Merge pull request #290200 from MicrosoftDocs/main

11/8/2024 AM Publish

Author: Taojunshen

articles/app-service/overview-vnet-integration.md

@@ -76,6 +76,12 @@ Because subnet size can't be changed after assignment, use a subnet that's large
 
 With multi plan subnet join (MPSJ), you can join multiple App Service plans in to the same subnet. All App Service plans must be in the same subscription but the virtual network/subnet can be in a different subscription. Each instance from each App Service plan requires an IP address from the subnet and to use MPSJ a minimum size of `/26` subnet is required. If you plan to join many and/or large scale plans, you should plan for larger subnet ranges.
 
+> [!IMPORTANT]
+> Due to a known bug, MPSJ fails if multiple sites are created and attempt to integrate with the virtual network at the same time. A fix will be deployed soon. In the meantime, you can work around the issue with either of the following methods:
+> * If you create sites manually, create and integrate the sites one by one.
+> * If you create sites programmatically, for example using Terraform or ARM templates, add a [dependsOn](/azure/azure-resource-manager/templates/resource-dependency#dependson) element to each site in your templates to depend on the creation of the previous site for all but the first site in the template. This creates a delay between the site creation and the virtual network integration for each site and therefore isn't blocked by the known bug. For more information see, [Define the order for deploying resources in ARM templates](/azure/azure-resource-manager/templates/resource-dependency).
+>
+
 ### Windows Containers specific limits
 
 Windows Containers uses an extra IP address per app for each App Service plan instance, and you need to size the subnet accordingly. If you have, for example, 10 Windows Container App Service plan instances with four apps running, you need 50 IP addresses and extra addresses to support horizontal (in/out) scale.

articles/application-gateway/for-containers/alb-controller-release-notes.md

@@ -5,7 +5,7 @@ services: application-gateway
 author: greglin
 ms.service: azure-appgw-for-containers
 ms.topic: release-notes
-ms.date: 5/9/2024
+ms.date: 11/7/2024
 ms.author: greglin
 ---
 
@@ -26,12 +26,13 @@ Instructions for new or existing deployments of ALB Controller are found in the
 
 | ALB Controller Version | Gateway API Version | Kubernetes Version | Release Notes |
 | ---------------------- | ------------------- | ------------------ | ------------- |
-| 1.2.3| v1.1 | v1.26, v1.27, v1.28, v1.29, v1.30 | Gateway API v1.1, gRPC support, frontend mutual authentication, readiness probe fixes, custom health probe port and TLS mode  |
+| 1.3.7| v1.1 | v1.26, v1.27, v1.28, v1.29, v1.30 | Minor fixes and improvements |
 
 ## Release history
 
 | ALB Controller Version | Gateway API Version | Kubernetes Version | Release Notes |
 | ---------------------- | ------------------- | ------------------ | ------------- |
+| 1.2.3| v1.1 | v1.26, v1.27, v1.28, v1.29, v1.30 | Gateway API v1.1, gRPC support, frontend mutual authentication, readiness probe fixes, custom health probe port and TLS mode  |
 | 1.0.2| v1 | v1.26, v1.27, v1.28, v1.29 | ECDSA + RSA certificate support for both Ingress and Gateway API, Ingress fixes, Server-sent events support |
 | 1.0.0| v1 | v1.26, v1.27, v1.28 | General Availability! URL redirect for both Gateway and Ingress API, v1beta1 -> v1 of Gateway API, quality improvements<br/>Breaking Changes: TLS Policy for Gateway API [PolicyTargetReference](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1alpha2.PolicyTargetReferenceWithSectionName)<br/>Listener is now referred to as [SectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.SectionName)<br/>Fixes: Request timeout of 3 seconds, [HealthCheckPolicy interval](https://github.com/Azure/AKS/issues/4086), [pod crash for missing API fields](https://github.com/Azure/AKS/issues/4087) |
 | 0.6.3 | v1beta1 | v1.25 | Hotfix to address handling of Application Gateway for Containers frontends during controller restart in managed scenario |

articles/application-gateway/for-containers/examples/http-scenario/deployment.yaml

