted when the associated AI resource is deleted.
48+
> Don't delete the managed resource group any of the resources automatically created in this group. If you need to delete the resource group or Microsoft-managed services in it, you must delete the Azure AI resources that uses it. The resource group resources are deleted when the associated AI resource is deleted.
6449
6550
The process to enable Customer-Managed Keys with Azure Key Vault for Azure AI services varies by product. Use these links for service-specific instructions:
6651
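Review bot: New line 48 lost its conjunction when the Cosmos DB clause was cut: "Don't delete the managed resource group any of the resources automatically created in this group" should read "Don't delete the managed resource group or any of the resources automatically created in this group". While this line is being edited, "the Azure AI resources that uses it" should be "the Azure AI resource that uses it", and context line 39 ("are located in a new Azure resource group is created in your subscription") has the same kind of leftover wording and could be fixed in the same pass.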

articles/ai-services/openai/quotas-limits.md

Lines changed: 12 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ ms.custom:
1010
- ignite-2023
1111
- references_regions
1212
ms.topic: conceptual
13-
ms.date: 10/10/2024
13+
ms.date: 10/11/2024
1414
ms.author: mbullwin
1515
---
1616

@@ -62,6 +62,17 @@ The following sections provide you with a quick guide to the default quotas and
6262

6363
## o1-preview & o1-mini rate limits
6464

65+
> [!IMPORTANT]
66+
> The ratio of RPM/TPM for quota with o1-series models works differently than older chat completions models:
67+
>
68+
> - **Older chat models:** 1 unit of capacity = 6 RPM and 1,000 TPM.
69+
> - **o1-preview:** 1 unit of capacity = 1 RPM and 6,000 TPM.
70+
> - **o1-mini:** 1 unit of capacity = 1 RPM per 10,000 TPM.
71+
>
72+
> This is particularly important for programmatic model deployment as this change in RPM/TPM ratio can result in accidental under allocation of quota if one is still assuming the 1:1000 ratio followed by older chat completion models.
73+
>
74+
> There is a known issue with the [quota/usages API](/rest/api/aiservices/accountmanagement/usages/list?view=rest-aiservices-accountmanagement-2024-06-01-preview&tabs=HTTP&preserve-view=true) where it assumes the old ratio applies to the new o1-series models. The API returns the correct base capacity number, but does not apply the correct ratio for the accurate calculation of TPM.
75+
6576
### o1-preview & o1-mini global standard
6677

6778
| Model|Tier| Quota Limit in tokens per minute (TPM) | Requests per minute |
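Review bot: Line 72 warns against "assuming the 1:1000 ratio followed by older chat completion models", but line 68 gives older chat models as 6 RPM and 1,000 TPM per unit, so it is unclear whether 1:1000 means units to TPM or RPM to TPM; spell it out in the same form as the bullets, such as "1 unit = 1,000 TPM". Lines 69 and 70 also phrase the same relationship two ways ("1 RPM and 6,000 TPM" versus "1 RPM per 10,000 TPM"); pick one. For the known issue on line 74, the note says the API returns the correct base capacity but the wrong TPM; add a sentence telling callers how to derive TPM from that base capacity using the per-unit figures above, so deployment scripts that read this API do not under-allocate.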

articles/ai-studio/concepts/rbac-ai-studio.md

Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -16,8 +16,6 @@ author: Blackmist
1616

1717
# Role-based access control in Azure AI Studio
1818

19-
[!INCLUDE [Feature preview](~/reusable-content/ce-skilling/azure/includes/ai-studio/includes/feature-preview.md)]
20-
2119
In this article, you learn how to manage access (authorization) to an Azure AI Studio hub. Azure role-based access control (Azure RBAC) is used to manage access to Azure resources, such as the ability to create new resources or use existing ones. Users in your Microsoft Entra ID are assigned specific roles, which grant access to resources. Azure provides both built-in roles and the ability to create custom roles.
2220

2321
> [!WARNING]

articles/ai-studio/how-to/configure-managed-network.md

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -15,8 +15,6 @@ zone_pivot_groups: azure-ai-studio-sdk-cli
1515

1616
# How to configure a managed network for Azure AI Studio hubs
1717

18-
[!INCLUDE [Feature preview](~/reusable-content/ce-skilling/azure/includes/ai-studio/includes/feature-preview.md)]
19-
2018
We have two network isolation aspects. One is the network isolation to access an Azure AI Studio hub. Another is the network isolation of computing resources for both your hub and project (such as compute instance, serverless and managed online endpoint.) This document explains the latter highlighted in the diagram. You can use hub built-in network isolation to protect your computing resources.
2119

2220
:::image type="content" source="../media/how-to/network/azure-ai-network-outbound.svg" alt-text="Diagram of hub network isolation." lightbox="../media/how-to/network/azure-ai-network-outbound.png":::
@@ -145,6 +143,7 @@ Before following the steps in this article, make sure you have the following pre
145143
* Using FQDN outbound rules increases the cost of the managed virtual network because FQDN rules use Azure Firewall. For more information, see [Pricing](#pricing).
146144
* FQDN outbound rules only support ports 80 and 443.
147145
* When using a compute instance with a managed network, use the `az ml compute connect-ssh` command to connect to the compute using SSH.
146+
* If your managed network is configured to __allow only approved outbound__, you cannot use an FQDN rule to access Azure Storage Accounts. You must use a private endpoint instead.
148147

149148
## Configure a managed virtual network to allow internet outbound
150149
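Review bot: The bullet added at line 146 tells the reader a private endpoint is required for Azure Storage Accounts under __allow only approved outbound__ but gives no link to the steps, unlike the FQDN cost bullet at line 143, which links to [Pricing](#pricing). Suggest linking "private endpoint" to the part of this article that covers adding one. It is also an FQDN-rule limitation, so it would read better next to the other two FQDN bullets (lines 143-144) than after the `az ml compute connect-ssh` item.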

articles/ai-studio/how-to/configure-private-link.md

Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -15,8 +15,6 @@ author: Blackmist
1515

1616
# How to configure a private link for Azure AI Studio hubs
1717

18-
[!INCLUDE [Feature preview](~/reusable-content/ce-skilling/azure/includes/ai-studio/includes/feature-preview.md)]
19-
2018
We have two network isolation aspects. One is the network isolation to access an Azure AI Studio hub. Another is the network isolation of computing resources in your hub and projects such as compute instances, serverless, and managed online endpoints. This article explains the former highlighted in the diagram. You can use private link to establish the private connection to your hub and its default resources. This article is for Azure AI Studio (hub and projects). For information on Azure AI services, see the [Azure AI services documentation](/azure/ai-services/cognitive-services-virtual-networks).
2119

2220
:::image type="content" source="../media/how-to/network/azure-ai-network-inbound.svg" alt-text="Diagram of AI Studio hub network isolation." lightbox="../media/how-to/network/azure-ai-network-inbound.png":::

articles/machine-learning/how-to-managed-network.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1116,6 +1116,7 @@ The Azure Machine Learning managed VNet feature is free. However, you're charged
11161116
* When using Managed Vnet, you can't deploy compute resources inside your custom Vnet. Compute resources can only be created inside the managed Vnet.
11171117
* Managed network isolation cannot establish a private connection from the managed virtual network to a user's on-premises resources.
11181118
For the list of supported private connections, see [Private Endpoints](/azure/machine-learning/how-to-managed-network?view=azureml-api-2&tabs=azure-cli&preserve-view=true#private-endpoints).
1119+
* If your managed network is configured to __allow only approved outbound__, you cannot use an FQDN rule to access Azure Storage Accounts. You must use a private endpoint instead.
11191120

11201121
### Migration of compute resources
11211122
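Review bot: Line 1119 repeats word for word the bullet added to articles/ai-studio/how-to/configure-managed-network.md in this same commit; moving the sentence into a shared include would keep the two articles from drifting apart. As rendered here it also follows the unbulleted "For the list of supported private connections, see [Private Endpoints]..." line, so link "private endpoint" in the new bullet to the same #private-endpoints anchor that line 1118 already uses, which gives the reader the next step directly.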

articles/machine-learning/how-to-secure-rag-workflows.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ ms.topic: how-to
1313
ms.custom:
1414
- prompt-flow
1515
- ignite-2023
16-
- code02
16+
- code03
1717
---
1818

1919
# Secure your RAG workflows with network isolation (preview)