Merge pull request #296356 from MicrosoftDocs/main

OOB Publish 3/14 - ASAP

Author: Albertyang0

.openpublishing.redirection.json

@@ -6289,6 +6289,11 @@
       "redirect_url": "/azure/virtual-network/vnet-integration-for-azure-services",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/cyclecloud/how-to/ccws/cleanup-roles.md",
+      "redirect_url": "/azure/cyclecloud/how-to/ccws/deploy-with-cli",
+      "redirect_document_id": false      
+    },
     {
       "source_path": "articles/cloud-services/applications-dont-support-tls-1-2.md",
       "redirect_url": "/previous-versions/azure/cloud-services/applications-dont-support-tls-1-2",

articles/app-service/overview-vnet-integration.md

@@ -3,7 +3,7 @@ title: Integrate your app with an Azure virtual network
 description: Integrate your app in Azure App Service with Azure virtual networks.
 author: madsd
 ms.topic: conceptual
-ms.date: 04/05/2024
+ms.date: 03/14/2025
 ms.author: madsd
 ms.custom: UpdateFrequency3
 
@@ -20,15 +20,15 @@ This article describes the Azure App Service virtual network integration feature
 App Service has two variations:
 
 * The dedicated compute pricing tiers, which include the Basic, Standard, Premium, Premium v2, and Premium v3.
-* The App Service Environment, which deploys directly into your virtual network with dedicated supporting infrastructure and is using the Isolated and Isolated v2 pricing tiers.
+* The App Service Environment, which deploys directly into your virtual network with dedicated supporting infrastructure and is using the Isolated v2 pricing tiers.
 
 The virtual network integration feature is used in Azure App Service dedicated compute pricing tiers. If your app is in an [App Service Environment](./environment/overview.md), it already integrates with a virtual network and doesn't require you to configure virtual network integration feature to reach resources in the same virtual network. For more information on all the networking features, see [App Service networking features](./networking-features.md).
 
 Virtual network integration gives your app access to resources in your virtual network, but it doesn't grant inbound private access to your app from the virtual network. Private site access refers to making an app accessible only from a private network, such as from within an Azure virtual network. Virtual network integration is used only to make outbound calls from your app into your virtual network. Refer to [private endpoint](./networking/private-endpoint.md) for inbound private access.
 
 The virtual network integration feature:
 
-* Requires a [supported Basic or Standard](./overview-vnet-integration.md#limitations), Premium, Premium v2, Premium v3, or Elastic Premium App Service pricing tier.
+* Requires a Basic, Standard, Premium, Premium v2, Premium v3, or Elastic Premium App Service pricing tier.
 * Supports TCP and UDP.
 * Works with App Service apps, function apps, and Logic apps.
 
@@ -211,9 +211,6 @@ After your app integrates with your virtual network, it uses the same DNS server
 
 There are some limitations with using virtual network integration:
 
-* The feature is available from all App Service deployments in Premium v2 and Premium v3. It's also available in Basic and Standard tier but only from newer App Service deployments. If you're on an older deployment, you can only use the feature from a Premium v2 App Service plan. If you want to make sure you can use the feature in a Basic or Standard App Service plan, create your app in a Premium v3 App Service plan. Those plans are only supported on our newest deployments. You can scale down if you want after the plan is created.
-* The feature isn't available for Isolated plan apps in an App Service Environment.
-* You can't reach resources across peering connections with classic virtual networks.
 * The feature requires an unused subnet that's an IPv4 `/28` block or larger in an Azure Resource Manager virtual network. MPSJ requires a `/26` block or larger.
 * The app and the virtual network must be in the same region.
 * The integration virtual network can't have IPv6 address spaces defined.

articles/bastion/whats-new.md

@@ -27,7 +27,7 @@ You can also find the latest Bastion updates and subscribe to the RSS feed [here
 | SKU | [Bastion Premium SKU](bastion-overview.md#sku)| Bastion Premium SKU is now generally available in all regions that Bastion is available in. | June 2024 | N/A|
 | Feature | [Microsoft Entra ID support for portal (SSH)](bastion-connect-vm-ssh-linux.md#microsoft-entra-id-authentication)  |Microsoft Entra ID support for SSH connections in portal is now GA. | November 2024 | N/A|
 |Feature  |  [Availability Zones for Bastion](../reliability/reliability-bastion.md?toc=/azure/bastion/TOC.json) |Availability Zones is now in public preview as a customer-enabled feature in select regions. | May 2024 | See available region list [here](../reliability/reliability-bastion.md?toc=%2Fazure%2Fbastion%2FTOC.json#regions-supported).
-|SKU  |  [Bastion Developer SKU](quickstart-developer-sku.md) | Bastion Developer SKU is now in GA for select regions. | May 2024 | See available region list [here](quickstart-developer-sku.md#developer).
+|Platform Capability|  [Bastion Developer](quickstart-developer-sku.md) | Bastion Developer is now in GA for select regions. | May 2024 | See available region list [here](quickstart-developer-sku.md#developer).
 
