MicrosoftDocs
diff --git a/‎articles/automation/automation-security-guidelines.md
Lines changed: 3 additions & 1 deletion b/‎articles/automation/automation-security-guidelines.md
Lines changed: 3 additions & 1 deletion
diff --git a/‎articles/automation/extension-based-hybrid-runbook-worker-install.md
Lines changed: 4 additions & 2 deletions b/‎articles/automation/extension-based-hybrid-runbook-worker-install.md
Lines changed: 4 additions & 2 deletions
diff --git a/‎articles/batch/TOC.yml
Lines changed: 2 additions & 0 deletions b/‎articles/batch/TOC.yml
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/batch/batch-container-isolation-task.md
Lines changed: 115 additions & 0 deletions b/‎articles/batch/batch-container-isolation-task.md
Lines changed: 115 additions & 0 deletions
diff --git a/‎articles/hdinsight/hdinsight-use-availability-zones.md
Lines changed: 34 additions & 19 deletions b/‎articles/hdinsight/hdinsight-use-availability-zones.md
Lines changed: 34 additions & 19 deletions
diff --git a/‎articles/healthcare-apis/azure-api-for-fhir/media/add-azure-active-directory/client-secret-string-password.png
-6.51 KB b/‎articles/healthcare-apis/azure-api-for-fhir/media/add-azure-active-directory/client-secret-string-password.png
-6.51 KB
diff --git a/‎articles/healthcare-apis/azure-api-for-fhir/media/davinci-plan-net/davinci-test-script-execution-passed.png
-13.1 KB b/‎articles/healthcare-apis/azure-api-for-fhir/media/davinci-plan-net/davinci-test-script-execution-passed.png
-13.1 KB
diff --git a/‎articles/healthcare-apis/azure-api-for-fhir/media/tutorial-smart-on-fhir/configure-reply-url.png
2.19 KB b/‎articles/healthcare-apis/azure-api-for-fhir/media/tutorial-smart-on-fhir/configure-reply-url.png
2.19 KB
diff --git a/‎articles/healthcare-apis/azure-api-for-fhir/media/tutorial-web-app/web-app-authentication.png
-27 KB b/‎articles/healthcare-apis/azure-api-for-fhir/media/tutorial-web-app/web-app-authentication.png
-27 KB
diff --git a/‎articles/healthcare-apis/fhir/media/configure-customer-managed-keys/deploy-review.png
-67.5 KB b/‎articles/healthcare-apis/fhir/media/configure-customer-managed-keys/deploy-review.png
-67.5 KB
@@ -3,7 +3,7 @@ title: Azure Automation security guidelines, security best practices Automation
 description: This article helps you with the guidelines that Azure Automation offers to ensure a secured configuration of Automation account, Hybrid Runbook worker role, authentication certificate and identities, network isolation and policies.
 services: automation
 ms.subservice: shared-capabilities
-ms.date: 09/09/2024
+ms.date: 12/03/2024
 ms.topic: overview 
 ms.service: azure-automation
 ---
@@ -48,6 +48,8 @@ This section guides you in configuring your Automation account securely.
 
 1. [Unregister](./extension-based-hybrid-runbook-worker-install.md?tabs=windows#delete-a-hybrid-runbook-worker) any unused or non-responsive hybrid workers.
 
+1. We strongly recommend that you never configure Hybrid Worker extension on a Virtual machine hosting domain controller. Security best practices don't advise such a setup due to the high-risk nature of exposing domain controllers to potential attack vectors via Azure Automation jobs. Domain controllers should be highly secured and isolated from non-essential services to prevent unauthorized access and maintain the integrity of the Active Directory Domain Services (ADDS) environment.
+
 ### Authentication certificate and identities
 
 1. For runbook authentication, we recommend that you use [Managed identities](./automation-security-overview.md#managed-identities) instead of Run As accounts. The Run As accounts are an administrative overhead and we plan to deprecate them. A managed identity from Microsoft Entra ID allows your runbook to easily access other Microsoft Entra protected resources such as Azure Key Vault. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets. For more information about managed identities in Azure Automation, see [Managed identities for Azure Automation](./automation-security-overview.md#managed-identities)
 
@@ -4,7 +4,7 @@ description: This article provides information about deploying the extension-bas
 services: automation
 ms.subservice: process-automation
 ms.custom: devx-track-azurepowershell, devx-track-azurecli, devx-track-bicep, linux-related-content
-ms.date: 11/29/2024
+ms.date: 12/03/2024
 ms.topic: how-to
 #Customer intent: As a developer, I want to learn about extension so that I can efficiently deploy Hybrid Runbook Workers.
 ms.service: azure-automation
@@ -62,7 +62,9 @@ Azure Automation stores and manages runbooks and then delivers them to one or mo
 | PowerShell Core | To run PowerShell runbooks, PowerShell Core needs to be installed. For instructions, see [Installing PowerShell Core on Linux](/powershell/scripting/install/installing-powershell-core-on-linux) | 6.0.0 |
 
 > [!NOTE]
-> Hybrid Runbook Worker is currently not supported for Virtual Machine Scale Sets (VMSS).
+> - Hybrid Runbook Worker is currently not supported for Virtual Machine Scale Sets (VMSS).
+> 
+> - We strongly recommend that you never configure Hybrid Worker extension on a Virtual machine hosting domain controller. Security best practices don't advise such a setup due to the high-risk nature of exposing domain controllers to potential attack vectors via Azure Automation jobs. Domain controllers should be highly secured and isolated from non-essential services to prevent unauthorized access and maintain the integrity of the Active Directory Domain Services (ADDS) environment.
 
