Merge pull request #99600 from MicrosoftDocs/master

12/20 PM Publish

Author: huypub

articles/active-directory/authentication/howto-registration-mfa-sspr-combined.md

@@ -36,7 +36,7 @@ Before enabling the new experience, review the article [Combined security inform
 Complete these steps to enable combined registration:
 
 1. Sign in to the Azure portal as a user administrator or global administrator.
-2. Go to **Azure Active Directory** > **User settings** > **Manage settings for access panel preview features**.
+2. Go to **Azure Active Directory** > **User settings** > **Manage user feature preview settings**.
 3. Under **Users can use preview features for registering and managing security info**, choose to enable for a **Selected** group of users or for **All** users.
 
    ![Enable the combined security info preview experience for All users](media/howto-registration-mfa-sspr-combined/enable-the-combined-security-info-preview.png)
@@ -63,7 +63,7 @@ The following policy applies to all selected users, who attempt to register usin
 
 ![Create a CA policy to control security info registration](media/howto-registration-mfa-sspr-combined/require-registration-from-trusted-location.png)
 
-1. In the **Azure portal**, browse to **Azure Active Directory** > **Conditional Access**
+1. In the **Azure portal**, browse to **Azure Active Directory** > **Security** > **Conditional Access**
 1. Select **New policy**
 1. In Name, Enter a Name for this policy. For example, **Combined Security Info Registration on Trusted Networks**
 1. Under **Assignments**, click **Users and groups**, and select the users and groups you want this policy to apply to

articles/active-directory/users-groups-roles/licensing-service-plan-reference.md

@@ -21,7 +21,6 @@ This article shows you how to use *Azure CNI* networking to create and use a vir
 ## Prerequisites
 
 * The virtual network for the AKS cluster must allow outbound internet connectivity.
-* Don't create more than one AKS cluster in the same subnet.
 * AKS clusters may not use `169.254.0.0/16`, `172.30.0.0/16`, `172.31.0.0/16`, or `192.0.2.0/24` for the Kubernetes service address range.
 * The service principal used by the AKS cluster must have at least [Network Contributor](../role-based-access-control/built-in-roles.md#network-contributor) permissions on the subnet within your virtual network. If you wish to define a [custom role](../role-based-access-control/custom-roles.md) instead of using the built-in Network Contributor role, the following permissions are required:
   * `Microsoft.Network/virtualNetworks/subnets/join/action`

articles/aks/configure-azure-cni.md

@@ -19,6 +19,15 @@ With [Azure Container Networking Interface (CNI)][cni-networking], every pod get
 
 This article shows you how to use *kubenet* networking to create and use a virtual network subnet for an AKS cluster. For more information on network options and considerations, see [Network concepts for Kubernetes and AKS][aks-network-concepts].
 
+## Prerequisites
+
+* The virtual network for the AKS cluster must allow outbound internet connectivity.
+* Don't create more than one AKS cluster in the same subnet.
+* AKS clusters may not use `169.254.0.0/16`, `172.30.0.0/16`, `172.31.0.0/16`, or `192.0.2.0/24` for the Kubernetes service address range.
+* The service principal used by the AKS cluster must have at least [Network Contributor](../role-based-access-control/built-in-roles.md#network-contributor) permissions on the subnet within your virtual network. If you wish to define a [custom role](../role-based-access-control/custom-roles.md) instead of using the built-in Network Contributor role, the following permissions are required:
+  * `Microsoft.Network/virtualNetworks/subnets/join/action`
+  * `Microsoft.Network/virtualNetworks/subnets/read`
+
 > [!WARNING]
 > To use Windows Server node pools (currently in preview in AKS), you must use Azure CNI. The use of kubenet as the network model is not available for Windows Server containers.
 

articles/aks/configure-kubenet.md

@@ -24,6 +24,8 @@ This article focuses on how to secure your AKS cluster. You learn how to:
 
 You can also read the best practices for [container image management][best-practices-container-image-management] and for [pod security][best-practices-pod-security].
 
+You can also use [Azure Kubernetes Services integration with Security Center][security-center-aks] to help detect threats and view recommendations for securing your AKS clusters.
+
 ## Secure access to the API server and cluster nodes
 
 **Best practice guidance** - Securing access to the Kubernetes API-Server is one of the most important things you can do to secure your cluster. Integrate Kubernetes role-based access control (RBAC) with Azure Active Directory to control access to the API server. These controls let you secure AKS the same way that you secure access to your Azure subscriptions.
@@ -231,3 +233,4 @@ This article focused on how to secure your AKS cluster. To implement some of the
 [best-practices-pod-security]: developer-best-practices-pod-security.md
 [pod-security-contexts]: developer-best-practices-pod-security.md#secure-pod-access-to-resources
 [aks-ssh]: ssh.md
+[security-center-aks]: /azure/security-center/azure-kubernetes-service-integration

articles/aks/operator-best-practices-cluster-security.md

@@ -22,6 +22,8 @@ This article focuses on how to secure your containers in AKS. You learn how to:
 
 You can also read the best practices for [cluster security][best-practices-cluster-security] and for [pod security][best-practices-pod-security].
 
+You can also use [Container security in Security Center][security-center-containers] to help scan your containers for vulnerabilities.  There is also [Azure Container Registry integration][security-center-acr] with Security Center to help protect your images and registry from vulnerabilities.
+
 ## Secure the images and run time
 
 **Best practice guidance** - Scan your container images for vulnerabilities, and only deploy images that have passed validation. Regularly update the base images and application runtime, then redeploy workloads in the AKS cluster.
@@ -57,3 +59,5 @@ This article focused on how to secure your containers. To implement some of thes
 [best-practices-cluster-security]: operator-best-practices-cluster-security.md
 [best-practices-pod-security]: developer-best-practices-pod-security.md
 [acr-base-image-update]: ../container-registry/container-registry-tutorial-base-image-update.md
+[security-center-containers]: /azure/security-center/container-security
+[security-center-acr]: /azure/security-center/azure-container-registry-integration

articles/aks/operator-best-practices-container-image-management.md

@@ -3,7 +3,7 @@ title: Best Practices for Azure Functions
 description: Learn best practices and patterns for Azure Functions.
 ms.assetid: 9058fb2f-8a93-4036-a921-97a0772f503c
 ms.topic: conceptual
-ms.date: 10/16/2017
+ms.date: 12/17/2019
 
 ms.custom: H1Hack27Feb2017
 
@@ -67,7 +67,7 @@ There are a number of factors that impact how instances of your function app sca
 
 ### Share and manage connections
 
-Reuse connections to external resources whenever possible.  See [how to manage connections in Azure Functions](./manage-connections.md).
+Reuse connections to external resources whenever possible. See [how to manage connections in Azure Functions](./manage-connections.md).
 
 ### Avoid sharing storage accounts
 
@@ -85,10 +85,18 @@ Don't use verbose logging in production code, which has a negative performance i
 
 ### Use async code but avoid blocking calls
 
-Asynchronous programming is a recommended best practice. However, always avoid referencing the `Result` property or calling `Wait` method on a `Task` instance. This approach can lead to thread exhaustion.
+Asynchronous programming is a recommended best practice, especially when blocking I/O operations are involved.
+
+In C#, always avoid referencing the `Result` property or calling `Wait` method on a `Task` instance. This approach can lead to thread exhaustion.
 
 [!INCLUDE [HTTP client best practices](../../includes/functions-http-client-best-practices.md)]
 
+### Use multiple worker processes
+
+By default, any host instance for Functions uses a single worker process. To improve performance, especially with single-threaded runtimes like Python, use the [FUNCTIONS_WORKER_PROCESS_COUNT](functions-app-settings.md#functions_worker_process_count) to increase the number of worker processes per host (up to 10). Azure Functions then tries to evenly distribute simultaneous function invocations across these workers. 
+
+The FUNCTIONS_WORKER_PROCESS_COUNT applies to each host that Functions creates when scaling out your application to meet demand. 
+
 ### Receive messages in batch whenever possible
 
 Some triggers like Event Hub enable receiving a batch of messages on a single invocation.  Batching messages has much better performance.  You can configure the max batch size in the `host.json` file as detailed in the [host.json reference documentation](functions-host-json.md)

articles/azure-functions/functions-best-practices.md

@@ -4,7 +4,7 @@ description: Understand how to develop functions by using JavaScript.
 
 ms.assetid: 45dedd78-3ff9-411f-bb4b-16d29a11384c
 ms.topic: reference
-ms.date: 02/24/2019
+ms.date: 12/17/2019
 
 ---
 # Azure Functions JavaScript developer guide
@@ -402,6 +402,16 @@ When you work with HTTP triggers, you can access the HTTP request and response o
     context.done(null, res);   
     ```  
 
+## Scaling and concurrency
+
+By default, Azure Functions automatically monitors the load on your application and creates additional host instances for Node.js as needed. Functions uses built-in (not user configurable) thresholds for different trigger types to decide when to add instances, such the age of messages and queue size for QueueTrigger. For more information, see [How the consumption and premium plans work](functions-scale.md#how-the-consumption-and-premium-plans-work).
+
+This scaling behavior is sufficient for many Node.js applications. For CPU-bound applications, you can improve performance further by using multiple language worker processes.
+
+By default, every Functions host instance has a single language worker process. You can increase the number of worker processes per host (up to 10) by using the [FUNCTIONS_WORKER_PROCESS_COUNT](functions-app-settings.md#functions_worker_process_count) application setting. Azure Functions then tries to evenly distribute simultaneous function invocations across these workers. 
+
+The FUNCTIONS_WORKER_PROCESS_COUNT applies to each host that Functions creates when scaling out your application to meet demand. 
+
 ## Node version
 