 
 ## Next steps

articles/cost-management-billing/savings-plan/scope-savings-plan.md

@@ -21,11 +21,10 @@ You have the following options to scope a savings plan, depending on your needs:
 
 - **Resource group scope** - Applies benefits to eligible resources in the selected resource group.
 - **Subscription scope** - Applies benefits to eligible resources in the selected subscription.
-- **Management group** - Applies benefits to eligible resources from all subscriptions in both the management group and billing scope.
-- **Shared scope** - Applies benefits to eligible resources within subscriptions that are in the EA enrollment or MCA billing profile.
-  - If a subscription is moved to different enrollment/billing profile, benefits will no longer be applied to the subscription.
-  - For EA customers, shared scope can include multiple Microsoft Entra tenants in the enrollment.
-  - For Microsoft Customer Agreement customers, the billing scope is the billing profile. The shared scope can include multiple Microsoft Entra tenants in a billing profile.
+- **Management group** - Applies benefits to eligible resources from all subscriptions that are in both:
+  - the management group
+  - the same Enrollment/Billing Profile as the subscription used to purchase the benefit
+- **Shared scope** - Applies benefits to eligible resources within subscriptions that are in the EA Enrollment or MCA Billing Profile. The shared scope benefits applied to all Microsoft Entra tenants in the Enrollment/Billing Profile.
 
 ## Scope processing order
 While applying savings plan benefits to your usage, Azure processes savings plans in the following order:

articles/cyclecloud/how-to/ccws/cleanup-roles.md

@@ -2,46 +2,59 @@
 title: Plan your CycleCloud Workspace for Slurm Deployment
 description: A checklist to help plan for your CycleCloud Workspace for Slurm deployment
 author: xpillons
-ms.date: 08/22/2024
-ms.author: xpillons
+ms.date: 03/05/2025
+ms.author: padmalathas
 ---
 
 # Plan your CycleCloud Workspace for Slurm Deployment
-You can deploy either a greenfield environment in which all resources needed for Azure CycleCloud Workspace for Slurm will be provisioned for you or a brownfield deployment for which you will provide existing resources.
+
+You have two deployment options for Azure CycleCloud Workspace for Slurm:
+- Greenfield environment: In this option, all the resources needed are provisioned for you.
+- Brownfield deployment: In this option, you provide the existing resources.
 
 When doing a deployment, the Azure user account used need to be granted the following roles:
 - `Contributor` on the Subscription
 - `User Access Administrator` on the Subscription
 
+> Note: It is recommended to pre-deploy a [Hub VNet](/azure/architecture/networking/architecture/hub-spoke) to connect to your enterprise network if one is not already established. This hub can accommodate a [VPN Gateway](/azure/vpn-gateway/tutorial-create-gateway-portal) and an Azure Bastion. The CycleCloud Workspace for Slurm environment will be a spoke and peered during deployment.
+
 ## Greenfield Deployment
 
-In a greenfield deployment, the following resources and role assignments will be created:
-- Resource Group
-- The Virtual Network, its subnets `ccw-cyclecloud-subnet`, and `ccw-compute-subnet`
-- The Virtual Machine `ccw-cyclecloud-vm`, NIC, OS, Data Disks, and a System Managed Identity
-- A uniquely named storage account for CycleCloud projects
-- Network Security Group named `nsg-ccw-common`
-- `Contributor`, `Storage Account Contributor`, and `Storage Blob Data Contributor` roles at the subscription level for the CycleCloud VM System Managed Identity
-- Optionally a Bastion, subnet `AzureBastionSubnet`, and public IP `bastion-pip`
-- Optionally a NAT gateway named `ccw-nat-gateway` and public IP `pip-ccw-nat-gateway`
-- Optionally an Azure NetApp Files account, pool, and volume with subnet `hpc-anf-subnet`
-- Optionally an Azure Managed Lustre Filesystem with subnet `ccw-lustre-subnet`
-- Optionally a VNET Peering
-- Optionally a Private Endpoint to an existing Azure Database for MySQL flexible server instance
+In a greenfield deployment, the following resources and role assignments are created:
+- A Resource Group.
+- The Virtual Network, its subnets `ccw-cyclecloud-subnet`, and `ccw-compute-subnet`.
+- The Virtual Machine (VM) `ccw-cyclecloud-vm`, NIC, OS, Data Disks, and a System Managed Identity.
+- A User-Assigned Managed Identity used to access the CycleCloud storage account.
+- A uniquely named storage account for CycleCloud projects and a Private Endpoint in the `ccw-cyclecloud-subnet`.
+- Network Security Group (NSG) named `nsg-ccw-common`.
+- `Contributor`, `Storage Account Contributor`, and `Storage Blob Data Contributor` roles at the subscription level for the CycleCloud VM System Managed Identity.
+- Optionally a Bastion, subnet `AzureBastionSubnet`, and public IP `bastion-pip`.
+- Optionally a NAT gateway named `ccw-nat-gateway` and public IP `pip-ccw-nat-gateway`.
+- Optionally an Azure NetApp Files account, pool, and volume with subnet `hpc-anf-subnet`.
+- Optionally an Azure Managed Lustre Filesystem with subnet `ccw-lustre-subnet`.
+- Optionally a VNET Peering.
+- Optionally a Private Endpoint to an existing Azure Database for MySQL flexible server instance.
 
 ## Brownfield Deployment
-You will be able to provide existing resources for:
-- The VNET and subnets in which the environment will be deployed
-- Filesystem Storage for the users's home directories and/or additional filers, as external NFS mount points or Azure Managed Lustre Filesystem
-- an Azure Database for MySQL flexible server instance for Slurm Job Accounting
-
-If you bring your own VNET you have to follow these pre-requisistes:
-- a /29 **cyclecloud** subnet for the CycleCloud VM, with `Microsoft.Storage` Service Endpoint assigned,
-- a **compute** subnet for the nodes, with `Microsoft.Storage` Service Endpoint assigned. This is where the scheduler, login, and compute nodes will be created
-- when using Azure NetApp Files, a dedicated **netapp** subnet with the `Microsoft.NetApp/volumes` delegation as documented here [Azure NetApp Files](/azure/azure-netapp-files/azure-netapp-files-introduction).
-- when using Azure Managed Lustre Filesystem, a dedicated **lustre** subnet with a CIDR based on the storage capacity to provision as documented here [Azure Managed Lustre](/azure/azure-managed-lustre/amlfs-overview)
-- if deploying a Bastion, a dedicated **BastionSubnet** as documented [here](/azure/bastion/configuration-settings#subnet)
+
+In a brownfield deployment, you can provide existing resources for:
+- The VNET and subnets in which the environment is deployed.
+- Filesystem Storage for the user's home directories and/or other filers, as external NFS mount points or Azure Managed Lustre Filesystem (AMLS).
+- An Azure Database for MySQL flexible server instance for Slurm Job Accounting.
+
+If you're bringing your own VNET, follow these prerequisites:
+- A /29 **cyclecloud** subnet for the CycleCloud VM.
+- A **compute** subnet for the nodes, where the scheduler, login, and compute nodes are created.
+- When using Azure NetApp Files, a dedicated **netapp** subnet with the `Microsoft.NetApp/volumes` delegation as documented here [Azure NetApp Files](/azure/azure-netapp-files/azure-netapp-files-introduction).
+- When using Azure Managed Lustre Filesystem, a dedicated **lustre** subnet with a CIDR based on the storage capacity to provision as documented here [Azure Managed Lustre](/azure/azure-managed-lustre/amlfs-overview).
+- If deploying a Bastion, a dedicated **BastionSubnet** as documented [here](/azure/bastion/configuration-settings#subnet).
 - Your NSGs should allow communications between subnets as defined in the [bicep/network-new.bicep](https://github.com/Azure/cyclecloud-slurm-workspace/blob/main/bicep/network-new.bicep) file.
 
 ## Quotas
-Before deploying, ensure that your subscription has the required quota for the Virtual Machine types desired for CycleCloud nodes.
+
+Before deploying, ensure that your subscription has the required quota for the VM types desired for the CycleCloud nodes.
+
+## Resources
+
+* [How to create and manage a VPN gateway using the Azure portal](/azure/vpn-gateway/tutorial-create-gateway-portal)
+* [Configure P2S VPN Gateway for Microsoft Entra ID authentication – Microsoft-registered app](/azure/vpn-gateway/point-to-site-entra-gateway)