 
 ### Permissions for Hybrid worker credentials
 
@@ -238,6 +238,8 @@
     - name: Job preparation and completion tasks
       displayName: release, job release
       href: batch-job-prep-release.md
+    - name: Configure Container Data Isolation Task
+      href: batch-container-isolation-task.md  
     - name: Concurrent node tasks
       displayName: variable, maximize
       href: batch-parallel-node-tasks.md
 
@@ -0,0 +1,115 @@
+---
+title: Configure container isolation in Azure Batch task
+description: Learn how to configure isolation at task level in Azure Batch.
+ms.topic: how-to
+ms.date: 12/02/2024
+ms.devlang: csharp
+ms.custom: batch
+---
+
+# Batch Container Isolation Task
+
+Azure Batch offers an isolation configuration at the task level, allowing tasks to avoid mounting the entire ephemeral disk or the entire `AZ_BATCH_NODE_ROOT_DIR`. Instead, you can customize the specific Azure Batch data paths you want to attach to the container task.
+
+> [!Note]
+> **Azure Batch Data Path** refers to the specific paths on an Azure Batch node designated for tasks and applications. All these paths are located under `AZ_BATCH_NODE_ROOT_DIR`.
+
+## Why we need isolation feature in container task
+
+In a Windows container task workload, the entire ephemeral disk (D:) is attached to the task's container. For a Linux container task workload, Azure Batch attaches the entire `AZ_BATCH_NODE_ROOT_DIR` to the task's container, both in ReadWrite mode. However, if you want to customize your container volumes, this setup may cause some data to be shared across all containers running on the node. To address the same, we support the ability to customize the Azure Batch data paths that you want to attach to the task container.
+
+- **Security**: Prevents the container task data from leaking into the host machine or altering data on the host machine.
+- **Customize**: You can customize your container task volumes as needed.
+
+> [!Note]
+> To use this feature, please ensure that your node agent version is greater than 1.11.11.
+
+## Configuring host data path attachments for containers
+
+* For Linux node: We can just attach the same path into container.
+* For Windows node: Since Windows containers don't have a D: disk, we need to mount the path. Refer to the listed paths that you can choose to mount.
+
+| Azure Batch Data Path | Path in Host Machine | Path in Container  |
+|-----------------------------------|--------------------------------------------------------------------------|--------------|
+|**AZ_BATCH_APP_PACKAGE_**| D:\\batch\\tasks\\applications  | C:\\batch\\tasks\\applications | 
+|**AZ_BATCH_NODE_SHARED_DIR**| D:\\batch\\tasks\\shared  | C:\\batch\\tasks\\shared |
+|**AZ_BATCH_NODE_STARTUP_DIR**| D:\\batch\\tasks\\startup  | C:\\batch\\tasks\\startup |
+|**AZ_BATCH_NODE_MOUNTS_DIR**|D:\\batch\\tasks\\fsmounts|C:\\batch\\tasks\\fsmounts|
+|**AZ_BATCH_NODE_STARTUP_WORKING_DIR**| D:\\batch\\tasks\\startup\\wd  | C:\\batch\\tasks\\startup\\wd |
+|**AZ_BATCH_JOB_PREP_DIR** | C:\\batch\\tasks\\workitems\\{workitemname}\\{jobname}\\{jobpreptaskname} | D:\\batch\tasks\workitems\\{workitemname}\\{jobname}\\{jobpreptaskname} |
+|**AZ_BATCH_JOB_PREP_WORKING_DIR** | C:\\batch\\tasks\\workitems\\{workitemname}\\{jobname}\\{jobpreptaskname}\\wd  | D:\\batch\tasks\workitems\\{workitemname}\\{jobname}\\{jobpreptaskname}\\wd |
+|**AZ_BATCH_TASK_DIR**| D:\\batch\\tasks\\workitems\\{workitemname}\\{jobname}\\{taskname} | C:\batch\tasks\workitems\\{workitemname}\\{jobname}\\{taskname} |
+|**AZ_BATCH_TASK_WORKING_DIR** | D:\\batch\\tasks\\workitems\\{workitemname}\\{jobname}\\{taskname}\\wd | C:\\batch\\tasks\\workitems\\{workitemname}\\{jobname}\\{taskname}\\wd |
+
+
+Refer to the listed data paths that you can choose to attach to the container. Any unselected data paths have their associated environment variables removed.
+
+|Data Path Enum|Data Path with be attached to container|
+|:--------:|------------|
+|**Shared**| AZ_BATCH_NODE_SHARED_DIR |
+|**Applications**| AZ_BATCH_APP_PACKAGE_* |
+|**Startup**| AZ_BATCH_NODE_STARTUP_DIR, AZ_BATCH_NODE_STARTUP_WORKING_DIR |
+|**Vfsmounts**|AZ_BATCH_NODE_MOUNTS_DIR|
+|**JobPrep**| AZ_BATCH_JOB_PREP_DIR, AZ_BATCH_JOB_PREP_WORKING_DIR |
+|**Task**| AZ_BATCH_TASK_DIR, AZ_BATCH_TASK_WORKING_DIR |
+
+## Run a container isolation task
+
+> [!Note]
+> * If you use an empty list, the NodeAgent will not mount any data paths into the task's container. If you use null, the NodeAgent will mount the entire ephemeral disk (in Windows) or `AZ_BATCH_NODE_ROOT_DIR` (in Linux).
+> * If you don't mount the task data path into the container, you must set the task's property [workingDirectory](/rest/api/batchservice/task/add?tabs=HTTP#containerworkingdirectory) to containerImageDefault.
+
+Before running a container isolation task, you must create a pool with a container. For more information on how to create it, see this guide [Docker container workload](batch-docker-container-workloads.md).
+
+# [REST API](#tab/restapi)
+
+The following example describes how to create a container task with data isolation using REST API:
+```http
+POST {batchUrl}/jobs/{jobId}/tasks?api-version=2024-07-01.20.0
+```
+
+```json
+{
+    "id": "taskId",
+    "commandLine": "bash -c 'echo hello'",
+    "containerSettings": {
+        "imageName": "ubuntu",
+        "containerHostBatchBindMounts": [
+            {
+            "source": "Task",
+            "isReadOnly": true
+            }
+        ]
+    },
+    "userIdentity": {
+        "autoUser": {
+            "scope": "task",
+            "elevationLevel": "nonadmin"
+        }
+    }
+}
+```
+
+# [SDK / C#](#tab/csharp)
+
+The following code snippet shows an example of how to use the [Batch .NET](https://www.nuget.org/packages/Microsoft.Azure.Batch/) client library to create a container data isolation task using C#. For more details about Batch .NET, see the [reference documentation](/dotnet/api/microsoft.azure.batch).
+
+```csharp
+private async Task CreateExampleContainerIsolationTask(BatchServiceClient client, string jobId)
+{
+    var containerIsolationTask = new CloudTask("test-container-isolation", "printenv")
+    {
+        ContainerSettings = new TaskContainerSettings("docker.io/ubuntu:22.04")
+        {
+            ContainerHostBatchBindMounts = new List<ContainerHostBatchBindMountEntry>()
+            {
+                new()
+                {
+                    Source = Microsoft.Azure.Batch.Protocol.Models.ContainerHostDataPath.Task,
+                }
+            }
+        }
+    };
+    await client.JobOperations.AddTaskAsync(jobId, containerIsolationTask);
+}
+```
@@ -4,7 +4,7 @@ description: Learn how to create an Azure HDInsight cluster that uses Availabili
 ms.service: azure-hdinsight
 ms.topic: how-to
 ms.custom: references_regions
-ms.date: 06/15/2024
+ms.date: 12/03/2024
 ---
 
