Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Learn Build Service GitHub App

articles/aks/kubernetes-service-principal.md

@@ -36,7 +36,7 @@ The following limitations apply when you create and manage AKS clusters that sup
 ## Create an AKS cluster
 
 > [!IMPORTANT]
-> If you run a single system node pool for your AKS cluster in a production environment, we recommend you use at least three nodes for the node pool.
+> If you run a single system node pool for your AKS cluster in a production environment, we recommend you use at least three nodes for the node pool. If one node goes down, you lose control plane resources and redundancy is compromised. You can mitigate this risk by having more control plane nodes.
 
 To get started, create an AKS cluster with a single node pool. The following example uses the [az group create][az-group-create] command to create a resource group named *myResourceGroup* in the *eastus* region. An AKS cluster named *myAKSCluster* is then created using the [`az aks create`][az-aks-create] command.
 

articles/aks/use-multiple-node-pools.md

@@ -13,6 +13,8 @@ In Azure Kubernetes Service (AKS), nodes of the same configuration are grouped t
 > [!Important]
 > If you run a single system node pool for your AKS cluster in a production environment, we recommend you use at least three nodes for the node pool.
 
+This article explains how to manage system node pools in AKS. For information about how to use multiple node pools, see [use multiple node pools][use-multiple-node-pools].
+
 ## Before you begin
 
 ### [Azure CLI](#tab/azure-cli)
@@ -29,9 +31,9 @@ You need the Azure PowerShell version 7.5.0 or later installed and configured. R
 
 The following limitations apply when you create and manage AKS clusters that support system node pools.
 
-* See [Quotas, virtual machine size restrictions, and region availability in Azure Kubernetes Service (AKS)][quotas-skus-regions].
-* The name of a node pool may only contain lowercase alphanumeric characters and must begin with a lowercase letter. For Linux node pools, the length must be between 1 and 12 characters. For Windows node pools, the length must be between one and six characters.
+* See [Quotas, VM size restrictions, and region availability in AKS][quotas-skus-regions].
 * An API version of 2020-03-01 or greater must be used to set a node pool mode. Clusters created on API versions older than 2020-03-01 contain only user node pools, but can be migrated to contain system node pools by following [update pool mode steps](#update-existing-cluster-system-and-user-node-pools).
+* The name of a node pool may only contain lowercase alphanumeric characters and must begin with a lowercase letter. For Linux node pools, the length must be between 1 and 12 characters. For Windows node pools, the length must be between one and six characters.
 * The mode of a node pool is a required property and must be explicitly set when using ARM templates or direct API calls.
 
 ## System and user node pools
@@ -41,12 +43,12 @@ You can enforce this behavior by creating a dedicated system node pool. Use the
 
 System node pools have the following restrictions:
 
+* System node pools must support at least 30 pods as described by the [minimum and maximum value formula for pods][maximum-pods].
 * System pools osType must be Linux.
 * User node pools osType may be Linux or Windows.
 * System pools must contain at least one node, and user node pools may contain zero or more nodes.
 * System node pools require a VM SKU of at least 2 vCPUs and 4 GB memory. But burstable-VM(B series) isn't recommended.
 * A minimum of two nodes 4 vCPUs is recommended (for example, Standard_DS4_v2), especially for large clusters (Multiple CoreDNS Pod replicas, 3-4+ add-ons, etc.).
-* System node pools must support at least 30 pods as described by the [minimum and maximum value formula for pods][maximum-pods].
 * Spot node pools require user node pools.
 * Adding another system node pool or changing which node pool is a system node pool *does not* automatically move system pods. System pods can continue to run on the same node pool, even if you change it to a user node pool. If you delete or scale down a node pool running system pods that were previously a system node pool, those system pods are redeployed with preferred scheduling to the new system node pool.
 
@@ -311,7 +313,7 @@ Remove-AzResourceGroup -Name myResourceGroup
 
 ## Next steps
 
-In this article, you learned how to create and manage system node pools in an AKS cluster. For more information about how to use multiple node pools, see [use multiple node pools][use-multiple-node-pools].
+In this article, you learned how to create and manage system node pools in an AKS cluster. For information about how to start and stop AKS node pools, see [start and stop AKS node pools][start-stop-nodepools].
 
 <!-- EXTERNAL LINKS -->
 [kubernetes-drain]: https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/
@@ -351,3 +353,4 @@ In this article, you learned how to create and manage system node pools in an AK
 [use-multiple-node-pools]: use-multiple-node-pools.md
 [maximum-pods]: configure-azure-cni.md#maximum-pods-per-node
 [update-node-pool-mode]: use-system-pools.md#update-existing-cluster-system-and-user-node-pools
+[start-stop-nodepools]: /start-stop-nodepools.md

articles/aks/use-system-pools.md

@@ -88,6 +88,8 @@
         href: devops-api-development-templates.md  
       - name: APIs
         items:
+            - name: GraphQL APIs
+              href: graphql-apis-overview.md
             - name: API design ebook
               href: https://azure.microsoft.com/mediahandler/files/resourcefiles/api-design/Azure_API-Design_Guide_eBook.pdf?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json
             - name: RESTful web API design
@@ -265,6 +267,8 @@
                 - name: Manage secrets using named values
                   displayName: Azure CLI, az apim nv
                   href: api-management-howto-properties.md
+                - name: Configure a GraphQL resolver
+                  href: configure-graphql-resolver.md
       - name: Secure your APIs
         items:
           - name: Secure API access
@@ -432,6 +436,8 @@
               href: forward-request-policy.md
             - name: get-authorization-context
               href: get-authorization-context-policy.md
+            - name: http-data-source
+              href: http-data-source-policy.md
             - name: include-fragment
               href: include-fragment-policy.md
             - name: invoke-dapr-binding
@@ -448,6 +454,8 @@
               href: mock-response-policy.md
             - name: proxy
               href: proxy-policy.md
+            - name: publish-event
+              href: publish-event-policy.md
             - name: publish-to-dapr
               href: publish-to-dapr-policy.md
             - name: quota

articles/api-management/TOC.yml

@@ -7,7 +7,7 @@ author: dlepow
 
 ms.service: api-management
 ms.topic: article
-ms.date: 02/07/2022
+ms.date: 02/22/2023
 ms.author: danlep
 ---
 
@@ -38,12 +38,11 @@ Each API Management [pricing tier](https://aka.ms/apimpricing) offers a distinct
 | Direct management API                                                                        | No          | Yes       | Yes   | Yes      | Yes     |
 | Azure Monitor logs and metrics                                                               | No          | Yes       | Yes   | Yes      | Yes     |
 | Static IP                                                                                    | No          | Yes       | Yes   | Yes      | Yes     |
-| [WebSocket APIs](websocket-api.md)                                                                                    | No          | Yes       | Yes   | Yes      | Yes     |
-| [GraphQL APIs](graphql-api.md)<sup>5</sup>                                                                               | Yes          | Yes       | Yes   | Yes      | Yes     |
-| [Synthetic GraphQL APIs (preview)](graphql-schema-resolve-api.md)                                            | No           | Yes       | Yes   | Yes      | Yes     |
+| [Pass-through WebSocket APIs](websocket-api.md)                                                                                    | No          | Yes       | Yes   | Yes      | Yes     |
+| [Pass-through GraphQL APIs](graphql-apis-overview.md)                                                                               | Yes          | Yes       | Yes   | Yes      | Yes     |
+| [Synthetic GraphQL APIs](graphql-apis-overview.md)                                            | Yes           | Yes       | Yes   | Yes      | Yes     |
 
 <sup>1</sup> Enables the use of Azure AD (and Azure AD B2C) as an identity provider for user sign in on the developer portal.<br/>
 <sup>2</sup> Including related functionality such as users, groups, issues, applications, and email templates and notifications.<br/>
 <sup>3</sup> See [Gateway overview](api-management-gateways-overview.md#feature-comparison-managed-versus-self-hosted-gateways) for a feature comparison of managed versus self-hosted gateways. In the Developer tier self-hosted gateways are limited to a single gateway node. <br/>
-<sup>4</sup> The following policies aren't available in the Consumption tier: rate limit by key and quota by key. <br/>
-<sup>5</sup> GraphQL subscriptions aren't supported in the Consumption tier.
+<sup>4</sup> The following policies aren't available in the Consumption tier: rate limit by key and quota by key.

articles/api-management/api-management-features.md

@@ -7,7 +7,7 @@ author: dlepow
 
 ms.service: api-management
 ms.topic: conceptual
-ms.date: 08/04/2022
+ms.date: 02/22/2023
 ms.author: danlep
 ---
 
@@ -91,11 +91,9 @@ The following table compares features available in the managed gateway versus th
 | [Function App](import-function-app-as-api.md) |  ✔️ | ✔️ | ✔️ |
 | [Container App](import-container-app-with-oas.md) |  ✔️ | ✔️ | ✔️ |
 | [Service Fabric](../service-fabric/service-fabric-api-management-overview.md) |  Developer, Premium |  ❌ | ❌ |
-| [Passthrough GraphQL](graphql-api.md) |  ✔️ | ✔️<sup>1</sup> | ❌ |
-| [Synthetic GraphQL](graphql-schema-resolve-api.md) |  ✔️ |  ❌ | ❌ |
-| [Passthrough WebSocket](websocket-api.md) |  ✔️ |  ❌ | ❌ |
-
-<sup>1</sup> GraphQL subscriptions aren't supported in the Consumption tier.
+| [Pass-through GraphQL](graphql-apis-overview.md) |  ✔️ | ✔️ | ❌ |
+| [Synthetic GraphQL](graphql-apis-overview.md)|  ✔️ |  ✔️ | ❌ |
+| [Pass-through WebSocket](websocket-api.md) |  ✔️ |  ❌ | ❌ |
 
 ### Policies
 
@@ -104,9 +102,9 @@ Managed and self-hosted gateways support all available [policies](api-management
 | Policy | Managed (Dedicated)  | Managed (Consumption) | Self-hosted<sup>1</sup>  |
 | --- | ----- | ----- | ---------- |
 | [Dapr integration](api-management-policies.md#dapr-integration-policies) |  ❌ | ❌ | ✔️ |
-| [Get authorization context](get-authorization-context-policy.md) |  ✔️ |  ❌ | ❌ |
+| [GraphQL resolvers](api-management-policies.md#graphql-resolver-policies) and [GraphQL validation](api-management-policies.md#validation-policies)|  ✔️ | ✔️ | ❌ |
+| [Get authorization context](get-authorization-context-policy.md) |  ✔️ |  ✔️ | ❌ |
 | [Quota and rate limit](api-management-policies.md#access-restriction-policies) |  ✔️ |  ✔️<sup>2</sup> | ✔️<sup>3</sup>
-| [Set GraphQL resolver](set-graphql-resolver-policy.md) |  ✔️ |  ❌ | ❌ |
 
 <sup>1</sup> Configured policies that aren't supported by the self-hosted gateway are skipped during policy execution.<br/>
 <sup>2</sup> The rate limit by key and quota by key policies aren't available in the Consumption tier.<br/>

articles/api-management/api-management-gateways-overview.md

@@ -5,7 +5,7 @@ description: Learn how to deploy a Premium tier Azure API Management instance to
 author: dlepow
 ms.service: api-management
 ms.topic: how-to
-ms.date: 09/27/2022
+ms.date: 01/26/2023
 ms.author: danlep
 ---
 
@@ -50,18 +50,16 @@ When adding a region, you configure:
 ## <a name="remove-region"> </a>Remove an API Management service region
 
 1. In the Azure portal, navigate to your API Management service and select **Locations** from the left menu.
-2. For the location you would like to remove, select the context menu using the **...** button at the right end of the table. Select **Delete**.
-3. Confirm the deletion and select **Save** to apply the changes.
+1. For the location you would like to remove, select the context menu using the **...** button at the right end of the table. Select **Delete**.
+1. Confirm the deletion and select **Save** to apply the changes.
+
 
 ## <a name="route-backend"> </a>Route API calls to regional backend services
 
 By default, each API routes requests to a single backend service URL. Even if you've configured Azure API Management gateways in various regions, the API gateway will still forward requests to the same backend service, which is deployed in only one region. In this case, the performance gain will come only from responses cached within Azure API Management in a region specific to the request; contacting the backend across the globe may still cause high latency.
 
 To take advantage of geographical distribution of your system, you should have backend services deployed in the same regions as Azure API Management instances. Then, using policies and `@(context.Deployment.Region)` property, you can route the traffic to local instances of your backend.
 
-> [!TIP]
-> Optionally set the `disableGateway` property in a regional gateway to disable routing of API traffic there. For example, temporarily disable a regional gateway when testing or updating a regional backend service. 
-
 1. Navigate to your Azure API Management instance and select **APIs** from the left menu.
 2. Select your desired API.
 3. Select **Code editor** from the arrow dropdown in the **Inbound processing**.
@@ -118,6 +116,44 @@ API Management routes the requests to a regional gateway based on [the lowest la
 1. [Configure the API Management regional status endpoints in Traffic Manager](../traffic-manager/traffic-manager-monitoring.md). The regional status endpoints follow the URL pattern of `https://<service-name>-<region>-01.regional.azure-api.net/status-0123456789abcdef`, for example `https://contoso-westus2-01.regional.azure-api.net/status-0123456789abcdef`.
 1. Specify [the routing method](../traffic-manager/traffic-manager-routing-methods.md) of the Traffic Manager.
 
