Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into aks-networking-additions

Author: asudbring

articles/app-service/environment/ase-multi-tenant-comparison.md

@@ -74,7 +74,7 @@ App Service Environment v3 tends to be more expensive than the public multitenan
 |Pricing     |[Pay per instance](overview.md#pricing)|[Pay per instance](../../app-service/overview-hosting-plans.md)|
 |Reserved instances|[Available](overview.md#pricing)|[Available](../../app-service/overview-hosting-plans.md)|
 |Savings plans|[Available](overview.md#pricing)|[Available](../../app-service/overview-hosting-plans.md)|
-|Availability zone pricing|[There's a minimum charge of 18 cores.](overview.md#pricing) There's no added charge for availability zone support if you have 18 or more cores across your App Service plan instances. If you have fewer than 18 cores across your App Service plans in the zone redundant App Service Environment, the difference between 18 cores and the sum of the cores from the running instance count is charged as Windows I1v2 instances.|[Three instance minimum enforced per App Service plan](../../reliability/reliability-app-service.md#pricing).|
+|Availability zone pricing|[There's a minimum charge of 18 cores.](overview.md#pricing) There's no added charge for availability zone support if you have 18 or more cores across your App Service plan instances. If you have fewer than 18 cores across your App Service plans in the zone redundant App Service Environment, the difference between 18 cores and the sum of the cores from the running instance count is charged as Windows I1v2 instances.|[Three instance minimum enforced per App Service plan](../../reliability/reliability-app-service.md#cost).|
 
 ### Frequently asked questions
 

articles/bastion/session-recording.md

@@ -65,14 +65,18 @@ In this section, you set up and specify the container for session recordings.
 
 1. Within the storage account, create a **Container**. This is the container you'll use to store your Bastion session recordings. We recommend that you create an exclusive container for session recordings. For steps, see [Create a container](../storage/blobs/storage-quickstart-blobs-portal.md#create-a-container).
 1. On the page for your storage account, in the left pane, expand **Settings**. Select **Resource sharing (CORS)**.
-1. Create a new policy under Blob service.
-    * For **Allowed origins**, type `HTTPS://` followed by the DNS name of your bastion.
-    * For **Allowed Methods**, select GET.
-    * For **Max Age**, use ***86400***.
-    * You can leave the other fields blank.
-
-      :::image type="content" source="./media/session-recording/service.png" alt-text="Screenshot shows the Resource sharing page for Blob service configuration." lightbox="./media/session-recording/service.png":::
-1. **Save** your changes at the top of the page.
+1. Create a new policy under Blob service and save your changes at the top of the page.
+
+| Name |  Value |
+|---|---|
+ |Allowed origins | `https://` followed by the full DNS name of your bastion, starting with `bst-`. Keep in mind, these values are case-sensitive. |
+|Allowed methods | GET|
+|Allowed headers |*|
+|Exposed headers|*|
+|Max age| 86400|
+
+
+
 
 ## Add or update the SAS URL
 

articles/batch/pool-endpoint-configuration.md

@@ -2,28 +2,39 @@
 title: Configure node endpoints in Azure Batch pool
 description: How to configure or disable access to SSH or RDP ports on compute nodes in an Azure Batch pool.
 ms.topic: how-to
-ms.date: 06/13/2024
+ms.date: 11/08/2024
 ---
 
 # Configure or disable remote access to compute nodes in an Azure Batch pool
 
-By default, Batch allows a [node user](/rest/api/batchservice/computenode/adduser) with network connectivity to connect externally to a compute node in a Batch pool. For example, a user can connect by Remote Desktop (RDP) on port 3389 to a compute node in a Windows pool. Similarly, by default, a user can connect by Secure Shell (SSH) on port 22 to a compute node in a Linux pool. 
+If configured, you can allow a [node user](/rest/api/batchservice/computenode/adduser) with network connectivity to connect
+externally to a compute node in a Batch pool. For example, a user can connect by Remote Desktop (RDP) on port 3389 to a
+compute node in a Windows pool. Similarly, by default, a user can connect by Secure Shell (SSH) on port 22 to a compute
+node in a Linux pool.
 
-In your environment, you might need to restrict or disable these default external access settings. You can modify these settings by using the Batch APIs to set the [PoolEndpointConfiguration](/rest/api/batchservice/pool/add#poolendpointconfiguration) property. 
+> [!TIP]
+> As of API version `2024-07-01`, Batch no longer automatically maps common remote access ports for SSH and RDP.
+> If you wish to allow remote access to your Batch compute nodes with pools created with API version `2024-07-01` or later,
+> then you must manually configure the pool endpoint configuration to enable such access.
 
-## About the pool endpoint configuration
-The endpoint configuration consists of one or more [network address translation (NAT) pools](/rest/api/batchservice/pool/add#inboundnatpool) of frontend ports. (Do not confuse a NAT pool with the Batch pool of compute nodes.) You set up each NAT pool to override the default connection settings on the pool's compute nodes. 
+In your environment, you might need to enable, restrict, or disable external access settings or any other ports you wish
+on the Batch pool. You can modify these settings by using the Batch APIs to set the
+[PoolEndpointConfiguration](/rest/api/batchservice/pool/add#poolendpointconfiguration) property.
+
+## Batch pool endpoint configuration
+The endpoint configuration consists of one or more [network address translation (NAT) pools](/rest/api/batchservice/pool/add#inboundnatpool)
+of frontend ports. Don't confuse a NAT pool with the Batch pool of compute nodes. You set up each NAT pool to override
+the default connection settings on the pool's compute nodes.
 
 Each NAT pool configuration includes one or more [network security group (NSG) rules](/rest/api/batchservice/pool/add#networksecuritygrouprule). Each NSG rule allows or denies certain network traffic to the endpoint. You can choose to allow or deny all traffic, traffic identified by a [service tag](../virtual-network/network-security-groups-overview.md#service-tags) (such as "Internet"), or traffic from specific IP addresses or subnets.
 
 ### Considerations
 * The pool endpoint configuration is part of the pool's [network configuration](/rest/api/batchservice/pool/add#networkconfiguration). The network configuration can optionally include settings to join the pool to an [Azure virtual network](batch-virtual-network.md). If you set up the pool in a virtual network, you can create NSG rules that use address settings in the virtual network.
 * You can configure multiple NSG rules when you configure a NAT pool. The rules are checked in the order of priority. Once a rule applies, no more rules are tested for matching.
 
+## Example: Allow RDP traffic from a specific IP address
 
-## Example: Deny all RDP traffic
-
-The following C# snippet shows how to configure the RDP endpoint on compute nodes in a Windows pool to deny all network traffic. The endpoint uses a frontend pool of ports in the range *60000 - 60099*. 
+The following C# snippet shows how to configure the RDP endpoint on compute nodes in a Windows pool to allow RDP access only from IP address *198.168.100.7*. The second NSG rule denies traffic that doesn't match the IP address.
 
 ```csharp
 using Microsoft.Azure.Batch;
@@ -32,24 +43,25 @@ using Microsoft.Azure.Batch.Common;
 namespace AzureBatch
 {
     public void SetPortsPool()
-    {   
+    {
         pool.NetworkConfiguration = new NetworkConfiguration
         {
-            EndpointConfiguration = new PoolEndpointConfiguratio(new InboundNatPool[]
+            EndpointConfiguration = new PoolEndpointConfiguration(new InboundNatPool[]
             {
-              new InboundNatPool("RDP", InboundEndpointProtocol.Tcp, 3389, 60000, 60099, new NetworkSecurityGroupRule[]
+                new InboundNatPool("RDP", InboundEndpointProtocol.Tcp, 3389, 7500, 8000, new NetworkSecurityGroupRule[]
                 {
-                    new NetworkSecurityGroupRule(162, NetworkSecurityGroupRuleAccess.Deny, "*"),
+                    new NetworkSecurityGroupRule(179, NetworkSecurityGroupRuleAccess.Allow, "198.168.100.7"),
+                    new NetworkSecurityGroupRule(180, NetworkSecurityGroupRuleAccess.Deny, "*")
                 })
-            })    
+            })
         };
     }
 }
 ```
 
-## Example: Deny all SSH traffic from the internet
+## Example: Allow SSH traffic from a specific subnet
 
-The following Python snippet shows how to configure the SSH endpoint on compute nodes in a Linux pool to deny all internet traffic. The endpoint uses a frontend pool of ports in the range *4000 - 4100*. 
+The following Python snippet shows how to configure the SSH endpoint on compute nodes in a Linux pool to allow access only from the subnet *192.168.1.0/24*. The second NSG rule denies traffic that doesn't match the subnet.
 
 ```python
 from azure.batch import models as batchmodels
@@ -67,8 +79,13 @@ class AzureBatch(object):
                     network_security_group_rules=[
                         batchmodels.NetworkSecurityGroupRule(
                             priority=170,
-                            access=batchmodels.NetworkSecurityGroupRuleAccess.deny,
-                            source_address_prefix='Internet'
+                            access='allow',
+                            source_address_prefix='192.168.1.0/24'
+                        ),
+                        batchmodels.NetworkSecurityGroupRule(
+                            priority=175,
+                            access='deny',
+                            source_address_prefix='*'
                         )
                     ]
                 )
@@ -77,9 +94,17 @@ class AzureBatch(object):
         )
 ```
 