 # Create an HDInsight cluster that uses Availability Zones
@@ -28,23 +28,38 @@ Prerequisites:
 
 HDInsight clusters can currently be created using availability zones in the following regions:
 
- - Australia East
- - Brazil South
- - Canada Central
- - Central US
- - East US
- - East US 2
- - France Central
- - Germany West Central
- - Japan East
- - Korea Central
- - North Europe
- - Southeast Asia
- - South Central US
- - UK South
- - US Gov Virginia
- - West Europe
- - West US 2
+ * Australia East
+* Brazil South
+* Canada Central
+* Central India
+* Central US
+* East Asia
+* East US
+* East US 2
+* France Central
+* Germany West Central
+* Israel Central
+* Italy North
+* Japan East
+* Korea Central
+* Mexico Central
+* New Zealand North
+* North Europe
+* Norway East
+* Poland Central
+* Qatar Central
+* South Africa North
+* South Central US
+* Southeast Asia
+* Spain Central
+* Sweden Central
+* Switzerland North
+* UAE North
+* UK South
+* US Gov Virginia
+* West Europe
+* West US 2
+* West US 3
 
 ## Overview of availability zones for HDInsight clusters
 
@@ -79,7 +94,7 @@ In the resources section, you need to add a section of ‘zones’ and provide w
 ## Verify nodes within one Availability Zone across zones
 When the HDInsight cluster is ready, you can check the location to see which availability zone they're deployed in.
 
-:::image type="content" source="./media/hdinsight-use-availability-zones/cluster-availability-zone-info.png" alt-text="Screenshot sthat hows availability zone info in cluster overview." border="true":::
+:::image type="content" source="./media/hdinsight-use-availability-zones/cluster-availability-zone-info.png" alt-text="Screenshot shows the availability zone info in cluster overview." border="true":::
 
 **Get API response**: