Merge branch 'main' into release-ga-lbcd

Author: v-alje

articles/active-directory-b2c/policy-keys-overview.md

@@ -75,7 +75,7 @@ If an Azure AD B2C keyset has multiple keys, only one of the keys is active at a
   - When the current date and time is greater than a key's activation date, Azure AD B2C activates the key and stop using the prior active key.
 - When the current key's expiration time has elapsed and the key container contains a new key with valid *nbf (not before)* and *exp (expiration)* times, the new key becomes active automatically. New tokens are signed with the newly active key. It's possible to keep an expired key published for token validation until disabled by an admin, but this must be requested by [filing a support request](/azure/active-directory-b2c/find-help-open-support-ticket).
 
-- When the current key's expiration time has elapsed and the key container *doesn't* contain a new key with valid *not before* and *expiration* times, Azure AD B2C won't be able to use the expired key. Azure AD B2C raises an error message within a dependant component of your custom policy. To avoid this issue, you can create a default key without activation and expiration dates as a safety net.
+- When the current key's expiration time has elapsed and the key container *doesn't* contain a new key with valid *not before* and *expiration* times, Azure AD B2C won't be able to use the expired key. Azure AD B2C raises an error message within a dependent component of your custom policy. To avoid this issue, you can create a default key without activation and expiration dates as a safety net.
 - The key's endpoint (JWKS URI) of the OpenId Connect well-known configuration endpoint reflects the keys configured in the Key Container, when the Key is referenced in the [JwtIssuer Technical Profile](./jwt-issuer-technical-profile.md). An application using an OIDC library will automatically fetch this metadata to ensure it uses the correct keys to validate tokens. For more information, learn how to use [Microsoft Authentication Library](../active-directory/develop/msal-b2c-overview.md), which always fetches the latest token signing keys automatically.
 
 :::image type="content" source="media/policy-keys-overview/key-rollover.png" alt-text="A diagram describing the process for key rollover in Azure AD B2C." lightbox="media/policy-keys-overview/key-rollover.png":::

articles/api-management/TOC.yml

@@ -204,24 +204,6 @@
         href: sap-api.md
     - name: Import gRPC API
       href: grpc-api.md
-    - name: Azure OpenAI and LLM APIs
-      items:
-      - name: AI gateway capabilities in API Management
-        href: genai-gateway-capabilities.md
-      - name: Import Azure AI Foundry API
-        href: azure-ai-foundry-api.md
-      - name: Import Azure OpenAI API
-        href: azure-openai-api-from-specification.md
-      - name: Import OpenAI-compatible LLM API
-        href: openai-compatible-llm-api.md
-      - name: Authenticate and authorize to Azure OpenAI
-        href: api-management-authenticate-authorize-azure-openai.md
-      - name: Expose REST API as MCP server
-        href: export-rest-mcp-server.md
-      - name: Semantic caching for Azure OpenAI API requests
-        href: azure-openai-enable-semantic-caching.md
-      - name: Protect Azure OpenAI keys
-        href: /semantic-kernel/deploy/use-ai-apis-with-api-management?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json
     - name: Configure API for SSE
       href: how-to-server-sent-events.md
     - name: API import restrictions
@@ -250,6 +232,24 @@
       href: api-management-howto-cache.md
     - name: Custom caching
       href: api-management-sample-cache-by-key.md
+- name: API management for AI
+  items:
+  - name: AI gateway capabilities in API Management
+    href: genai-gateway-capabilities.md
+  - name: Import Azure AI Foundry API
+    href: azure-ai-foundry-api.md
+  - name: Import Azure OpenAI API
+    href: azure-openai-api-from-specification.md
+  - name: Import OpenAI-compatible LLM API
+    href: openai-compatible-llm-api.md
+  - name: Authenticate and authorize to Azure OpenAI
+    href: api-management-authenticate-authorize-azure-openai.md
+  - name: Expose REST API as MCP server
+    href: export-rest-mcp-server.md
+  - name: Semantic caching for Azure OpenAI API requests
+    href: azure-openai-enable-semantic-caching.md
+  - name: Protect Azure OpenAI keys
+    href: /semantic-kernel/deploy/use-ai-apis-with-api-management?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json
 - name: Manage APIs with policies
   items:
   - name: API Management policies overview

articles/api-management/api-management-howto-autoscale.md

@@ -6,7 +6,7 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 02/06/2024
+ms.date: 06/03/2025
 ms.author: danlep
 ms.custom: engagement-fy23
 ---
@@ -22,7 +22,6 @@ The article walks through the process of configuring autoscale and suggests opti
 > [!NOTE]
 > * In service tiers that support multiple scale units, you can also [manually scale](upgrade-and-scale.md) your API Management instance.
 > * An API Management service in the **Consumption** tier scales automatically based on the traffic - without any additional configuration needed.
-> * Currently, autoscale is not supported for the [workspace gateway](workspaces-overview.md#workspace-gateway) in API Management workspaces.
 
 [!INCLUDE [api-management-service-update-behavior](../../includes/api-management-service-update-behavior.md)]
 
@@ -41,15 +40,15 @@ Certain limitations and consequences of scaling decisions need to be considered
 
 + The [pricing tier](api-management-features.md) of your API Management instance determines the [maximum number of units](upgrade-and-scale.md#upgrade-and-scale) you may scale to. For example, the **Standard tier** can be scaled to 4 units. You can add any number of units to the **Premium** tier.
 + If the service is locked by another operation, the scaling request will fail and retry automatically.
-+ If your service instance is deployed in multiple regions (locations), only units in the **Primary location** can be autoscaled with Azure Monitor autoscale. Units in other locations can only be scaled manually.
-+ If your service instance is configured with [availability zones](zone-redundancy.md) in the **Primary location**, be aware of the number of zones when configuring autoscaling. The number of API Management units in autoscale rules and limits must be a multiple of the number of zones. 
++ If your service instance is deployed in multiple regions (locations), only units in the **Primary location** can be autoscaled with Azure Monitor autoscale. Units in other locations can be scaled manually or using custom scaling tools.
++ If your service instance is configured with [availability zones](zone-redundancy.md) in the **Primary location**, we recommend leaving the default **Automatic** setting for availability zones. If you select specific zones, the number of API Management units in autoscale rules and limits must be a multiple of the number of zones configured. 
 
 ## Enable and configure autoscale for an API Management instance
 
 Follow these steps to configure autoscale for an Azure API Management service:
 
 1. Sign in to the [Azure portal](https://portal.azure.com), and navigate to your API Management instance.
-1. In the left menu, select **Scale out (auto-scale)**, and then select **Custom autoscale**.
+1. In the left menu, select **Deployment + infrastructure** > **Scale out (auto-scale)**, and then select **Custom autoscale**.
 
     :::image type="content" source="media/api-management-howto-autoscale/01.png" alt-text="Screenshot of scale-out options in the portal.":::
 

articles/api-management/how-to-create-workspace.md

@@ -5,7 +5,7 @@ author: dlepow
 ms.topic: how-to
 ms.service: azure-api-management
 ms.author: danlep
-ms.date: 05/14/2025
+ms.date: 06/03/2025
 ms.custom:
   - build-2025
 ---
@@ -56,7 +56,7 @@ Follow the steps in this article to:
           > [!IMPORTANT]
           > Plan your workspace's network configuration carefully. You can't change the network configuration after you create the workspace.
     
-        * If you select a network configuration that includes private inbound or private outbound network access, select a **Virtual network** and **Subnet** to isolate the workspace gateway, or create a new one. For network requirements, see [Network resource requirements for workspace gateways](virtual-network-workspaces-resources.md).
+        * If you select either **Inbound public access, outbound private access** (virtual network integration) or **Inbound private access, outbound private access** (virtual network injection), select a **Virtual network** and **Subnet** to isolate the workspace gateway, or create a new one. For network requirements, see [Network resource requirements for workspace gateways](virtual-network-workspaces-resources.md).
 
 1. Select **Next**. After validation completes, select **Create**.
 

articles/api-management/index.yml

@@ -104,12 +104,14 @@ landingContent:
     linkLists:
       -  linkListType: how-to-guide
          links:
-          - text: Import API from Azure OpenAI service
+          - text: Import Azure AI Foundry API
+            url: azure-ai-foundry-api.md
+          - text: Import Azure OpenAI API
             url: azure-openai-api-from-specification.md
-          - text: Enable semantic caching for Azure OpenAI APIs
-            url: azure-openai-enable-semantic-caching.md   
-          - text: Authenticate and authorize to Azure OpenAI APIs
-            url: api-management-authenticate-authorize-azure-openai.md
+          - text: Import OpenAI-compatible LLM API
+            url: openai-compatible-llm-api.md
+          - text: Expose REST API as MCP server
+            url: export-rest-mcp-server.md
       - linkListType: concept
         links:
           - text: Premium v2 tier (preview)

articles/api-management/media/how-to-create-workspace/create-workspace-gateway.png

@@ -6,7 +6,7 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 07/02/2024
+ms.date: 06/03/2025
 ms.author: danlep
 ms.custom:
   - engagement-fy23
@@ -20,7 +20,7 @@ ms.custom:
 Customers can scale an Azure API Management instance in a dedicated service tier by adding and removing units. A **unit** is composed of dedicated Azure resources and has a certain load-bearing capacity expressed as a number of API calls per second. This number doesn't represent a call limit, but rather an estimated maximum throughput value to allow for rough capacity planning. Actual throughput and latency vary broadly depending on factors such as number and rate of concurrent connections, the kind and number of configured policies, request and response sizes, and backend latency.
 
 > [!NOTE]
-> * In the **Basic**, **Standard**, and **Premium** tiers of the API Management service, you can configure an instance to [scale automatically](api-management-howto-autoscale.md) based on a set of rules.
+> * In the **Basic**, **Standard**, and **Premium** tiers of the API Management service, and in [workspace gateways](workspaces-overview.md#workspace-gateway), you can configure an instance to [scale automatically](api-management-howto-autoscale.md) based on a set of rules.
 > * API Management instances in the **Consumption** tier scale automatically based on the traffic. Currently, you cannot upgrade from or downgrade to the Consumption tier.
 
 The throughput and price of each unit depend on the [service tier](api-management-features.md) in which the unit exists. If you need to increase capacity for a service within a tier, you should add a unit. If the tier that is currently selected in your API Management instance doesn't allow adding more units, you need to upgrade to a higher-level tier.

articles/api-management/upgrade-and-scale.md

@@ -1,35 +1,34 @@
 ---
 title: Azure API Management workspace gateways - VNet integration - network resources
-description: Learn about requirements for network resources when you integrate your API Management workspace gateway in an Azure virtual network.
+description: Learn about requirements for network resources when you integrate or inject your API Management workspace gateway in an Azure virtual network.
 author: dlepow
 
 ms.service: azure-api-management
 ms.topic: concept-article
-ms.date: 07/15/2024
+ms.date: 06/03/2025
 ms.author: danlep
 ---
 
-# Network resource requirements for integration of a workspace gateway into a virtual network
+# Network resource requirements to integrate or inject a workspace gateway into a virtual network
 
 [!INCLUDE [api-management-availability-premium](../../includes/api-management-availability-premium.md)]
 
-Network isolation is an optional feature of an API Management [workspace gateway](workspaces-overview.md#workspace-gateway). This article provides network resource requirements when you integrate your gateway in an Azure virtual network. Some requirements differ depending on the desired inbound and outbound access mode. The following modes are supported:
+Network isolation is an optional feature of an API Management [workspace gateway](workspaces-overview.md#workspace-gateway). This article provides network resource requirements when you integrate or inject your gateway in an Azure virtual network. Some requirements differ depending on the desired inbound and outbound access mode. The following modes are supported:
 
-* Public inbound access, private outbound access (Public/Private)
-* Private inbound access, private outbound access (Private/Private)
+* **Virtual network integration**: public inbound access, private outbound access 
+* **Virtual network injection**: private inbound access, private outbound access
 
-For information about networking options in API Management, see [Use a virtual network to secure inbound or outbound traffic for Azure API Management](virtual-network-concepts.md).
+For background about networking options in API Management, see [Use a virtual network to secure inbound or outbound traffic for Azure API Management](virtual-network-concepts.md).
 
 [!INCLUDE [api-management-virtual-network-workspaces-alert](../../includes/api-management-virtual-network-workspaces-alert.md)]
 
-
 ## Network location
 
-* The virtual network must be in the same region and Azure subscription as the API Management instance.
+The virtual network must be in the same region and Azure subscription as the API Management instance.
 
 ### Dedicated subnet
 
-* The subnet used for virtual network integration can only be used by a single workspace gateway. It can't be shared with another Azure resource.
+* The subnet used for virtual network integration or injection can only be used by a single workspace gateway. It can't be shared with another Azure resource.
 
 ## Subnet size 
 
@@ -42,19 +41,19 @@ The subnet must be delegated as follows to enable the desired inbound and outbou
 
 For information about configuring subnet delegation, see [Add or remove a subnet delegation](../virtual-network/manage-subnet-delegation.md).
 