@@ -0,0 +1,103 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-infra
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: backend-v1
+  namespace: test-infra
+spec:
+  selector:
+    app: backend-v1
+  ports:
+    - protocol: TCP
+      port: 8080
+      targetPort: 3000
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: backend-v1
+  namespace: test-infra
+  labels:
+    app: backend-v1
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: backend-v1
+  template:
+    metadata:
+      labels:
+        app: backend-v1
+    spec:
+      containers:
+      - name: backend-v1
+        image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+        lifecycle:
+          preStop:
+            exec:
+              command: ["sleep", "10"]
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        resources:
+          requests:
+            cpu: 10m
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: backend-v2
+  namespace: test-infra
+spec:
+  selector:
+    app: backend-v2
+  ports:
+    - protocol: TCP
+      port: 8080
+      targetPort: 3000
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: backend-v2
+  namespace: test-infra
+  labels:
+    app: backend-v2
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: backend-v2
+  template:
+    metadata:
+      labels:
+        app: backend-v2
+    spec:
+      containers:
+      - name: backend-v2
+        image: gcr.io/k8s-staging-ingressconformance/echoserver:v20221109-7ee2f3e
+        env:
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        resources:
+          requests:
+            cpu: 10m

articles/application-gateway/for-containers/examples/https-scenario/end-to-end-ssl-with-backend-mtls/deployment.yaml

@@ -0,0 +1,131 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-infra
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: mtls-app
+  name: mtls-app
+  namespace: test-infra
+spec:
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: 8443
+  selector:
+    app: mtls-app
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mtls-app
+  namespace: test-infra
+spec:
+  selector:
+    matchLabels:
+      app: mtls-app
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: mtls-app
+    spec:
+      containers:
+        - name: mtls-app
+          imagePullPolicy: Always
+          image: nginx:1.23.2
+          ports:
+            - containerPort: 8443
+          volumeMounts:
+          - mountPath: /etc/nginx/ssl
+            name: secret-volume
+          - mountPath: /etc/nginx/client_certs
+            name: ca-volume
+          - mountPath: /etc/nginx/conf.d
+            name: configmap-volume
+          resources:
+            limits:
+              cpu: 700m
+              memory: 300Mi
+            requests:
+              cpu: 100m
+              memory: 20Mi
+      volumes:
+      - name: secret-volume
+        secret:
+          secretName: backend.com
+      - name: ca-volume
+        secret:
+          secretName: ca.bundle
+      - name: configmap-volume
+        configMap:
+          name: mtls-app-nginx-cm
+---
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mtls-app-nginx-cm
+  namespace: test-infra
+data:
+  default.conf: |-
+    server {
+        listen 8443 ssl;
+        server_name backend.com;
+        root /usr/share/nginx/html;
+        index index.html;
+        ssl_certificate /etc/nginx/ssl/tls.crt;
+        ssl_certificate_key /etc/nginx/ssl/tls.key;
+        ssl_client_certificate /etc/nginx/client_certs/ca.crt;
+        location / {
+          return 200 "Hello World!";
+        }
+    }
+---
+
+apiVersion: v1
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUIrekNDQWFHZ0F3SUJBZ0lVTkxLSUNDQTJBcWdRWjVNbDFLQ1kvOGVUL0Njd0NnWUlLb1pJemowRUF3UXcKRGpFTU1Bb0dBMVVFQXd3RFptOXZNQjRYRFRJek1ERXdOREl5TVRFd01sb1hEVEkxTVRBeU5ESXlNVEV3TWxvdwpGakVVTUJJR0ExVUVBd3dMWW1GamEyVnVaQzVqYjIwd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxaGtqT1BRTUJCd05DCkFBU0ZnWkU2d2NSek1adzNRZFgxdTBkekJpdmpsRUNpSFBEZFY5OWhHeUJ4dEVQekVhYXFBK3RCb2kxQ2FrbmMKS1FHSHZTbGF1SXdlNDJiUm81ZFE3cng0bzRIVU1JSFJNQWtHQTFVZEV3UUNNQUF3RVFZSllJWklBWWI0UWdFQgpCQVFEQWdaQU1DTUdDV0NHU0FHRytFSUJEUVFXRmhSTmVTQkdhWEp6ZENCRFpYSjBhV1pwWTJGMFpUQWRCZ05WCkhRNEVGZ1FVOEw2bGQ4VHh3Qmt4NXU2WkhGN3lFMDBpcUc0d013WURWUjBqQkN3d0txRVNwQkF3RGpFTU1Bb0cKQTFVRUF3d0RabTl2Z2hRbVpVaElVSGk2MVpoSkxuTEYwT0R3VWhSMXdqQUxCZ05WSFE4RUJBTUNCZUF3RXdZRApWUjBsQkF3d0NnWUlLd1lCQlFVSEF3RXdGZ1lEVlIwUkJBOHdEWUlMWW1GamEyVnVaQzVqYjIwd0NnWUlLb1pJCnpqMEVBd1FEU0FBd1JRSWhBTUZkWkdudkYyN09ScFdqN2d0UW10SXAwb0hsa2Q3Si83MFFXRUdWblR6dkFpQlcKdTRmNURENzMyTVRlMzh3aHFPZndwRXU4WnlNeTgxWTJ5OTBrVktZMUFnPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  tls.key: LS0tLS1CRUdJTiBFQyBQQVJBTUVURVJTLS0tLS0KQmdncWhrak9QUU1CQnc9PQotLS0tLUVORCBFQyBQQVJBTUVURVJTLS0tLS0KLS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUs3cGxVS3dJVEFuTzh3ZXFWYk9uNkhhYmpjVWltQU5CcHdPNnRUMTdzL29vQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFaFlHUk9zSEVjekdjTjBIVjlidEhjd1lyNDVSQW9oenczVmZmWVJzZ2NiUkQ4eEdtcWdQcgpRYUl0UW1wSjNDa0JoNzBwV3JpTUh1Tm0wYU9YVU82OGVBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+kind: Secret
+metadata:
+  name: backend.com
+  namespace: test-infra
+type: kubernetes.io/tls
+---
+
+apiVersion: v1
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUIvVENDQWFPZ0F3SUJBZ0lVTkxLSUNDQTJBcWdRWjVNbDFLQ1kvOGVUL0Nnd0NnWUlLb1pJemowRUF3UXcKRGpFTU1Bb0dBMVVFQXd3RFptOXZNQjRYRFRJek1ERXdOREl5TVRFeE5Wb1hEVEkxTVRBeU5ESXlNVEV4TlZvdwpGekVWTUJNR0ExVUVBd3dNWm5KdmJuUmxibVF1WTI5dE1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEClFnQUUvb1NUSGVKTy92S095WXNQS3pmR09Ec1J1c3NlLzhOOWxZcVE2TmdzZUdlaXlJNzV0UHJxUWpZNzhIa2IKL3gxWTIrcXY4YnAzbzhlR1ExVXEyV2VvamFPQjFUQ0IwakFKQmdOVkhSTUVBakFBTUJFR0NXQ0dTQUdHK0VJQgpBUVFFQXdJR1FEQWpCZ2xnaGtnQmh2aENBUTBFRmhZVVRYa2dSbWx5YzNRZ1EyVnlkR2xtYVdOaGRHVXdIUVlEClZSME9CQllFRkRmWFFXQzMxbDFGbEJUMEp1QWhhU3VUa2Jic01ETUdBMVVkSXdRc01DcWhFcVFRTUE0eEREQUsKQmdOVkJBTU1BMlp2YjRJVUptVklTRkI0dXRXWVNTNXl4ZERnOEZJVWRjSXdDd1lEVlIwUEJBUURBZ1hnTUJNRwpBMVVkSlFRTU1Bb0dDQ3NHQVFVRkJ3TUJNQmNHQTFVZEVRUVFNQTZDREdaeWIyNTBaVzVrTG1OdmJUQUtCZ2dxCmhrak9QUVFEQkFOSUFEQkZBaUVBbTYvaS9oUlQ2OEh4VTdLRmF3WElDSHhTSi9ic3gxalFUS1hEakgxbjFja0MKSUhlN3lBcm0rWFdCTFF1WEFhbzJQNmNzNHA3bW9CNXFGRGQ3M2RDZEFWSzQKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  tls.key: LS0tLS1CRUdJTiBFQyBQQVJBTUVURVJTLS0tLS0KQmdncWhrak9QUU1CQnc9PQotLS0tLUVORCBFQyBQQVJBTUVURVJTLS0tLS0KLS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUhOOGl1R2hIb25ReHhJUWV1a0VVTllXYnRhWGFtSDFseTBCcmtNTXI1eVFvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFL29TVEhlSk8vdktPeVlzUEt6ZkdPRHNSdXNzZS84TjlsWXFRNk5nc2VHZWl5STc1dFBycQpRalk3OEhrYi94MVkyK3F2OGJwM284ZUdRMVVxMldlb2pRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+kind: Secret
+metadata:
+  name: frontend.com
+  namespace: test-infra
+type: kubernetes.io/tls
+---
+
+apiVersion: v1
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNERENDQWJHZ0F3SUJBZ0lVTkxLSUNDQTJBcWdRWjVNbDFLQ1kvOGVUL0Nrd0NnWUlLb1pJemowRUF3UXcKRGpFTU1Bb0dBMVVFQXd3RFptOXZNQjRYRFRJek1ERXdOREl5TVRJeE5Gb1hEVEkxTVRBeU5ESXlNVEl4TkZvdwpIakVjTUJvR0ExVUVBd3dUWjJGMFpYZGhlUzFqYkdsbGJuUXRZMlZ5ZERCWk1CTUdCeXFHU000OUFnRUdDQ3FHClNNNDlBd0VIQTBJQUJMYVVieXBOR0FITWVyNy91NlhhMGJyRXdUS09HNTFHelZSTlpTL2pGelVnMXd4WSsxb1oKcWdzb1lXeWQyZDQwejM1dXd4OGpBaFFCRmdtL3FJd1N2ZFdqZ2R3d2dka3dDUVlEVlIwVEJBSXdBREFSQmdsZwpoa2dCaHZoQ0FRRUVCQU1DQmtBd0l3WUpZSVpJQVliNFFnRU5CQllXRkUxNUlFWnBjbk4wSUVObGNuUnBabWxqCllYUmxNQjBHQTFVZERnUVdCQlNmbmRvSFdreDcySHo1MTkxY0pUUG91TnlpNGpBekJnTlZIU01FTERBcW9SS2sKRURBT01Rd3dDZ1lEVlFRRERBTm1iMitDRkNabFNFaFFlTHJWbUVrdWNzWFE0UEJTRkhYQ01Bc0dBMVVkRHdRRQpBd0lGNERBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREFUQWVCZ05WSFJFRUZ6QVZnaE5uWVhSbGQyRjVMV05zCmFXVnVkQzFqWlhKME1Bb0dDQ3FHU000OUJBTUVBMGtBTUVZQ0lRRHpFeFBNMk5GTStjZmJaZXZhT1dFcGJ3d0UKeVBtdytCc2pycFIvTElrM0hBSWhBS0cyYXQ0cDd5bGdrdVUra2NPYmZYM0Rta1hsMnNiMVJYb2g4NWxkbVJUSAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+  tls.key: LS0tLS1CRUdJTiBFQyBQQVJBTUVURVJTLS0tLS0KQmdncWhrak9QUU1CQnc9PQotLS0tLUVORCBFQyBQQVJBTUVURVJTLS0tLS0KLS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUUxZEF6SUJDVkhDY0p3WlBrU0ZVTWtIaXVMRENqRk1nMEwyRm5Dck9kOXhvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFdHBSdktrMFlBY3g2dnYrN3BkclJ1c1RCTW80Ym5VYk5WRTFsTCtNWE5TRFhERmo3V2htcQpDeWhoYkozWjNqVFBmbTdESHlNQ0ZBRVdDYitvakJLOTFRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
+kind: Secret
+metadata:
+  name: gateway-client-cert
+  namespace: test-infra
+type: kubernetes.io/tls
+---
+
+apiVersion: v1
+data:
+  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJGakNCdlFJVUptVklTRkI0dXRXWVNTNXl4ZERnOEZJVWRjSXdDZ1lJS29aSXpqMEVBd1F3RGpFTU1Bb0cKQTFVRUF3d0RabTl2TUI0WERUSXpNREV3TkRJeE5UWXpNbG9YRFRRek1ERXdOakl4TlRZek1sb3dEakVNTUFvRwpBMVVFQXd3RFptOXZNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVsK1NyVVpBcXRSVHVYb05ECnA0UTMxcE82bFlxUFFOSE8vVTNpdVNqWjRSZ09NMVM2SnZCMkd5ekttVHhSQ3ZxY2x3Yks0NXl3WTd3a1BLa1kKaGh0WkVUQUtCZ2dxaGtqT1BRUURCQU5JQURCRkFpQU9sd1N3QmMwT1VxRko3U2l5T3lLOXVCRWQ1a29PcjdZVQo1YXZmY3lpaVV3SWhBTDRjRlFvMXVjYkpnT2VOenM5MXZja1BEcGR1by9KbjFtMlh6ejRWVUZYQQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+kind: Secret
+metadata:
+  name: ca.bundle
+  namespace: test-infra
+