Merge pull request #293552 from MicrosoftDocs/main

1/24/2025 AM Publish

Author: Taojunshen

articles/app-service/provision-resource-terraform.md

@@ -78,6 +78,9 @@ resource "azurerm_linux_web_app" "webapp" {
   https_only            = true
   site_config { 
     minimum_tls_version = "1.2"
+    application_stack {
+      node_version = "16-lts"
+    }
   }
 }
 

articles/bastion/native-client.md

@@ -5,13 +5,13 @@ description: Learn how to configure Bastion for native client connections.
 author: cherylmc
 ms.service: azure-bastion
 ms.topic: how-to
-ms.date: 12/09/2024
+ms.date: 01/24/2025
 ms.author: cherylmc
 ---
 
 # Configure Bastion for native client connections
 
-This article helps you configure your Bastion deployment to accept connections from the native client (SSH or RDP) on your local computer to VMs located in the VNet. The native client feature lets you connect to your target VMs via Bastion using Azure CLI, and expands your sign-in options to include local SSH key pair and Microsoft Entra ID. Additionally, you can also upload or download files, depending on the connection type and client.
+This article helps you configure your Bastion deployment to accept connections from the native client (SSH or RDP) on your local computer to VMs located in the virtual network. The native client feature lets you connect to your target VMs via Bastion using Azure CLI, and expands your sign-in options to include local SSH key pair and Microsoft Entra ID. Additionally, you can also upload or download files, depending on the connection type and client.
 
 :::image type="content" source="./media/native-client/native-client-architecture.png" alt-text="Diagram shows a connection via native client." lightbox="./media/native-client/native-client-architecture.png":::
 
@@ -22,7 +22,7 @@ You can configure this feature by modifying an existing Bastion deployment, or y
 
 ## Deploy Bastion with the native client feature
 
-If you haven't already deployed Bastion to your VNet, you can deploy with the native client feature specified by deploying Bastion using manual settings. For steps, see [Tutorial - Deploy Bastion with manual settings](tutorial-create-host-portal.md#createhost). When you deploy Bastion, specify the following settings:
+If you haven't already deployed Bastion to your virtual network, you can deploy with the native client feature specified by deploying Bastion using manual settings. For steps, see [Tutorial - Deploy Bastion with manual settings](tutorial-create-host-portal.md#createhost). When you deploy Bastion, specify the following settings:
 
 1. On the **Basics** tab, for **Instance Details -> Tier** select **Standard**. Native client support requires the Standard SKU.
 
@@ -34,7 +34,7 @@ If you haven't already deployed Bastion to your VNet, you can deploy with the na
 
 ## Modify an existing Bastion deployment
 
-If you've already deployed Bastion to your VNet, modify the following configuration settings:
+If you've already deployed Bastion to your virtual network, modify the following configuration settings:
 
 1. Navigate to the **Configuration** page for your Bastion resource. Verify that the SKU Tier is **Standard**. If it isn't, select **Standard**.
 1. Select the box for **Native Client Support**, then apply your changes.
@@ -53,12 +53,12 @@ Use the following table to understand how to connect from native clients. Notice
 
 | Client | Target VM | Method | Microsoft Entra authentication | File transfer | Concurrent VM sessions | Custom port |
 |---|---|---|---| --- |---|---|
-| Windows native client | Windows VM | [RDP](connect-vm-native-client-windows.md) | Yes | [Upload/Download](vm-upload-download-native.md#rdp) | Yes | Yes |
+| Windows native client | Windows VM | [RDP](connect-vm-native-client-windows.md) | Yes | [Yes](vm-upload-download-native.md#rdp) | Yes | Yes |
 |  | Linux VM | [SSH](connect-vm-native-client-windows.md) | Yes |No | Yes | Yes |
-| | Any VM|[az network bastion tunnel](connect-vm-native-client-windows.md#connect-to-a-vm---tunnel-command)  |No |[Upload](vm-upload-download-native.md#tunnel-command)| No | No |
+| | Any VM|[az network bastion tunnel](connect-vm-native-client-windows.md#connect-to-a-vm---tunnel-command)  |No |[Yes](vm-upload-download-native.md#tunnel-command)| No | No |
 | Linux native client | Linux VM |[SSH](connect-vm-native-client-linux.md#ssh)| Yes | No | Yes | Yes |
-| | Windows or any VM| [az network bastion tunnel](connect-vm-native-client-linux.md) | No | [Upload](vm-upload-download-native.md#tunnel-command) | No | No |
-| Other native client (putty) | Any VM | [az network bastion tunnel](connect-vm-native-client-linux.md) | No | [Upload](vm-upload-download-native.md#tunnel-command) | No | No |
+| | Windows or any VM| [az network bastion tunnel](connect-vm-native-client-linux.md) | No | [Yes](vm-upload-download-native.md#tunnel-command) | No | No |
+| Other native client (putty) | Any VM | [az network bastion tunnel](connect-vm-native-client-linux.md) | No | [Yes](vm-upload-download-native.md#tunnel-command) | No | No |
 
 **Limitations:**
 

articles/bastion/vm-upload-download-native.md

@@ -5,7 +5,7 @@ description: Learn how to upload or download files using Azure Bastion and a nat
 author: cherylmc
 ms.service: azure-bastion
 ms.topic: how-to
-ms.date: 03/11/2024
+ms.date: 01/24/2025
 ms.author: cherylmc
 # Customer intent: I want to upload or download files using Bastion.
 
@@ -30,7 +30,7 @@ Azure Bastion offers support for file transfer between your target VM and local
 The steps in this section apply when connecting to a target VM from a Windows local computer using the native Windows client and RDP. The **az network bastion rdp** command uses the native client MSTSC. Once connected to the target VM, you can upload and download files using **right-click**, then **Copy** and **Paste**. To learn more about this command and how to connect, see [Connect from a Windows native client](connect-vm-native-client-windows.md).
 
 > [!NOTE]
-> File transfer over SSH is not supported using this method. Instead, use the [az network bastion tunnel command](#tunnel-command) to upload files over SSH.
+> File transfer over SSH isn't supported using this method. Instead, use the [az network bastion tunnel command](#tunnel-command) to upload files over SSH.
 >
 
 1. Sign in to your Azure account. If you have more than one subscription, select the subscription containing your Bastion resource.

articles/cloud-shell/release-notes.md

@@ -1,7 +1,7 @@
 ---
 title: Azure Cloud Shell release notes
 description: This article lists the new features and changes released in Azure Cloud Shell.
-ms.date: 12/09/2024
+ms.date: 01/24/2025
 ms.topic: release-notes
 ---
 
@@ -11,6 +11,14 @@ The following document outlines the changes to Azure Cloud Shell. The Cloud Shel
 updated on a monthly basis. Changes can include new or updated features and tools, security updates,
 and bug fixes.
 
+## January 2025
+
+Tool changes
+
+- Updated Azure CLI to [v2.68.0](/cli/azure/release-notes-azure-cli)
+- Updated Azure PowerShell to [v13.1.0](/powershell/azure/release-notes-azureps?view=azps-13.1.0&preserve-view=true)
+- Removed guava-android Java library
+
 ## December 2024
 
 Tool changes

articles/firewall/tutorial-firewall-deploy-portal.md

@@ -5,7 +5,7 @@ services: firewall
 author: vhorne
 ms.service: azure-firewall
 ms.topic: how-to
-ms.date: 11/14/2023
+ms.date: 01/24/2025
 ms.author: victorh
 ms.custom: mvc
 #Customer intent: As an administrator new to this service, I want to control outbound network access from resources located in an Azure subnet.
@@ -88,14 +88,14 @@ This virtual network has two subnets.
 1. For **Name**, type **fw-pip** and select **OK**.
 1. Select **Next**.
 1. For **Address space**, accept the default **10.0.0.0/16**.
-1. Under **Subnet**, select **default** and change the **Name** to **Workload-SN**.
+1. Under **Subnets**, select **default** and change the **Name** to **Workload-SN**.
 1. For **Starting address**, change it to **10.0.2.0/24**.
 1. Select **Save**.
 1. Select **Review + create**.
 1. Select **Create**.
 
 > [!NOTE]
-> Azure Firewall uses public IPs as needed based on available ports. After randomly selecting a public IP to connect outbound from, it will only use the next available public IP after no more connections can be made from the current public IP. In scenarios with high traffic volume and throughput, it is recommended to use a NAT Gateway to provide outbound connectivity. SNAT ports are dynamically allocated across all public IPs associated with NAT Gateway. To learn more see [integrate NAT Gateway with Azure Firewall](/azure/firewall/integrate-with-nat-gateway). 
+> Azure Firewall uses public IPs as needed based on available ports. After randomly selecting a public IP to connect outbound from, it will only use the next available public IP after no more connections can be made from the current public IP. In scenarios with high traffic volume and throughput, it's recommended to use a NAT Gateway to provide outbound connectivity. SNAT ports are dynamically allocated across all public IPs associated with NAT Gateway. To learn more, see [Scale SNAT ports with Azure NAT Gateway](/azure/firewall/integrate-with-nat-gateway). 
 
