Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into waf-agc

Author: halkazwini

.openpublishing.publish.config.json

@@ -70,7 +70,7 @@
         },
         {
             "path_to_root": "azure_cli_scripts",
-            "url": "https://github.com/Azure-Samples/azure-cli-samples",
+            "url": "https://github.com/ggailey777/azure-cli-samples",
             "branch": "master",
             "branch_mapping": {}
         },

.openpublishing.redirection.json

@@ -10,7 +10,7 @@ ms.custom:
   - devdivchpfy22
   - build-2025
 ms.topic: tutorial
-ms.date: 05/14/2025
+ms.date: 07/09/2025
 ms.author: danlep
 ---
 # Tutorial: Monitor published APIs

articles/api-management/api-management-howto-use-azure-monitor.md

@@ -7,7 +7,7 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 05/19/2025
+ms.date: 07/11/2025
 ms.author: danlep
 ms.custom:
   - build-2025
@@ -22,9 +22,9 @@ API Management now supports built-in OAuth 2.0 application-based access to produ
 > Applications are currently in limited preview. To sign up, fill [this form](https://aka.ms/apimappspreview).
 
 With this feature:
-
 * API managers set a product property to enable application-based access.
 * API managers register client applications in Microsoft Entra ID to limit access to specific products. 
+* Developers can access client application credentials using the API Management developer portal.
 * Using the OAuth 2.0 client credentials flow, developers or apps obtain tokens that they can include in API requests
 * Tokens presented in API requests are validated by the API Management gateway to authorize access to the product's APIs.
 
@@ -61,7 +61,8 @@ Follow these steps to enable **Application based access** for a product. A produ
 
 The following example uses the **Starter** product, but choose any published product that has at least one API assigned to it.
 
-1. Sign in to the [portal](https://portal.azure.com) and navigate to your API Management instance.
+1. Sign in to the portal at the following custom URL for the applications feature: [https://portal.azure.com/?feature.customPortal=false&Microsoft_Azure_ApiManagement=applications](https://portal.azure.com/?feature.customPortal=false&Microsoft_Azure_ApiManagement=applications)
+1. Navigate to your API Management instance.
 1. In the left menu, under **APIs**, select **Products**.
 1. Choose the product that you want to configure, such as the **Starter** product.
 1. In the left menu, under **Product**, select **Properties**.
@@ -103,10 +104,13 @@ To review application settings in **App registrations**:
 Now register a client application that limits access to one or more products. 
 
 * A product must have **Application based access** enabled to be associated with a client application. 
-* Each client application has a single user (owner) in the API Management instance. One the owner can access product APIs through the application.
+* Each client application has a single user (owner) in the API Management instance. Only the owner can access product APIs through the application.
 * A product can be associated with more than one client application.
 
-1. Sign in to the [portal](https://portal.azure.com) and navigate to your API Management instance.
+To register a client application:
+
+1. Sign in to the portal at the following custom URL for the applications feature: [https://portal.azure.com/?feature.customPortal=false&Microsoft_Azure_ApiManagement=applications](https://portal.azure.com/?feature.customPortal=false&Microsoft_Azure_ApiManagement=applications)
+1. Navigate to your API Management instance.
 1. In the left menu, under **APIs**, select **Applications** > **+ Register application**.
 1. In the **Register an application** page, enter the following application settings:
     * **Name**: Enter a name for the application. 
@@ -152,6 +156,16 @@ To review application settings in **App registrations**:
 
     :::image type="content" source="media/applications/client-api-permissions.png" alt-text="Screenshot of API permissions in the portal.":::  
 
+## Get application settings in developer portal
+
+Users can sign in to the developer portal to view the client applications that they own.
+
+1. Sign in to the developer portal (`https://<your-apim-instance-name>.developer.azure-api.net`) using a user account that was set as the owner of a client application.
+1. In the top navigation menu, select **Applications**.
+1. Applications that the user owns appear in the list. 
+1. Select an application to view its details, such as the **Client ID**, **Client secret**, and **Scope**. These values are needed to generate a token to call the product APIs.
+
+    :::image type="content" source="media/applications/applications-developer-portal.png" alt-text="Screenshot of client applications in the developer portal.":::
 
 ## Create token and use with API call
 
@@ -204,6 +218,16 @@ Write-Host "Response:"
 $getresponse | ConvertTo-Json -Depth 5
 ```
 
+## Troubleshooting
+
+### Internal server error when registering applications in the portal
+
+If you're unable to list applications, or you receive an internal server error when registering applications in the portal, check the following:    
+
+* The **Application Administrator** role is assigned to the API Management instance's managed identity in Microsoft Entra ID. 
+* You're signed in to the portal at the following custom URL for the applications feature: [https://portal.azure.com/?feature.customPortal=false&Microsoft_Azure_ApiManagement=applications](https://portal.azure.com/?feature.customPortal=false&Microsoft_Azure_ApiManagement=applications). This URL is required to access the applications feature in API Management.
+
+
 ## Related content
 
 * [Create and publish a product](api-management-howto-add-products.md)

articles/api-management/applications.md

@@ -54,6 +54,8 @@ If you want to enable *public* inbound access to an API Management instance in t
 * Minimum: /27 (32 addresses)
 * Recommended: /24 (256 addresses) - to accommodate scaling of API Management instance
 
+### Network security group
+
 [!INCLUDE [api-management-virtual-network-v2-nsg-rules](../../includes/api-management-virtual-network-v2-nsg-rules.md)]
 
 ### Subnet delegation

articles/api-management/inject-vnet-v2.md

@@ -46,8 +46,14 @@ If you want to inject a Premium v2 (preview) API Management instance into a virt
 * Minimum: /27 (32 addresses)
 * Recommended: /24 (256 addresses) - to accommodate scaling of API Management instance
 
+### Network security group
+
 [!INCLUDE [api-management-virtual-network-v2-nsg-rules](../../includes/api-management-virtual-network-v2-nsg-rules.md)]
 
+> [!IMPORTANT]
+> * Inbound NSG rules do not apply when a v2 tier instance is integrated in a virtual network for private outbound access. To enforce inbound NSG rules, use virtual network injection instead of integration.
+> * This differs from networking in the classic Premium tier, where inbound NSG rules are enforced in both external and internal virtual network injection modes. [Learn more](virtual-network-injection-resources.md)
+
 ### Subnet delegation
 
 The subnet needs to be delegated to the **Microsoft.Web/serverFarms** service.

articles/api-management/integrate-vnet-outbound.md

@@ -1,7 +1,7 @@
 ---
 title: Monitor Azure API Management
 description: Learn how to monitor Azure API Management using Azure Monitor, including data collection, analysis, and alerting.
-ms.date: 05/14/2025
+ms.date: 07/09/2025
 ms.custom:
   - horz-monitor
   - build-2025
@@ -49,27 +49,31 @@ Azure API Management provides analytics for your APIs so that you can analyze th
 
 With API analytics, analyze the usage and performance of the APIs in your API Management instance across several dimensions, including:
 
-- Time
+- Timeline
 - Geography
 - APIs
 - API operations
 - Products
 - Subscriptions
 - Users
 - Requests
+- Language models (for large language model APIs)
 
 API analytics provides data on requests, including failed and unauthorized requests. Geography values are based on IP address mapping. There can be a delay in the availability of analytics data.
 
 #### Azure Monitor-based dashboard
 
 To use the Azure Monitor-based dashboard, you need a Log Analytics workspace as a data source for API Management gateway logs.
 
-If you need to configure one, the following are brief steps to send gateway logs to a Log Analytics workspace. For more information, see [Tutorial: Monitor published APIs](api-management-howto-use-azure-monitor.md#resource-logs). This procedure is a one-time setup.
+If you need to configure one, the following are brief steps to send gateway logs to a Log Analytics workspace. For more information, see [Enable diagnostic setting for Azure Monitor logs](#enable-diagnostic-setting-for-azure-monitor-logs), later in this article. This procedure is a one-time setup.
 
 1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.
 1. In the left-hand menu, under **Monitoring**, select **Diagnostic settings** > **+ Add diagnostic setting**.
 1. Enter a descriptive name for the diagnostic setting.
 1. In **Logs**, select **Logs related to ApiManagement Gateway**.
+    > [!TIP]
+    > To collect logs for large language model (LLM) APIs for display on the Azure Monitor-based dashboard, also select **Logs related to generative AI gateway**.
+
 1. In **Destination details**, select **Send to Log Analytics** and select a Log Analytics workspace in the same or a different subscription. If you need to create a workspace, see [Create a Log Analytics workspace](/azure/azure-monitor/logs/quick-create-workspace).
 1. Make sure **Resource specific** is selected as the destination table.
 1. Select **Save**.
@@ -111,7 +115,7 @@ This section shows you how to enable Azure Monitor logs for auditing and trouble
 |API Management gateway     |  Requests processed by the API Management gateway, including HTTP methods, protocols, request and response bodies, headers, timings, error details, and cache involvement.       | Adjust settings for all APIs, or override them for individual APIs.<br/><br/>In API Management instances configured with [workspaces](workspaces-overview.md), gateway logs can be collected individually for each workspace and aggregated for centralized access by the platform team.  |
 |WebSocket connections     | Events for [WebSocket API](websocket-api.md) connections, starting from the handshake until the connection is terminated.       |
 |Developer portal usage     |  Requests that are received and processed by the API Management [developer portal](developer-portal-overview.md), including user authentication actions, views of API details, and API testing in the interactive test console.|
-| Generative AI gateway | Requests processed by the API Management gateway for large language model (LLM) REST APIs such as Azure OpenAI APIs, including token usage, models, and optionally details of request prompts and response completions. | Enable logging of request messages and/or response messages for specific LLM APIs.
+| Generative AI gateway | Requests processed by the API Management gateway for large language model (LLM) REST APIs such as Azure AI Foundry APIs, including token usage, models, and optionally details of request prompts and response completions. | Enable logging of request messages and/or response messages for specific LLM APIs.
 
 For more information, see [API Management monitoring data reference](monitor-api-management-reference.md).
 

articles/api-management/media/applications/applications-developer-portal.png

@@ -5,7 +5,7 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: concept-article
-ms.date: 06/18/2025
+ms.date: 07/08/2025
 ms.author: danlep
 ---
 
@@ -45,7 +45,6 @@ For information about configuring subnet delegation, see [Add or remove a subnet
 
 #### [Virtual network integration](#tab/external)
 
-
 For virtual network integration, the subnet needs to be delegated to the **Microsoft.Web/serverFarms** service.
 
 :::image type="content" source="media/virtual-network-injection-workspaces-resources/delegate-external.png" alt-text="Screenshot showing subnet delegation to Microsoft.Web/serverFarms in the portal.":::
@@ -65,21 +64,20 @@ For virtual network injection, the subnet needs to be delegated to the **Microso
 
 ---
 
+## Network security group
 
-## Network security group (NSG) rules
+#### [Virtual network integration](#tab/external)
 
-A network security group (NSG) must be attached to the subnet to explicitly allow certain inbound or outbound connectivity. Configure the following rules in the NSG. Set the priority of these rules higher than that of the default rules.
+[!INCLUDE [api-management-virtual-network-v2-nsg-rules](../../includes/api-management-virtual-network-v2-nsg-rules.md)]
 
-Configure other NSG rules to meet your organization's network access requirements.
 
-#### [Virtual network integration](#tab/external)
+#### [Virtual network injection](#tab/internal)
 
-| Direction | Source  | Source port ranges | Destination | Destination port ranges | Protocol |  Action | Purpose | 
-|-------|--------------|----------|---------|------------|-----------|-----|--------|
-| Inbound | AzureLoadBalancer | * | Workspace gateway subnet range  | 80 | TCP | Allow | Allow internal health ping traffic |
-| Inbound | Internet | * | Workspace gateway subnet range  | 80,443 | TCP | Allow | Allow inbound traffic |
+A network security group (NSG) must be associated with the subnet. To set up a network security group, see [Create a network security group](../virtual-network/manage-network-security-group.md). 
 
-#### [Virtual network injection](#tab/internal)
+* Configure the following rules in the NSG. Set the priority of these rules higher than that of the default rules.
+* Configure other outbound rules you need for the gateway to reach your API backends. 
+* Configure other NSG rules to meet your organization’s network access requirements. For example, NSG rules can also be used to block outbound traffic to the internet and allow access only to resources in your virtual network. 
 
 | Direction | Source  | Source port ranges | Destination | Destination port ranges | Protocol |  Action | Purpose | 
 |-------|--------------|----------|---------|------------|-----------|-----|--------|
@@ -89,6 +87,10 @@ Configure other NSG rules to meet your organization's network access requirement
 
 ---
 
+> [!IMPORTANT]
+> * Inbound NSG rules do not apply when you integrate a workspace gateway in a virtual network for private outbound access. To enforce inbound NSG rules, use virtual network injection instead of integration.
+> * This differs from networking in the classic Premium tier, where inbound NSG rules are enforced in both external and internal virtual network injection modes. [Learn more](virtual-network-injection-resources.md)
+
 ## DNS settings for virtual network injection
 
 For virtual network injection, you have to manage your own DNS to enable inbound access to your workspace gateway.