Merge pull request #262836 from MicrosoftDocs/repo_sync_working_branch

TimShererWithAquent · web-flow · commit 2d9bf9190cbf · 2024-01-10T18:45:19.000Z
Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-docs (branch main)
diff --git a/articles/app-service/monitor-instances-health-check.md b/articles/app-service/monitor-instances-health-check.md
@@ -45,6 +45,7 @@ Note that _/api/health_ is just an example added for illustration purposes. We d
 > - The Health check path should check critical components of your application. For example, if your application depends on a database and a messaging system, the Health check endpoint should connect to those components. If the application can't connect to a critical component, then the path should return a 500-level response code to indicate the app is unhealthy. Also, if the path does not return a response within 1 minute, the health check ping is considered unhealthy.
 > - When selecting the Health check path, make sure you're selecting a path that returns a 200 status code, only when the app is fully warmed up.
 > - In order to use Health check on your Function App, you must use a [premium or dedicated hosting plan](../azure-functions/functions-scale.md#overview-of-plans).
+> - Details about Health check on Function Apps can be found here: [Monitor function apps using Health check](/azure-functions/configure-monitoring?tabs=v2#monitor-function-apps-using-health-check).
 
 > [!CAUTION]
 > Health check configuration changes restart your app. To minimize impact to production apps, we recommend [configuring staging slots](deploy-staging-slots.md) and swapping to production.
@@ -65,6 +66,9 @@ Health check integrates with App Service's [authentication and authorization fea
 
 If you're using your own authentication system, the Health check path must allow anonymous access. To secure the Health check endpoint, you should first use features such as [IP restrictions](app-service-ip-restrictions.md#set-an-ip-address-based-rule), [client certificates](app-service-ip-restrictions.md#set-an-ip-address-based-rule), or a Virtual Network to restrict application access. Once you have those features in-place, you can authenticate the health check request by inspecting the header, `x-ms-auth-internal-token`, and validating that it matches the SHA256 hash of the environment variable `WEBSITE_AUTH_ENCRYPTION_KEY`. If they match, then the health check request is valid and originating from App Service. 
 