 The following table shows the Node.js version used by each major version of the Functions runtime:

articles/azure-functions/functions-reference-node.md

@@ -2,7 +2,7 @@
 title: Python developer reference for Azure Functions 
 description: Understand how to develop functions with Python
 ms.topic: article
-ms.date: 04/16/2018
+ms.date: 12/13/2019
 ---
 
 # Azure Functions Python developer guide
@@ -276,28 +276,30 @@ In this function, the value of the `name` query parameter is obtained from the `
 
 Likewise, you can set the `status_code` and `headers` for the response message in the returned [HttpResponse] object.
 
-## Concurrency
+## Scaling and concurrency
 
-By default, the Functions Python runtime can only process one invocation of a function at a time. This concurrency level might not be sufficient under one or more of the following conditions:
+By default, Azure Functions automatically monitors the load on your application and creates additional host instances for Python as needed. Functions uses built-in (not user configurable) thresholds for different trigger types to decide when to add instances, such the age of messages and queue size for QueueTrigger. For more information, see [How the consumption and premium plans work](functions-scale.md#how-the-consumption-and-premium-plans-work).
 
-+ You're trying to handle a number of invocations being made at the same time.
-+ You're processing a large number of I/O events.
-+ Your application is I/O bound.
+This scaling behavior is sufficient for many applications. Applications with any of the following characteristics, however, may not scale as effectively:
 
-In these situations, you can improve performance by running asynchronously and by using multiple language worker processes.  
+- The application needs to handle many concurrent invocations.
+- The application processes a large number of I/O events.
+- The application is I/O bound.
+
+In such cases, you can improve performance further by employing async patterns and by using multiple language worker processes.
 
 ### Async
 
-We recommend that you use the `async def` statement to make your function run as an asynchronous coroutine.
+Because Python is a single-threaded runtime, a host instance for Python can process only one function invocation at a time. For applications that process a large number of I/O events and/or is I/O bound, you can improve performance by running functions asynchronously.
 
-```python
-# Runs with asyncio directly
+To run a function asynchronously, use the `async def` statement, which runs the function with [asyncio](https://docs.python.org/3/library/asyncio.html) directly:
 
+```python
 async def main():
     await some_nonblocking_socket_io_op()
 ```
 
-When the `main()` function is synchronous (without the `async` qualifier), the function is automatically run in an `asyncio` thread-pool.
+A function without the `async` keyword is run automatically run in an asyncio thread-pool:
 
 ```python
 # Runs in an asyncio thread-pool
@@ -308,7 +310,9 @@ def main():
 
 ### Use multiple language worker processes
 
-By default, every Functions host instance has a single language worker process. However there's support to have multiple language worker processes per host instance. Function invocations can then be evenly distributed among these language worker processes. Use the [FUNCTIONS_WORKER_PROCESS_COUNT](functions-app-settings.md#functions_worker_process_count) application setting to change this value. 
+By default, every Functions host instance has a single language worker process. You can increase the number of worker processes per host (up to 10) by using the [FUNCTIONS_WORKER_PROCESS_COUNT](functions-app-settings.md#functions_worker_process_count) application setting. Azure Functions then tries to evenly distribute simultaneous function invocations across these workers. 
+
+The FUNCTIONS_WORKER_PROCESS_COUNT applies to each host that Functions creates when scaling out your application to meet demand. 
 
 ## Context
 

articles/azure-functions/functions-reference-python.md

@@ -160,6 +160,8 @@ Different triggers may also have different scaling limits as well as documented
 
 There are many aspects of a function app that will impact how well it will scale, including host configuration, runtime footprint, and resource efficiency.  For more information, see the [scalability section of the performance considerations article](functions-best-practices.md#scalability-best-practices). You should also be aware of how connections behave as your function app scales. For more information, see [How to manage connections in Azure Functions](manage-connections.md).
 
+For additional information on scaling in Python and Node.js, see [Azure Functions Python developer guide - Scaling and concurrency](functions-reference-python.md#scaling-and-concurrency) and [Azure Functions Node.js developer guide - Scaling and concurrency](functions-reference-node.md#scaling-and-concurrency).
+
 ### Billing model
 
 Billing for the different plans is described in detail on the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/). Usage is aggregated at the function app level and counts only the time that function code is executed. The following are units for billing: