Merge branch 'main' into release-aio-m2

Author: v-alje

articles/app-service/overview-private-endpoint.md

@@ -28,9 +28,9 @@ Using private endpoint for your app enables you to:
 
 A private endpoint is a special network interface (NIC) for your App Service app in a subnet in your virtual network.
 When you create a private endpoint for your app, it provides secure connectivity between clients on your private network and your app. The private endpoint is assigned an IP Address from the IP address range of your virtual network.
-The connection between the private endpoint and the app uses a secure [Private Link](../private-link/private-link-overview.md). Private endpoint is only used for incoming traffic to your app. Outgoing traffic won't use this private endpoint. You can inject outgoing traffic to your network in a different subnet through the [virtual network integration feature](./overview-vnet-integration.md).
+The connection between the private endpoint and the app uses a secure [Private Link](../private-link/private-link-overview.md). Private endpoint is only used for incoming traffic to your app. Outgoing traffic doesn't use this private endpoint. You can inject outgoing traffic to your network in a different subnet through the [virtual network integration feature](./overview-vnet-integration.md).
 
-Each slot of an app is configured separately. You can plug up to 100 private endpoints per slot. You can't share a private endpoint between slots. The sub-resource name of a slot is `sites-<slot-name>`.
+Each slot of an app is configured separately. You can plug up to 100 private endpoints per slot. You can't share a private endpoint between slots. The subresource name of a slot is `sites-<slot-name>`.
 
 The subnet where you plug the private endpoint can have other resources in it, you don't need a dedicated empty subnet.
 You can also deploy the private endpoint in a different region than your app. 
@@ -40,11 +40,11 @@ You can also deploy the private endpoint in a different region than your app.
 
 From a security perspective:
 
-- Private endpoint and public access can co-exist on an app. For more information, see [overview of access restrictions](./overview-access-restrictions.md#how-it-works)
+- Private endpoint and public access can coexist on an app. For more information, see [overview of access restrictions](./overview-access-restrictions.md#how-it-works)
 - When you enable private endpoints to your app, ensure that public network access is disabled to ensure isolation.
 - You can enable multiple private endpoints in others virtual networks and subnets, including virtual network in other regions.
 - The access restrictions rules of your app aren't evaluated for traffic through the private endpoint.
-- You can eliminate the data exfiltration risk from the virtual network by removing all NSG rules where destination is tag Internet or Azure services.
+- You can eliminate the data exfiltration risk from the virtual network by removing all Network Security Group (NSG) rules where destination is tag Internet or Azure services.
 
 In the Web HTTP logs of your app, you find the client source IP. This feature is implemented using the TCP Proxy protocol, forwarding the client IP property up to the app. For more information, see [Getting connection Information using TCP Proxy v2](../private-link/private-link-service-overview.md#getting-connection-information-using-tcp-proxy-v2).
 
@@ -55,10 +55,9 @@ In the Web HTTP logs of your app, you find the client source IP. This feature is
 
 ## DNS
 
-When you use private endpoint for App Service apps, the requested URL must match the name of your app. By default mywebappname.azurewebsites.net (see [note at top](#dnl-note)).
+When you use private endpoint for App Service apps, the requested URL must match the name of your app. By default `<app-name>.azurewebsites.net`. When you're using [unique default hostname](#dnl-note) your app name has the format `<app-name>-<random-hash>.<region>.azurewebsites.net`. In the examples below _mywebapp_ could also represent the full regionalized unique hostname.
 
-By default, without private endpoint, the public name of your web app is a canonical name to the cluster.
-For example, the name resolution is:
+By default, without private endpoint, the public name of your web app is a canonical name to the cluster. For example, the name resolution is:
 
 |Name |Type |Value |
 |-----|-----|------|
@@ -86,13 +85,13 @@ For example, the name resolution is:
 |mywebapp.azurewebsites.net|CNAME|mywebapp.privatelink.azurewebsites.net|<--Azure creates this CNAME entry in Azure Public DNS to point the app address to the private endpoint address|
 |mywebapp.privatelink.azurewebsites.net|A|10.10.10.8|<--You manage this entry in your DNS system to point to your private endpoint IP address|
 
-After this DNS configuration, you can reach your app privately with the default name mywebappname.azurewebsites.net. You must use this name, because the default certificate is issued for *.azurewebsites.net.
+After this DNS configuration, you can reach your app privately with the default name mywebapp.azurewebsites.net. You must use this name, because the default certificate is issued for *.azurewebsites.net.
 
 
 If you need to use a custom DNS name, you must add the custom name in your app and you must validate the custom name like any custom name, using public DNS resolution. 
 For more information, see [custom DNS validation](./app-service-web-tutorial-custom-domain.md).
 