+> [!NOTE]
+> Specifically for [Azure Functions authentication](/azure/azure-functions/security-concepts?tabs=v4#function-access-keys), the function that serves as Health check endpoint needs to allow anonymous access. 
+
 ##### [.NET](#tab/dotnet)
 
 ```C#
diff --git a/articles/app-service/scripts/terraform-secure-backend-frontend.md b/articles/app-service/scripts/terraform-secure-backend-frontend.md
@@ -17,7 +17,7 @@ This article illustrates an example use of [Private Endpoint](../networking/priv
 - Deploy a VNet
 - Create the first subnet for the integration
 - Create the second subnet for the private endpoint, you have to set a specific parameter to disable network policies
-- Deploy one App Service plan of type PremiumV2 or PremiumV3, required for Private Endpoint feature
+- Deploy one App Service plan of type Basic, Standard, PremiumV2, PremiumV3, IsolatedV2, Functions Premium (sometimes referred to as the Elastic Premium plan), required for Private Endpoint feature
 - Create the frontend web app with specific app settings to consume the private DNS zone, [more details](../overview-vnet-integration.md#azure-dns-private-zones)
 - Connect the frontend web app to the integration subnet
 - Create the backend web app
diff --git a/articles/azure-monitor/app/java-standalone-telemetry-processors.md b/articles/azure-monitor/app/java-standalone-telemetry-processors.md
@@ -260,7 +260,7 @@ The `mask` action requires the following settings:
 * `replace`
 * `action`: `mask`
 
-`pattern` can contain a named group placed betwen `?<` and `>:`. Example: `(?<userGroupName>[a-zA-Z.:\/]+)\d+`? The group is `(?<userGroupName>[a-zA-Z.:\/]+)` and `userGroupName` is the name of the group. `pattern` can then contain the same named group placed between `${` and `}` followed by the mask. Example where the mask is **: `${userGroupName}**`.
+`pattern` can contain a named group placed between `?<` and `>:`. Example: `(?<userGroupName>[a-zA-Z.:\/]+)\d+`? The group is `(?<userGroupName>[a-zA-Z.:\/]+)` and `userGroupName` is the name of the group. `pattern` can then contain the same named group placed between `${` and `}` followed by the mask. Example where the mask is **: `${userGroupName}**`.
 
 See  [Telemetry processor examples](./java-standalone-telemetry-processors-examples.md) for masking examples.
 
diff --git a/articles/defender-for-cloud/faq-defender-for-servers.yml b/articles/defender-for-cloud/faq-defender-for-servers.yml
@@ -17,7 +17,7 @@ sections:
       - question: |
           Can I enable Defender for Servers on a subset of machines in a subscription?
         answer: |
-          No. When you enable Microsoft Defender for Servers on an Azure subscription or on a connected AWS account or GCP project, all connected machines are protected by Defender for Servers. Servers that don't have the Log Analytics agent or Azure Monitor agent installed are also protected.
+          Yes. It's now possible to manage Defender for Servers on specific resources within your subscription, giving you full control over your protection strategy. With this capability, you can configure specific resources with custom configurations that differ from the settings configured at the subscription level. Learn more about [enabling Defender for Servers at the resource level](/azure/defender-for-cloud/tutorial-enable-servers-plan#enable-the-plan-at-the-resource-level). However, when you enable Microsoft Defender for Servers on a connected AWS account or GCP project, all connected machines are protected by Defender for Servers.
 
       - question: |
           Can I get a discount if I already have a Microsoft Defender for Endpoint license?
diff --git a/articles/machine-learning/how-to-access-data-interactive.md b/articles/machine-learning/how-to-access-data-interactive.md
@@ -60,7 +60,7 @@ subscription = '<subscription_id>'
 resource_group = '<resource_group>'
 workspace = '<workspace>'
 datastore_name = '<datastore>'
-path_on_datastore '<path>'
+path_on_datastore = '<path>'
 
 # long-form Datastore uri format:
 uri = f'azureml://subscriptions/{subscription}/resourcegroups/{resource_group}/workspaces/{workspace}/datastores/{datastore_name}/paths/{path_on_datastore}'.
diff --git a/articles/site-recovery/move-azure-VMs-AVset-Azone.md b/articles/site-recovery/move-azure-VMs-AVset-Azone.md
@@ -92,7 +92,7 @@ The following steps will guide you when using Azure Site Recovery to enable repl
 > These steps are for a single VM. You can extend the same to multiple VMs. Go to the Recovery Services vault, select **+ Replicate**, and select the relevant VMs together.
 
 1. In the Azure portal, select **Virtual machines**, and select the VM you want to move into Availability Zones.
-2. In **Operations**, select **Disaster recovery**.
+2. In **Backup + disaster recovery**, select **Disaster recovery**.
 3. In **Configure disaster recovery** > **Target region**, select the target region to which you'll replicate. Ensure this region [supports](../availability-zones/az-region.md) Availability Zones.
 4. Select **Next: Advanced settings**.
 5. Choose the appropriate values for the target subscription, target VM resource group, and virtual network.
@@ -155,4 +155,4 @@ Go to the VM. Select **Disable Replication**. This action stops the process of c
 In this tutorial, you increased the availability of an Azure VM by moving into an availability set or Availability Zone. Now you can set disaster recovery for the moved VM.
 
 > [!div class="nextstepaction"]
-> [Set up disaster recovery after migration](azure-to-azure-quickstart.md)
+> [Set up disaster recovery after migration](azure-to-azure-quickstart.md)
diff --git a/articles/site-recovery/site-recovery-faq.yml b/articles/site-recovery/site-recovery-faq.yml
@@ -258,9 +258,9 @@ sections:
         answer: |
               Yes, [ExpressRoute can be used](concepts-expressroute-with-site-recovery.md) to replicate on-premises virtual machines to Azure.
 
-              - Azure Site Recovery replicates data to an Azure Storage over a public endpoint. You need to set up [Microsoft peering](../expressroute/expressroute-circuit-peerings.md#microsoftpeering) or use an existing [public peering](../expressroute/about-public-peering.md) (deprecated for new circuits)  to use ExpressRoute for Site Recovery replication.
+              - Azure Site Recovery replicates data to an Azure Storage over a public endpoint. You need to set up [Microsoft peering](../expressroute/expressroute-circuit-peerings.md#microsoftpeering) or use an existing [public peering](../expressroute/about-public-peering.md) (deprecated for new circuits) to use ExpressRoute for Site Recovery replication.
               - Microsoft peering is the recommended routing domain for replication.
-              - Replication is not supported over private peering.
+              - Replication is supported over private peering only when private endpoints are enabled for the vault.
               - If you're protecting VMware machines or physical machines, ensure that the [Networking Requirements](vmware-azure-configuration-server-requirements.md#network-requirements) for Configuration Server are also met. Connectivity to specific URLs is required by Configuration Server for orchestration of Site Recovery replication. ExpressRoute cannot be used for this connectivity.
               - After the virtual machines have been failed over to an Azure virtual network you can access them using the [private peering](../expressroute/expressroute-circuit-peerings.md#privatepeering) setup with the Azure virtual network.
 
diff --git a/articles/virtual-machines/extensions/enable-infiniband.md b/articles/virtual-machines/extensions/enable-infiniband.md
@@ -61,6 +61,9 @@ For Windows, download and install the [Mellanox OFED for Windows drivers](https:
 ## Enable IP over InfiniBand (IB)
 If you plan to run MPI jobs, you typically don't need IPoIB. The MPI library will use the verbs interface for IB communication (unless you explicitly use the TCP/IP channel of MPI library). But if you have an app that uses TCP/IP for communication and you want to run over IB, you can use IPoIB over the IB interface. Use the following commands (for RHEL/CentOS) to enable IP over InfiniBand.
 
+> [!IMPORTANT] 
+> To avoid issues, ensure you aren't running older versions of Microsoft Azure Linux Agent (waagent). We recommend using at least [version 2.4.0.2](https://github.com/Azure/WALinuxAgent/releases/tag/v2.4.0.2) before enabling IP over IB.
+
 ```bash
 sudo sed -i -e 's/# OS.EnableRDMA=n/OS.EnableRDMA=y/g' /etc/waagent.conf
 sudo systemctl restart waagent
diff --git a/articles/virtual-machines/instance-metadata-service.md b/articles/virtual-machines/instance-metadata-service.md
@@ -1340,7 +1340,7 @@ If there's a data element not found or a malformed request, the Instance Metadat
 - **Why am I'm not seeing the SKU information for my VM in `instance/compute` details?**
   - For custom images created from Azure Marketplace, Azure platform doesn't retain the SKU information for the custom image and the details for any VMs created from the custom image. This is by design and hence not surfaced in the VM `instance/compute` details.
 
-- **Why is my request timed out for my call to the service?**
+- **Why is my request timed out (or failed to connect) for my call to the service?**
   - Metadata calls must be made from the primary IP address assigned to the primary network card of the VM. Additionally, if you've changed your routes, there must be a route for the 169.254.169.254/32 address in your VM's local routing table.
 
     ### [Windows](#tab/windows/)