-## Example: Allow RDP traffic from a specific IP address
 
-The following C# snippet shows how to configure the RDP endpoint on compute nodes in a Windows pool to allow RDP access only from IP address *198.51.100.7*. The second NSG rule denies traffic that does not match the IP address.
+
+## Example: Deny all RDP traffic
+
+The following C# snippet shows how to configure the RDP endpoint on compute nodes in a Windows pool to deny all network traffic. The endpoint uses a frontend pool of ports in the range *60000 - 60099*.
+
+> [!NOTE]
+> As of Batch API version `2024-07-01`, port 3389 typically associated with RDP is no longer mapped by default.
+> Creating an explicit deny rule is no longer required if access is not needed from the Internet for Batch pools
+> created with this API version or later. You may still need to specify explicit deny rules to restrict access
+> from other sources.
 
 ```csharp
 using Microsoft.Azure.Batch;
@@ -91,22 +116,27 @@ namespace AzureBatch
     {
         pool.NetworkConfiguration = new NetworkConfiguration
         {
-            EndpointConfiguration = new PoolEndpointConfiguration(new InboundNatPool[]
+            EndpointConfiguration = new PoolEndpointConfiguratio(new InboundNatPool[]
             {
-                new InboundNatPool("RDP", InboundEndpointProtocol.Tcp, 3389, 7500, 8000, new NetworkSecurityGroupRule[]
-                {   
-                    new NetworkSecurityGroupRule(179, NetworkSecurityGroupRuleAccess.Allow, "198.51.100.7"),
-                    new NetworkSecurityGroupRule(180, NetworkSecurityGroupRuleAccess.Deny, "*")
+              new InboundNatPool("RDP", InboundEndpointProtocol.Tcp, 3389, 60000, 60099, new NetworkSecurityGroupRule[]
+                {
+                    new NetworkSecurityGroupRule(162, NetworkSecurityGroupRuleAccess.Deny, "*"),
                 })
-            })    
+            })
         };
     }
 }
 ```
 
-## Example: Allow SSH traffic from a specific subnet
+## Example: Deny all SSH traffic from the internet
+
+The following Python snippet shows how to configure the SSH endpoint on compute nodes in a Linux pool to deny all internet traffic. The endpoint uses a frontend pool of ports in the range *4000 - 4100*.
 
-The following Python snippet shows how to configure the SSH endpoint on compute nodes in a Linux pool to allow access only from the subnet *192.168.1.0/24*. The second NSG rule denies traffic that does not match the subnet.
+> [!NOTE]
+> As of Batch API version `2024-07-01`, port 22 typically associated with SSH is no longer mapped by default.
+> Creating an explicit deny rule is no longer required if access is not needed from the Internet for Batch pools
+> created with this API version or later. You may still need to specify explicit deny rules to restrict access
+> from other sources.
 
 ```python
 from azure.batch import models as batchmodels
@@ -124,13 +154,8 @@ class AzureBatch(object):
                     network_security_group_rules=[
                         batchmodels.NetworkSecurityGroupRule(
                             priority=170,
-                            access='allow',
-                            source_address_prefix='192.168.1.0/24'
-                        ),
-                        batchmodels.NetworkSecurityGroupRule(
-                            priority=175,
-                            access='deny',
-                            source_address_prefix='*'
+                            access=batchmodels.NetworkSecurityGroupRuleAccess.deny,
+                            source_address_prefix='Internet'
                         )
                     ]
                 )
@@ -142,4 +167,4 @@ class AzureBatch(object):
 ## Next steps
 
 - Learn about the [Batch service workflow and primary resources](batch-service-workflow-features.md) such as pools, nodes, jobs, and tasks.
-- For more information about NSG rules in Azure, see [Filter network traffic with network security groups](../virtual-network/network-security-groups-overview.md).
+- For more information about NSG rules in Azure, see [Filter network traffic with network security groups](../virtual-network/network-security-groups-overview.md).

articles/reliability/TOC.yml

@@ -23,7 +23,7 @@
       - name: Azure Application Gateway
         href: migrate-app-gateway-v2.md
       - name: Azure App Service
-        href: reliability-app-service.md#availability-zone-migration
+        href: reliability-app-service.md#configure-availability-zone-support
       - name: Azure Functions
         href: migrate-functions.md
       - name: Azure Cache for Redis