+## Disable routing to a regional gateway
+
+Under some conditions, you might need to temporarily disable routing to one of the regional gateways. For example:
+
+* After adding a new region, to keep it disabled while you configure and test the regional backend service 
+* During regular backend maintenance in a region
+* To redirect traffic to other regions during a planned disaster recovery drill that simulates an unavailable region, or during a regional failure 
+
+To disable routing to a regional gateway in your API Management instance, update the gateway's `disableGateway` property value to `true`. You can set the value using the [Create or update service](/rest/api/apimanagement/current-ga/api-management-service/create-or-update) REST API, the [az apim update](/cli/azure/apim#az-apim-update) command in the Azure CLI, the [set-azapimanagement](/powershell/module/az.apimanagement/set-azapimanagement) Azure PowerShell cmdlet, or other Azure tools.
+    
+To disable a regional gateway using the Azure CLI:
+
+1. Use the [az apim show](/cli/azure/apim#az-apim-show) command to show the locations, gateway status, and regional URLs configured for the API Management instance. 
+    ```azurecli
+    az apim show --name contoso --resource-group myResourceGroup \
+        --query "additionalLocations[].{Location:location,Disabled:disableGateway,Url:gatewayRegionalUrl}" \
+        --output table
+    ```
+    Example output:
+
+    ```
+    Location    Disabled    Url
+    ----------  ----------  ------------------------------------------------------------
+    West US 2   True        https://contoso-westus2-01.regional.azure-api.net
+    West Europe True        https://contoso-westeurope-01.regional.azure-api.net
+    ```
+1. Use the [az apim update](/cli/azure/apim#az-apim-update) command to disable the gateway in an available location, such as West US 2.
+    ```azurecli
+    az apim update --name contoso --resource-group myResourceGroup \
+    --set additionalLocations[location="West US 2"].disableGateway=true
+    ```
+
+    The update may take a few minutes. 
+
+1. Verify that traffic directed to the regional gateway URL is redirected to another region. 
+ 
+To restore routing to the regional gateway, set the value of `disableGateway` to `false`. 
+
 ## Virtual networking
 
 This section provides considerations for multi-region deployments when the API Management instance is injected in a virtual network.

articles/api-management/api-management-howto-deploy-multi-region.md

@@ -99,6 +99,16 @@ When configuring a policy, you must first select the scope at which the policy a
 
 For more information, see [Set or edit policies](set-edit-policies.md#use-base-element-to-set-policy-evaluation-order).
 
+### GraphQL resolver policies
+
+In API Management, a [GraphQL resolver](configure-graphql-resolver.md) is configured using policies scoped to a specific operation type and field in a [GraphQL schema](graphql-apis-overview.md#resolvers).
+
+* Currently, API Management supports GraphQL resolvers that specify HTTP data sources. Configure a single [`http-data-source`](http-data-source-policy.md) policy with elements to specify a request to (and optionally response from) an HTTP data source.
+* You can't include a resolver policy in policy definitions at other scopes such as API, product, or all APIs. It also doesn't inherit policies configured at other scopes.
+* The gateway evaluates a resolver-scoped policy *after* any configured `inbound` and `backend` policies in the policy execution pipeline.
+
+For more information, see [Configure a GraphQL resolver](configure-graphql-resolver.md).
+
 ## Examples
 
 ### Apply policies specified at different scopes

articles/api-management/api-management-howto-policies.md

@@ -73,9 +73,9 @@ More information about policies:
 -  [Send message to Pub/Sub topic](publish-to-dapr-policy.md): Uses Dapr runtime to publish a message to a Publish/Subscribe topic. To learn more about Publish/Subscribe messaging in Dapr, see the description in this [README](https://github.com/dapr/docs/blob/master/README.md) file.
 -  [Trigger output binding](invoke-dapr-binding-policy.md): Uses Dapr runtime to invoke an external system via output binding. To learn more about bindings in Dapr, see the description in this [README](https://github.com/dapr/docs/blob/master/README.md) file.
 
-## GraphQL API policies
-- [Validate GraphQL request](validate-graphql-request-policy.md) - Validates and authorizes a request to a GraphQL API. 
-- [Set GraphQL resolver](set-graphql-resolver-policy.md) - Retrieves or sets data for a GraphQL field in an object type specified in a GraphQL schema.
+## GraphQL resolver policies
+- [HTTP data source for resolver](http-data-source-policy.md) - Configures the HTTP request and optionally the HTTP response to resolve data for an object type and field in a GraphQL schema.
+- [Publish event to GraphQL subscription](publish-event-policy.md) - Publishes an event to one or more subscriptions specified in a GraphQL API schema. Used in the `http-response` element of the `http-data-source` policy
 
 ## Transformation policies
 -   [Convert JSON to XML](json-to-xml-policy.md) - Converts request or response body from JSON to XML.
@@ -92,6 +92,7 @@ More information about policies:
 ## Validation policies
 
 - [Validate content](validate-content-policy.md) - Validates the size or content of a request or response body against one or more API schemas. The supported schema formats are JSON and XML.
+- [Validate GraphQL request](validate-graphql-request-policy.md) - Validates and authorizes a request to a GraphQL API. 
 - [Validate parameters](validate-parameters-policy.md) - Validates the request header, query, or path parameters against the API schema.
 - [Validate headers](validate-headers-policy.md) - Validates the response headers against the API schema.
 - [Validate status code](validate-status-code-policy.md) - Validates the HTTP status codes in