 ### Create a virtual machine
 
@@ -130,8 +130,8 @@ Now create the workload virtual machine, and place it in the **Workload-SN** sub
 
 ## Examine the firewall
 
-7. Go to the resource group and select the firewall.
-8. Note the firewall private and public IP addresses. You use these addresses later.
+1. Go to the resource group and select the firewall.
+1. Note the firewall private and public IP addresses. You use these addresses later.
 
 ## Create a default route
 
@@ -141,7 +141,7 @@ As a result, there's no need create another user defined route to include the Az
 
 For the **Workload-SN** subnet, configure the outbound default route to go through the firewall.
 
-1. On the Azure portal search for **Route tables**.
+1. On the Azure portal, search for **Route tables**.
 1. Select **Route tables** in the results pane.
 1. Select **Create**.
 1. For **Subscription**, select your subscription.
@@ -204,7 +204,7 @@ This is the network rule that allows outbound access to two IP addresses at port
 2. For **Destination type** select **IP address**.
 3. For **Destination address**, type **209.244.0.3,209.244.0.4**
 
-   These are public DNS servers operated by Level3.
+   These addresses are public DNS servers operated by Level3.
 1. For **Destination Ports**, type **53**.
 2. Select **Add**.
 

articles/hdinsight/hdinsight-release-notes.md

@@ -51,14 +51,17 @@ For workload specific versions, see [HDInsight 5.x component versions](./hdinsig
 
 * MSI Based authentication for SQL Databases.
 
-    HDInsight now offers Managed Identity for secure authentication with SQL databases in its clusters offerings. This enhancement provides a more secure mechanism for authentication.
-
+    HDInsight now offers Managed Identity for secure authentication with SQL databases in its clusters offerings. This enhancement provides a more secure mechanism for authentication. For more information see, [Use Managed Identity for SQL Database authentication in Azure HDInsight](./use-managed-identity-for-sql-database-authentication-in-azure-hdinsight.md).
+    
    To use Managed Identity with SQL databases, follow these steps: 
 
     * This feature isn't enabled by default. To enable it, submit a [support ticket](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview) with your subscription and region details.
 
     * After the capability has been enabled, proceed to recreate the cluster.
 
+    > [!NOTE]
+    > Managed Identity is currently available only in public regions. It will be rolled out to other regions (Federal and China regions) in future releases. 
+
 ## New Regions 
 
 * New Zealand North.

articles/hdinsight/use-managed-identity-for-sql-database-authentication-in-azure-hdinsight.md

@@ -23,12 +23,12 @@ The Managed Identity (MI) option is available for the following Databases:
 |Ranger (ESP)|❌ | ❌ |
 
 > [!NOTE]
-> * Managed Identity (MI) is currently available only in public regions.
+> * Managed Identity (MI) is currently available only in public regions. It will be rolled out to other regions (Federal and China regions) in future releases.
 > * MI option isn't enabled by default. To get it enabled, submit a [support ticket](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview) with your subscription and region details.
 
 > [!IMPORTANT]
 > * It's recommended not to update the Managed Identity after cluster recreation as it can disrupt cluster operation.
-> *  When you recreate an MSI with the same name, users must recreate the contained user and reassign roles, as the new MSI will have different object and client IDs even if the name remains unchanged.
+> * When you recreate an MSI with the same name, you must recreate the contained user and reassign roles, as the new MSI will have different object and client IDs even if the name remains unchanged.
 
 
 ## Steps to Use Managed Identity during cluster creation in Azure portal

articles/iot/tutorial-iot-industrial-solution-architecture.md

@@ -94,11 +94,11 @@ The station OPC UA server uses the following OPC UA node IDs for telemetry to th
 - i=418 - actual cycle time
 - i=434 - pressure
 
-### Digital feedback loop with UA Cloud Commander and UA Cloud Action
+## Digital feedback loop with UA Cloud Commander and UA Cloud Action
 
 The solution uses a digital feedback loop to manage the pressure in a simulated station. To implement the feedback loop, the solution triggers a command from the cloud on one of the OPC UA servers in the simulation. The trigger activates when simulated time-series pressure data reaches a certain threshold. You can see the pressure of the assembly machine in the Azure Data Explorer dashboard. The pressure is released at regular intervals for the Seattle production line.
 
-### Install the production line simulation and cloud services
+## Install the production line simulation and cloud services
 
 Select the **Deploy** button to deploy all required resources to your Azure subscription:
 
@@ -123,7 +123,7 @@ curl -sfL https://get.k3s.io | sh
 
 Your VM is now ready to run the production line simulation.
 
-### Run the production line simulation
+## Run the production line simulation
 
 In the VM, open a Windows command prompt, enter *wsl*, and press **Enter**. Navigate to the `/mnt/c/ManufacturingOntologies-main/Tools/FactorySimulation` directory and run the **StartSimulation** shell script:
 

articles/operator-nexus/TOC.yml

@@ -206,8 +206,14 @@
           href: howto-set-up-break-glass-access.md
         - name: How to use-break-glass-access
           href: howto-use-break-glass-access.md
-        - name: How to enable-Micro-BFD on CE and PE devices.md
+        - name: How to enable-Micro-BFD on CE and PE devices
           href: howto-enable-micro-bfd.md
+        - name: How to replace a terminal server
+          href: howto-replace-a-terminal-server.md
+        - name: How to upgrade os of terminal server
+          href: howto-upgrade-os-of-terminal-server.md
+        - name: How to restrict serial port access and set timeout on terminal-server
+          href: howto-restrict-serial-port-access-and-set-timeout-on-terminal-server.md       
     - name: Cluster
       expanded: false
       items:

articles/operator-nexus/howto-replace-a-terminal-server.md

@@ -0,0 +1,69 @@
+---
+title: How to replace a terminal server within Azure Operator Nexus Network Fabric
+description: Process of replacing a terminal server within Azure Operator Nexus Network Fabric
+author: sushantjrao 
+ms.author: sushrao
+ms.service: azure-operator-nexus
+ms.topic: how-to
+ms.date: 01/24/2025
+ms.custom: template-how-to, devx-track-azurecli
+---
+
+# Replacing a terminal server
+
+This guide provides a step-by-step process for replacing a Terminal Server (TS) within Azure Operator Nexus Network Fabric. The procedure includes cleaning up the existing TS, removing the TS, installing a new TS, and configuring the Terminal Server.
+
+## Pre-replacement cleanup (Customer action)
+
+Before initiating the Return Merchandise Authorization (RMA) for the existing Terminal Server, ensure a thorough cleanup of the device. This step is crucial if the TS is still accessible.
+
+### Manual cleanup tasks
+
+1. Verify TS password in KeyVault
+
+    Confirm that the current Terminal Server password is stored in the customer NFC KeyVault secrets.
+
+2. Stop active services
+
+    On the Terminal Server, navigate to the directory under /mnt/nvram/ that begins with the name `opengear` (ensure you select the directory for the latest version, if multiple directories are present).
+
+3. Run the following command to stop the relevant services:
+    
+    ```bash
+    sudo bash stop.sh   
+    ```
+
+4. Remove configuration and certificate files
+
+    Access the /mnt/nvram/ directory to ensure all configuration files, certificates, and the Open Gear file are deleted, leaving no traces of previous configurations.
+
+### Device removal (Customer action)
+
+Once the cleanup is complete, proceed with physically removing the existing Terminal Server from the rack.
+
+### Installation of new device (Customer action)
+
+After the old TS is removed, install the new Terminal Server in the rack. Follow the guidelines provided in the public documentation for [Terminal Server setup](howto-platform-prerequisites.md)
+
+Validate the connectivity of both Net1 and Net2 interfaces to ensure proper network functionality.
+
+Set up the terminal server device with the same password and username as before. This password can be obtained from the customer Network Fabric Controller (NFC) KeyVault secrets. The username can be obtained by doing an ARM GET on the network fabric resource.
+
+### Microsoft engineering support
+
+After the new Terminal Server is installed and configured, open a support ticket with Microsoft to complete the setup. Microsoft engineers will trigger a lockbox action for *Reprovisioning Terminal Server Device*.
+
+>[!Note]
+>The user is expected to setup the terminal server with the same username and password as stored in customer NFC key vault.
+
+Wait for the operation to complete.
+
+>[!Note] 
+> The lockbox operation will execute the following tasks:
+> - Configure's essential services, including httpd and dhcpd.<br>
+> - Set's up the Net3 interface.<br>
+> - Copies necessary OS, dhcpd configuration, device configurations, and certificate files to the appropriate directories.<br>
+> - Transfers the configuration files and certificates to the /mnt/nvram/conf directory.<br>
+> - Restarts the DHCPD service.<br>
+> - Ensures that configuration files are accessible via the HTTP service for further validation.<br>
+