Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into mcpp

Author: gitName

.openpublishing.redirection.json

@@ -6894,6 +6894,11 @@
       "redirect_url": "/azure/governance/policy/samples/hipaa-hitrust",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/reliability/migrate-workload-aks-mysql.md",
+      "redirect_url": "/azure/reliability/availability-zones-migration-overview",
+      "redirect_document_id": true
+    },
     {
        "source_path": "articles/private-5g-core/disconnected-mode.md",
        "redirect_url": "/azure/private-5g-core/azure-stack-edge-disconnects",
@@ -6904,6 +6909,7 @@
       "redirect_url": "/azure/signups/overview",
       "redirect_document_id": false
     }
+    
   ]
 }
 

articles/api-management/TOC.yml

@@ -686,6 +686,8 @@
       href: breaking-changes/git-configuration-retirement-march-2025.md
     - name: Direct management API retirement (March 2025)
       href: breaking-changes/direct-management-api-retirement-march-2025.md
+    - name: Managed certificates suspension (August 2025)
+      href: breaking-changes/managed-certificates-suspension-august-2025.md
     - name: ADAL-based identity provider retirement (September 2025)
       href: breaking-changes/identity-provider-adal-retirement-sep-2025.md
     - name: CAPTCHA endpoint update (September 2025)

articles/api-management/api-management-capacity.md

@@ -42,9 +42,6 @@ In the v2 tiers, the following metrics are available:
 
 * **Memory Percentage of Gateway** - The percentage of memory capacity used by the gateway units.
 
-    > [!NOTE]
-    > Currently, the Memory Percentage of Gateway metric isn't supported in the Premium v2 tier.
-
 Available aggregations for these metrics are as follows.
 
 * **Avg** - Average percentage of capacity used across gateway processes in every [unit](upgrade-and-scale.md) of an API Management instance. 

articles/api-management/api-management-howto-deploy-multi-region.md

@@ -168,7 +168,7 @@ This section provides considerations for multi-region deployments when the API M
 * Configure each regional network independently. The [connectivity requirements](virtual-network-reference.md) such as required network security group rules for a virtual network in an added region are generally the same as those for a network in the primary region.
 * Virtual networks in the different regions don't need to be peered.
 > [!IMPORTANT]
-> When configured in internal virtual network mode, each regional gateway must also have outbound connectivity on port 1433 to the Azure SQL database configured for your API Management instance, which is only in the *primary* region. Ensure that you allow connectivity to the FQDN or IP address of this Azure SQL database in any routes or firewall rules you configure for networks in your secondary regions; the Azure SQL service tag can't be used in this scenario. To find the Azure SQL database name in the primary region, go to the **Network** > **Network status** page of your API Management instance in the portal. 
+> When configured in internal virtual network mode, each regional gateway must also have outbound connectivity on port 1433 to the Azure SQL database configured for your API Management instance, which is only in the *primary* region. Ensure that you allow connectivity to the FQDN or IP address of this Azure SQL database in any routes or firewall rules you configure for networks in your secondary regions; the Azure SQL service endpoint can't be used in this scenario. To find the Azure SQL database name in the primary region, go to the **Network** > **Network status** page of your API Management instance in the portal. 
 
 ### IP addresses
 

articles/api-management/api-management-region-availability.md

@@ -6,7 +6,7 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: concept-article
-ms.date: 06/17/2025
+ms.date: 07/21/2025
 ms.author: danlep
 ms.custom:
   - references_regions
@@ -32,6 +32,7 @@ Information in the following table is updated regularly. Capacity availability i
 | Australia Southeast | ✅ | ✅ | | |
 | Brazil South | ✅ | ✅ | |  |
 | Central India  | ✅ | ✅ | |  |
+| Central US  | ✅ | ✅ | |  |
 | East Asia | ✅ | ✅ | | ✅ |
 | East US  | ✅ | ✅ |  |  |
 | East US 2 | ✅ | ✅ | ✅ | ✅ |
@@ -49,6 +50,7 @@ Information in the following table is updated regularly. Capacity availability i
 | Sweden Central | ✅ | ✅ | | |
 | South India | ✅ | ✅ |  |  |
 | Switzerland North | ✅ |✅ |  | |
+| UAE North | ✅ | ✅ | |  |
 | UK South | ✅  | ✅ | ✅ | ✅ |
 | UK West | ✅  | ✅ | | |
 | West Europe  | ✅ | ✅ | | ✅ |

articles/api-management/breaking-changes/managed-certificates-suspension-august-2025.md

@@ -0,0 +1,39 @@
+---
+title: Azure API Management - Managed certificates suspension for new custom domains (August 2025)
+description: Azure API Management is temporarily suspending managed certificates for new custom domains from August 15, 2025 to March 15, 2026 due to industry-wide changes in domain validation.
+services: api-management
+author: dlepow
+ms.service: azure-api-management
+ms.topic: reference
+ai-usage: ai-assisted
+ms.date: 07/18/2025
+ms.author: danlep
+---
+
+# Managed certificates suspension for new custom domains (August 2025)
+
+[!INCLUDE [premium-dev-standard-basic.md](../../../includes/api-management-availability-premium-dev-standard-basic.md)]
+
+Azure managed certificates for new custom domains in API Management will be temporarily turned off from August 15, 2025 to March 15, 2026. Existing managed certificates will be autorenewed and remain unaffected.
+
+In the classic service tiers, Azure API Management offers [free, managed TLS certificates for custom domains](../configure-custom-domain.md#domain-certificate-options), allowing customers to secure their endpoints without purchasing and managing their own certificates. Because of an industry-wide deprecation of CNAME-based Domain Control Validation (DCV), our Certificate Authority (CA), DigiCert, will migrate to a new validation platform to meet Multi-Perspective Issuance Corroboration (MPIC) requirements. This migration requires a temporary suspension of managed certificates for new custom domains.
+
+## Is my service affected by this?
+
+You're affected if you plan to create new managed certificates for new custom domains in Azure API Management between August 15, 2025 and March 15, 2026. Existing managed certificates will be autorenewed before August 15, 2025 and will continue to function normally. There's no impact to existing managed certificates or custom domains already using them.
+
+## What is the deadline for the change?
+
+The suspension of managed certificates for new custom domains will be enforced from August 15, 2025 to March 15, 2026. The capability to create managed certificates will resume after the migration to the new validation platform is complete.
+
+## What do I need to do?
+
+No action is required if you already have managed certificates for your custom domains. If you need to add new managed certificates, plan to do so before August 15, 2025 or after March 15, 2026. During the suspension period, you can still configure custom domains with certificates you manage from other sources.
+
+## Help and support
+
+If you have questions, get answers from community experts in [Microsoft Q&A](https://aka.ms/apim/azureqa/change/captcha-2022). If you have a support plan and need technical help, create a [support request](https://portal.azure.com/#view/Microsoft_Azure_Support/HelpAndSupportBlade/~/overview).
+
+## Related content
+
+See all [upcoming breaking changes and feature retirements](overview.md).

articles/api-management/breaking-changes/overview.md

@@ -6,7 +6,7 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: reference
-ms.date: 05/30/2025
+ms.date: 07/17/2025
 ms.author: danlep
 ---
 
@@ -30,6 +30,7 @@ The following table lists all the upcoming breaking changes and feature retireme
 | [Git repository retirement][git2025] | March 15, 2025 |
 | [Direct management API retirement][mgmtapi2025] | March 15, 2025 |
 | [Workspaces preview breaking changes, part 2][workspaces2025march] | March 31, 2025 |
+| [Managed certificates suspension][managed-certificates-suspension-august-2025] | August 15, 2025 |
 | [ADAL-based Microsoft Entra ID identity provider retirement][msal2025] | September 30, 2025 |
 | [CAPTCHA endpoint update][captcha2025] | September 30, 2025 |
 | [Built-in analytics dashboard retirement][analytics2027] | March 15, 2027 |
@@ -50,3 +51,4 @@ The following table lists all the upcoming breaking changes and feature retireme
 [mgmtapi2025]: ./direct-management-api-retirement-march-2025.md
 [workspaces2024]: ./workspaces-breaking-changes-june-2024.md
 [workspaces2025march]: ./workspaces-breaking-changes-march-2025.md
+[managed-certificates-suspension-august-2025]: ./managed-certificates-suspension-august-2025.md

articles/app-service/app-service-web-configure-tls-mutual-auth.md

@@ -15,6 +15,8 @@ ms.custom: devx-track-csharp, devx-track-extended-java, devx-track-js, devx-trac
 
 # Configure TLS mutual authentication in Azure App Service
 
+[!INCLUDE [app-service-managed-certificate](./includes/managed-certs/managed-certs-note.md)]
+
 You can restrict access to your Azure App Service app by enabling various types of authentication for the app. One way to set up authentication is to request a client certificate when the client request is sent by using Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and to validate the certificate. This mechanism is called *mutual authentication* or *client certificate authentication*. This article shows how to set up your app to use client certificate authentication.
 
 > [!NOTE]

articles/app-service/app-service-web-tutorial-custom-domain.md

@@ -13,6 +13,8 @@ author: msangapu-msft
 
 # Set up an existing custom domain in Azure App Service
 
+[!INCLUDE [app-service-managed-certificate](./includes/managed-certs/managed-certs-note.md)]
+
 [Azure App Service](overview.md) provides a highly scalable, self-patching web hosting service. This guide shows you how to map an existing custom Domain Name System (DNS) name to App Service. To migrate a live site and its DNS domain name to App Service with no downtime, see [Migrate an active DNS name to Azure App Service](manage-custom-dns-migrate-domain.md).
 
 The DNS record type you need to add with your domain provider depends on the domain you want to add to App Service.

articles/app-service/configure-authentication-provider-aad.md

@@ -301,7 +301,7 @@ Requests that fail these built-in checks get an HTTP `403 Forbidden` response.
 
 [fic-config]: #use-a-managed-identity-instead-of-a-secret-preview
 
-Instead of configuring a client secret for your app registration, you can [configure an application to trust a managed identity (preview)][entra-fic]. Using an identity instead of a secret means you don't have to manage a secret. You don't have secret expiration events to handle, and you don't have the same level of risk associated with possibly disclosing or leaking that secret.
+Instead of configuring a client secret for your app registration, you can [configure an application to trust a managed identity][entra-fic]. Using an identity instead of a secret means you don't have to manage a secret. You don't have secret expiration events to handle, and you don't have the same level of risk associated with possibly disclosing or leaking that secret.
 
 The identity allows you to create a *federated identity credential*, which can be used instead of a client secret as a *client assertion*. This approach is available only for workforce configurations. The built-in authentication feature currently supports federated identity credentials as a preview.
 
@@ -313,6 +313,7 @@ You can use the steps in this section to configure your App Service or Azure Fun
 
     > [!IMPORTANT]
     > The user-assigned managed identity that you create should only be assigned to the App Service or Azure Functions application through this registration. If you assign the identity to another resource, you're giving that resource unnecessary access to your app registration.
+
 1. Note down the **Object ID** and **Client ID** values of the managed identity. You'll need the object ID to create a federated identity credential in the next step. You'll use the managed identity's client ID in a later step.
 
 1. Follow the Microsoft Entra ID [instructions to configure a federated identity credential on an existing application](/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity#configure-a-federated-identity-credential-on-an-existing-application). Those instructions also include sections for updating application code, which you can skip.