-#### [Public/Private](#tab/external)
+#### [Virtual network integration](#tab/external)
 
 
-For Public/Private mode, the subnet needs to be delegated to the **Microsoft.Web/serverFarms** service.
+For virtual network integration, the subnet needs to be delegated to the **Microsoft.Web/serverFarms** service.
 
 :::image type="content" source="media/virtual-network-injection-workspaces-resources/delegate-external.png" alt-text="Screenshot showing subnet delegation to Microsoft.Web/serverFarms in the portal.":::
 
 > [!NOTE]
 > You might need to register the `Microsoft.Web/serverFarms` resource provider in the subscription so that you can delegate the subnet to the service.
 
-#### [Private/Private](#tab/internal)
+#### [Virtual network injection](#tab/internal)
 
-For Private/Private mode, the subnet needs to be delegated to the **Microsoft.Web/hostingEnvironments** service.
+For virtual network injection, the subnet needs to be delegated to the **Microsoft.Web/hostingEnvironments** service.
 
 :::image type="content" source="media/virtual-network-injection-workspaces-resources/delegate-internal.png" alt-text="Screenshot showing subnet delegation to Microsoft.Web/hostingEnvironments in the portal.":::
 
@@ -67,27 +66,30 @@ For Private/Private mode, the subnet needs to be delegated to the **Microsoft.We
 
 ## Network security group (NSG) rules
 
-A network security group (NSG) must be attached to the subnet to explicitly allow inbound connectivity. Configure the following rules in the NSG. Set the priority of these rules higher than that of the default rules.
+A network security group (NSG) must be attached to the subnet to explicitly allow certain inbound or outbound connectivity. Configure the following rules in the NSG. Set the priority of these rules higher than that of the default rules.
+
+Configure other NSG rules to meet your organization's network access requirements.
 
-#### [Public/Private](#tab/external)
+#### [Virtual network integration](#tab/external)
 
-| Source / Destination Port(s) | Direction          | Transport protocol |   Source | Destination   | Purpose |
-|------------------------------|--------------------|--------------------|---------------------------------------|----------------------------------|-----------|
-| */80                          | Inbound            | TCP                | AzureLoadBalancer | Workspace gateway subnet range                           | Allow internal health ping traffic     |
-| */80,443 | Inbound | TCP | Internet | Workspace gateway subnet range | Allow inbound traffic |
+| Direction | Source  | Source port ranges | Destination | Destination port ranges | Protocol |  Action | Purpose | 
+|-------|--------------|----------|---------|------------|-----------|-----|--------|
+| Inbound | AzureLoadBalancer | * | Workspace gateway subnet range  | 80 | TCP | Allow | Allow internal health ping traffic |
+| Inbound | Internet | * | Workspace gateway subnet range  | 80,443 | TCP | Allow | Allow inbound traffic |
 
-#### [Private/Private](#tab/internal)
+#### [Virtual network injection](#tab/internal)
 
-| Source / Destination Port(s) | Direction          | Transport protocol |   Source | Destination   | Purpose |
-|------------------------------|--------------------|--------------------|---------------------------------------|----------------------------------|-----------|
-| */80                          | Inbound            | TCP                | AzureLoadBalancer | Workspace gateway subnet range                           | Allow internal health ping traffic     |
-| */80,443 | Inbound | TCP | Virtual network | Workspace gateway subnet range | Allow inbound traffic |
+| Direction | Source  | Source port ranges | Destination | Destination port ranges | Protocol |  Action | Purpose | 
+|-------|--------------|----------|---------|------------|-----------|-----|--------|
+| Inbound | AzureLoadBalancer | * | Workspace gateway subnet range  | 80 | TCP | Allow | Allow internal health ping traffic |
+| Inbound | VirtualNetwork | * | Workspace gateway subnet range  | 80,443 | TCP | Allow | Allow inbound traffic |
+| Outbound | VirtualNetwork | * | Storage | 443 | TCP | Allow | Dependency on Azure Storage |
 
 ---
 
-## DNS settings for Private/Private configuration
+## DNS settings for virtual network injection
 
-In the Private/Private network configuration, you have to manage your own DNS to enable inbound access to your workspace gateway. 
+For virtual network injection, you have to manage your own DNS to enable inbound access to your workspace gateway. 
 
 We recommend: