Merge branch 'master' of https://github.com/Microsoft/azure-docs-pr into wafupdate0529

Author: KumudD

articles/active-directory-b2c/active-directory-b2c-custom-setup-adfs2016-idp.md

@@ -140,7 +140,7 @@ Now that you have a button in place, you need to link it to an action. The actio
 To use ADFS as an identity provider in Azure AD B2C, you need to create an ADFS Relying Party Trust with the Azure AD B2C SAML metadata. The following example shows a URL address to the SAML metadata of an Azure AD B2C technical profile:
 
 ```
-https://login.microsoftonline.com/te/your-tenant/your-policy/samlp/metadata?idptp=your-technical-profile
+https://your-tenant-name.b2clogin.com/your-tenant-name/your-policy/samlp/metadata?idptp=your-technical-profile
 ```
 
 Replace the following values:

articles/aks/tutorial-kubernetes-app-update.md

@@ -83,7 +83,10 @@ Use [docker tag][docker-tag] to tag the image. Replace `<acrLoginServer>` with y
 docker tag azure-vote-front <acrLoginServer>/azure-vote-front:v2
 ```
 
-Now use [docker push][docker-push] to upload the image to your registry. Replace `<acrLoginServer>` with your ACR login server name. If you experience issues pushing to your ACR registry, make sure that you have run the [az acr login][az-acr-login] command.
+Now use [docker push][docker-push] to upload the image to your registry. Replace `<acrLoginServer>` with your ACR login server name.
+
+> [!NOTE]
+> If you experience issues pushing to your ACR registry, make sure that you are still logged in. Run the [az acr login][az-acr-login] command using the name of your Azure Container Registry that you created in the [Create an Azure Container Registry](tutorial-kubernetes-prepare-acr.md#create-an-azure-container-registry) step. For example, `az acr login --name <azure container registry name>`.
 
 ```console
 docker push <acrLoginServer>/azure-vote-front:v2

articles/application-gateway/application-gateway-autoscaling-zone-redundant.md

@@ -5,7 +5,7 @@ services: application-gateway
 author: vhorne
 ms.service: application-gateway
 ms.topic: article
-ms.date: 5/22/2019
+ms.date: 6/1/2019
 ms.author: victorh
 ---
 
@@ -50,6 +50,8 @@ Compute unit guidance:
 > Each instance can currently support approximately 10 capacity units.
 > The number of requests a compute unit can handle depends on various criteria like TLS certificate key size, key exchange algorithm, header rewrites, and in case of WAF incoming request size. We recommend you perform application tests to determine request rate per compute unit. Both capacity unit and compute unit will be made available as a metric before billing starts.
 
+The following table shows example prices and are for illustration purposes only.
+
 **Pricing in US East**:
 
 |              SKU Name                             | Fixed price ($/hr)  | Capacity Unit price ($/CU-hr)   |
@@ -137,6 +139,9 @@ The following table compares the features available with each SKU.
 |Netwatcher integration|Not supported.|
 |Azure Support Center integration|Not yet available.
 
+## Migrate from v1 to v2
+
+An Azure PowerShell script is available in the PowerShell gallery to help you migrate from your v1 Application Gateway/WAF to the v2 Autoscaling SKU. This script helps you copy the configuration from your v1 gateway. Traffic migration is still your responsibility. For more details, see [Migrate Azure Application Gateway from v1 to v2](migrate-v1-v2.md).
 ## Next steps
 
 - [Quickstart: Direct web traffic with Azure Application Gateway - Azure portal](quick-create-portal.md)

articles/application-gateway/application-gateway-faq.md

@@ -6,14 +6,16 @@ author: vhorne
 ms.service: application-gateway
 ms.topic: article
 ms.workload: infrastructure-services
-ms.date: 4/30/2019
+ms.date: 6/1/2019
 ms.author: victorh
 ---
 
 # Frequently asked questions about Application Gateway
 
 [!INCLUDE [updated-for-az](../../includes/updated-for-az.md)]
 
+The following are common questions asked about Azure Application Gateway.
+
 ## General
 
 ### What is Application Gateway?
@@ -182,14 +184,19 @@ See [Order of processing rules](https://docs.microsoft.com/azure/application-gat
 
 The Host field specifies the name to send the probe to when you've configured multisite on Application Gateway. Otherwise use '127.0.0.1'. This value is different from the virtual machine host name. Its format is \<protocol\>://\<host\>:\<port\>\<path\>.
 
-### Can I whitelist Application Gateway access to only a few source IPs?
+### Can I allow Application Gateway access to only a few source IP addresses?
 
-Yes. See [restrict access to specific source IPs](https://docs.microsoft.com/azure/application-gateway/configuration-overview#whitelist-application-gateway-access-to-a-few-source-ips).
+Yes. See [restrict access to specific source IPs](https://docs.microsoft.com/azure/application-gateway/configuration-overview#allow-application-gateway-access-to-a-few-source-ips).
 
 ### Can I use the same port for both public-facing and private-facing listeners?
 
 No.
 
+### Is there guidance available to migrate from the v1 SKU to the v2 SKU?
+
+Yes. For details see, [Migrate Azure Application Gateway and Web Application Firewall from v1 to v2](migrate-v1-v2.md).
+
+
 ## Configuration - SSL
 
 ### What certificates does Application Gateway support?
@@ -308,6 +315,10 @@ For more information, see [OWASP top-10 vulnerabilities](https://www.owasp.org/i
 
 Yes. You can enable DDoS protection on the virtual network where the application gateway is deployed. This setting ensures that the Azure DDoS Protection service also protects the application gateway virtual IP (VIP).
 
+### Is there guidance available to migrate from the v1 SKU to the v2 SKU?
+
+Yes. For details see, [Migrate Azure Application Gateway and Web Application Firewall from v1 to v2](migrate-v1-v2.md).
+
 ## Diagnostics and logging
 
 ### What types of logs does Application Gateway provide?

articles/application-gateway/configuration-overview.md

@@ -5,7 +5,7 @@ services: application-gateway
 author: vhorne
 ms.service: application-gateway
 ms.topic: article
-ms.date: 4/30/2019
+ms.date: 6/1/2019
 ms.author: absha
 
 ---
@@ -53,7 +53,7 @@ Network security groups (NSGs) are supported on Application Gateway. But there a
 
 - Traffic from the **AzureLoadBalancer** tag must be allowed.
 
-##### Whitelist Application Gateway access to a few source IPs
+##### Allow Application Gateway access to a few source IPs
 
 For this scenario, use NSGs on the Application Gateway subnet. Put the following restrictions on the subnet in this order of priority:
 

articles/application-gateway/migrate-v1-v2.md

@@ -0,0 +1,182 @@
+---
+title: Migrate Azure Application Gateway and Web Application Firewall from v1 to v2
+description: This article shows you how to migrate Azure Application Gateway and Web Application Firewall from v1 to v2
+services: application-gateway
+author: vhorne
+ms.service: application-gateway
+ms.topic: article
+ms.date: 6/1/2019
+ms.author: victorh
+---
+
+# Migrate Azure Application Gateway and Web Application Firewall from v1 to v2
+
+[Azure Application Gateway and Web Application Firewall (WAF) v2](application-gateway-autoscaling-zone-redundant.md) is now available, offering additional features such as autoscaling and availability-zone redundancy. However, existing v1 gateways aren't automatically upgraded to v2. If you want to migrate from v1 to v2, follow the steps in this article.
+
+There are two stages in a migration:
+
+1. Migrate the configuration
+2. Migrate the client traffic
+
+This article covers configuration migration. Client traffic migration varies depending on your specific environment. However, some high-level, general recommendations [are provided](#migrate-client-traffic).
+
+## Migration overview
+
+An Azure PowerShell script is available that does the following:
+
+* Creates a new Standard_v2 or WAF_v2 gateway in a virtual network subnet that you specify.
+* Seamlessly copies the configuration associated with the v1 Standard or WAF gateway to the newly created Standard_V2 or WAF_V2 gateway.
+
+### Caveats\Limitations
+
+* The new v2 gateway has new public and private IP addresses. It isn't possible to move the IP addresses associated with the existing v1 gateway seamlessly to v2. However, you can allocate an existing (unallocated) public or private IP address to the new v2 gateway.
+* You must provide an IP address space for another subnet within your virtual network where your v1 gateway is located. The script can't create the v2 gateway in any existing subnets that already have a v1 gateway. However, if the existing subnet already has a v2 gateway, that may still work provided there's enough IP address space.
+* To  migrate an SSL configuration, you must specify all the SSL certs used in your v1 gateway.
+* If you have FIPS mode enabled for your V1 gateway, it won’t be migrated to your new v2 gateway. FIPS mode isn't supported in v2.
+* v2 doesn't support IPv6, so IPv6 enabled v1 gateways aren't migrated. If you run the script, it may not complete.
+* If the v1 gateway has only a private IP address, the script creates a public IP address and a private IP address for the new v2 gateway. v2 gateways currently don't support only private IP addresses.
+
+## Download the script
+
+Download the migration script from the  [PowerShell Gallery](https://www.powershellgallery.com/packages/AzureAppGWMigration).
+
+## Use the script
+
+There are two options for you depending on your local PowerShell environment setup and preferences:
+
+* If you don’t have the Azure Az modules installed, or don’t mind uninstalling the Azure Az modules, the best option is to use the `Install-Script` option to run the script.
+* If you need to keep the Azure Az modules, your best bet is to download the script and run it directly.
+
+To determine if you have the Azure Az modules installed, run `Get-InstalledModule -Name az`. If you don't see any installed Az modules, then you can use the `Install-Script` method.
+
+### Install using the Install-Script method
+
+To use this option, you must not have the Azure Az modules installed on your computer. If they're installed, the following command displays an error. You can either uninstall the Azure Az modules, or use the other option to download the script manually and run it.
+  
+Run the script with the following command:
+
+`Install-Script -Name AzureAppGWMigration`
+
+This command also installs the required Az modules.  
+
+### Install using the script directly
+
+If you do have some Azure Az modules installed and can't uninstall them (or don't want to uninstall them), you can manually download the script using the **Manual Download** tab in the script download link. The script is downloaded as a raw nupkg file. To install the script from this nupkg file, see [Manual Package Download](https://docs.microsoft.com/powershell/gallery/how-to/working-with-packages/manual-download).
+
+To run the script:
+
+1. Use `Connect-AzAccount` to connect to Azure.
+
+1. Use `Import-Module Az` to import the Az modules.
+
+1. Run `Get-Help AzureAppGWMigration.ps1` to examine the required parameters:
+
+   `AzureAppGwMigration.ps1
+    -resourceId <v1 application gateway Resource ID>
+    -subnetAddressRange <subnet space you want to use>
+    -appgwName <string to use to append>
+    -sslCertificates <comma-separated SSLCert objects as above>
+    -trustedRootCertificates <comma-separated Trusted Root Cert objects as above>
+    -privateIpAddress <private IP string>
+    -publicIpResourceName <public IP name string>
+    -validateMigration -enableAutoScale`
+
+   Parameters for the script:
+   * **resourceId: [String]: Required** - This is the Azure Resource ID for your existing Standard v1 or WAF v1 gateway. To find this string value,  navigate to the Azure portal, select your application gateway or WAF resource, and click the **Properties** link for the gateway. The Resource ID is located on that page.
+
+     You can also run the following Azure PowerShell commands to get the Resource ID:
+
+     ```azurepowershell
+     $appgw = Get-AzApplicationGateway -Name <v1 gateway name> -ResourceGroupName <resource group Name> 
+     $appgw.Id
+     ```
+
+   * **subnetAddressRange: [String]:  Required** - This is the IP address space that you have allocated (or want to allocate) for a new subnet that contains your new v2 gateway. This must be specified in the CIDR notation. For example: 10.0.0.0/24. You do not need to create this subnet in advance. The script creates it for you if it doesn't exist.
+   * **appgwName: [String]: Optional**. This is a string you specify to use as the name for the new Standard_v2 or WAF_v2 gateway. If this parameter isn't supplied, the name of your existing v1 gateway will be used with the suffix *_v2* appended.
+   * **sslCertificates: [PSApplicationGatewaySslCertificate]: Optional**.  A comma-separated list of PSApplicationGatewaySslCertificate objects that you create to represent the SSL certs from your v1 gateway must be uploaded to the new v2 gateway. For each of your SSL certs configured for your Standard v1 or WAF v1 gateway, you can create a new PSApplicationGatewaySslCertificate object via the `New-AzApplicationGatewaySslCertificate` command shown here. You need the path to your SSL Cert file and the password.
+
+       This parameter is only optional if you don’t have HTTPS listeners configured for your v1 gateway or WAF. If you have at least one HTTPS listener setup, you must specify this parameter.
+
+      ```azurepowershell  
+      $password = ConvertTo-SecureString <cert-password> -AsPlainText -Force
+      $mySslCert1 = New-AzApplicationGatewaySslCertificate -Name "Cert01" `
+        -CertificateFile <Cert-File-Path-1> `
+        -Password $password 
+      $mySslCert2 = New-AzApplicationGatewaySslCertificate -Name "Cert02" `
+        -CertificateFile <Cert-File-Path-2> `
+        -Password $password
+      ```
+
+      You can pass in `$mySslCert1, $mySslCert2` (comma-separated) in the previous example as values for this parameter in the script.
+   * **trustedRootCertificates: [PSApplicationGatewayTrustedRootCertificate]: Optional**. A comma-separated list of PSApplicationGatewayTrustedRootCertificate objects that you create to represent the [Trusted Root certificates](ssl-overview.md) for authentication of your backend instances from your v2 gateway.  
+
+      To create a list of PSApplicationGatewayTrustedRootCertificate objects, see [New-AzApplicationGatewayTrustedRootCertificate](https://docs.microsoft.com/powershell/module/Az.Network/New-AzApplicationGatewayTrustedRootCertificate?view=azps-2.1.0&viewFallbackFrom=azps-2.0.0).
+   * **privateIpAddress: [String]: Optional**. A specific private IP address that you want to associate to your new v2 gateway.  This must be from the same VNet that you allocate for your new v2 gateway. If this isn't specified, the script allocates a private IP address for your v2 gateway.
+    * **publicIpResourceId: [String]: Optional**. The resourceId of a public IP address resource in your subscription that you want to allocate to the new v2 gateway. If this is not specified, the script allocates a new public IP in the same resource group. The name is the v2 gateway’s name with *-IP* appended.
+   * **validateMigration: [switch]: Optional**. Use this parameter if you want the script to do some basic configuration comparison validations after the v2 gateway creation and the configuration copy. By default, no validation is done.
+   * **enableAutoScale: [switch]: Optional**. Use this parameter if you want the script to enable AutoScaling on the new v2 gateway after it is created. By default, AutoScaling is disabled. You can always manually enable it later on the newly created v2 gateway.
+
+1. Run the script using the appropriate parameters.
+
+    **Example**
+
+   ```azurepowershell
+   AzureAppGWMigration.ps1 `
+      -resourceId /subscriptions/8b1d0fea-8d57-4975-adfb-308f1f4d12aa/resourceGroups/MyResourceGroup/providers/Microsoft.Network/applicationGateways/myv1appgateway `
+      -subnetAddressRange 10.0.0.0/24 `
+      -appgwname "MynewV2gw" `
+      -sslCertificates $Certs `
+      -trustedRootCertificates $trustedCert `
+      -privateIpAddress "10.0.0.1" `
+      -publicIpResourceName "MyPublicIP" `
+      -validateMigration -enableAutoScale
+   ```
+
+## Migrate client traffic
+
+First, double check that the script successfully created a new v2 gateway with the exact configuration migrated over from your v1 gateway. You can verify this from the Azure portal.
+
+Also, send a small amount of traffic through the v2 gateway as a manual test.
+  
+Here are a few scenarios where your current application gateway (Standard) may receive client traffic, and our recommendations for each one:
+
+* **A custom DNS zone (for example, contoso.com) that points to the frontend IP address (using an A record) associated with your Standard v1 or WAF v1 gateway**.
+
+    You can update your DNS record to point to the frontend IP or DNS label associated with your Standard_v2 application gateway. Depending on the TTL configured on your DNS record, it may take a while for all your client traffic to migrate to your new v2 gateway.
+* **A custom DNS zone (for example, contoso.com) that points to the DNS label (for example: *myappgw.eastus.cloudapp.azure.com* using a CNAME record) associated with your v1 gateway**.
+
+   You have two choices:
+
+  * If you use public IP addresses on your application gateway, you can do a controlled, granular migration using a Traffic Manager profile to incrementally route traffic (weighted traffic routing method) to the new v2 gateway.
+
+    You can do this by adding the DNS labels of both the v1 and v2 application gateways to the Traffic Manager profile, and CNAMEing your custom DNS record (for example, www.contoso.com) to the Traffic Manager domain (for example, contoso.trafficmanager.net).
+  * Or, you can update your custom domain DNS record to point to the DNS label of the new v2 application gateway. Depending on the TTL configured on your DNS record, it may take a while for all your client traffic to migrate to your new v2 gateway.
+* **Your clients connect to the frontend IP address of your application gateway**.
+
+   Update your clients to use the IP address(es) associated with the newly created v2 application gateway. We recommend that you don't use IP addresses directly. Consider using the DNS name label (for example, yourgateway.eastus.cloudapp.azure.com) associated with your application gateway that you can CNAME to your own custom DNS zone (for example, contoso.com).
+
+## Common questions
+
+### Are there any limitations with the Azure PowerShell script to migrate the configuration from v1 to v2?
+
+Yes. See [Caveats/Limitations](#caveatslimitations).
+
+### Is this article and the Azure PowerShell script applicable for Application Gateway WAF product as well? 
+
+Yes.
+
+### Does the Azure PowerShell script also switch over the traffic from my v1 gateway to the newly created v2 gateway?
+
+No. The Azure PowerShell script only migrates the configuration. Actual traffic migration is your responsibility and in your control.
+
+### Is the new v2 gateway created by the Azure PowerShell script sized appropriately to handle all of the traffic that is currently served by my v1 gateway?
+
+The Azure PowerShell script creates a new v2 gateway with an appropriate size to handle the traffic on your existing V1 gateway. Autoscaling is disabled by default, but you can enable AutoScaling when you run the script.
+
+### I ran into some issues with using this script. How can I get help?
+  
+You can send an email to [email protected], open a support case with Azure Support, or do both.
+
+## Next steps
+
+[Learn about Application Gateway v2](application-gateway-autoscaling-zone-redundant.md)

articles/application-gateway/toc.yml

@@ -209,6 +209,8 @@
         href: how-to-troubleshoot-application-gateway-session-affinity-issues.md           
       - name: Bad Gateway (502) errors
         href: application-gateway-troubleshooting-502.md
+  - name: Migrate from v1 to v2
+    href: migrate-v1-v2.md
 - name: Reference
   items:
   - name: CRS rules