-For the Kudu console, or Kudu REST API (deployment with Azure DevOps self-hosted agents for example), you must create two records pointing to the private endpoint IP in your Azure DNS private zone or your custom DNS server. The first is for your app, the second is for the SCM of your app.
+For the Kudu console, or Kudu REST API (deployment with Azure DevOps Services self-hosted agents for example) you must create two records pointing to the private endpoint IP in your Azure DNS private zone or your custom DNS server. The first is for your app, the second is for the SCM of your app.
 
 | Name | Type | Value |
 |-----|-----|-----|
@@ -111,7 +110,7 @@ az appservice ase update --name myasename --allow-new-private-endpoint-connectio
 
 ## Specific requirements
 
-If the virtual network is in a different subscription than the app, you must ensure that the subscription with the virtual network is registered for the `Microsoft.Web` resource provider. You can explicitly register the provider [by following this documentation](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider), but you also automatically register the provider when you create the first web app in a subscription.
+If the virtual network is in a different subscription than the app, you must ensure that the subscription with the virtual network is registered for the `Microsoft.Web` resource provider. You can explicitly register the provider [by following this documentation](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider) but you also automatically register the provider when you create the first web app in a subscription.
 
 ## Pricing
 
@@ -120,12 +119,12 @@ For pricing details, see [Azure Private Link pricing](https://azure.microsoft.co
 
 ## Limitations
 
-* When you use Azure Function in Elastic Premium plan with private endpoint, to run or execute the function in Azure portal, you must have direct network access or you receive an HTTP 403 error. In other words, your browser must be able to reach the private endpoint to execute the function from the Azure portal. 
+* When you use Azure Function in Elastic Premium plan with private endpoint, to run or execute the function in Azure portal you must have direct network access or you receive an HTTP 403 error. In other words, your browser must be able to reach the private endpoint to execute the function from the Azure portal. 
 * You can connect up to 100 private endpoints to a particular app.
 * Remote Debugging functionality isn't available through the private endpoint. The recommendation is to deploy the code to a slot and remote debug it there.
 * FTP access is provided through the inbound public IP address. Private endpoint doesn't support FTP access to the app.
 * IP-Based SSL isn't supported with private endpoints.
-* Apps that you configure with private endpoints cannot receive public traffic coming from subnets with `Microsoft.Web` service endpoint enabled and cannot use [service endpoint-based access restriction rules](./overview-access-restrictions.md#access-restriction-rules-based-on-service-endpoints).
+* Apps that you configure with private endpoints can't receive public traffic coming from subnets with `Microsoft.Web` service endpoint enabled and can't use [service endpoint-based access restriction rules](./overview-access-restrictions.md#access-restriction-rules-based-on-service-endpoints).
 * Private endpoint naming must follow the rules defined for resources of type `Microsoft.Network/privateEndpoints`. Naming rules can be found [here](../azure-resource-manager/management/resource-name-rules.md#microsoftnetwork). 
 
 We're improving Azure Private Link feature and private endpoint regularly, check [this article](../private-link/private-endpoint-overview.md#limitations) for up-to-date information about limitations.

articles/application-gateway/application-gateway-metrics.md

@@ -30,6 +30,10 @@ Application Gateway provides several built‑in timing metrics related to the re
 >
 > If there is more than one listener in the Application Gateway, then always filter by *Listener* dimension while comparing different latency metrics in order to get meaningful inference.
 
+> [!NOTE]
+>
+> Latency might be observed in the metric data, as all metrics are aggregated at one-minute intervals. This latency may vary for different application gateway instances based on the metric start time.
+
 You can use timing metrics to determine whether the observed slowdown is due to the client network, Application Gateway performance, the backend network and backend server TCP stack saturation, backend application performance, or large file size. For more information, see [Timing metrics](monitor-application-gateway-reference.md#timing-metrics-for-application-gateway-v2-sku).
 
 For example, if there's a spike in *Backend first byte response time* trend but the *Backend connect time* trend is stable, you can infer that the application gateway to backend latency and the time taken to establish the connection is stable. The spike is caused due to an increase in the response time of backend application. On the other hand, if the spike in *Backend first byte response time* is associated with a corresponding spike in *Backend connect time*, you can deduce that either the network between Application Gateway and backend server or the backend server TCP stack has saturated.

articles/azure-app-configuration/media/access-keys-blade.png

@@ -12,6 +12,12 @@ zone_pivot_groups: facility-ontology-schema
 
 # Facility Ontology
 
+> [!NOTE]
+>
+> **Azure Maps Creator retirement**
+>
+> The Azure Maps Creator indoor map service is now deprecated and will be retired on 9/30/25. For more information, see [End of Life Announcement of Azure Maps Creator](https://aka.ms/AzureMapsCreatorDeprecation).
+
 Facility ontology defines how Azure Maps Creator internally stores facility data in a Creator dataset.  In addition to defining internal facility data structure, facility ontology is also exposed externally through the WFS API. When WFS API is used to query facility data in a dataset, the response format is defined by the ontology supplied to that dataset.
 
 ## Changes and Revisions

articles/azure-app-configuration/media/enable-dynamic-configuration-python.png

@@ -13,6 +13,12 @@ ms.subservice: creator
 
 # Drawing conversion errors and warnings
 
+> [!NOTE]
+>
+> **Azure Maps Creator retirement**
+>
+> The Azure Maps Creator indoor map service is now deprecated and will be retired on 9/30/25. For more information, see [End of Life Announcement of Azure Maps Creator](https://aka.ms/AzureMapsCreatorDeprecation).
+
 The Azure Maps [Conversion service] lets you convert uploaded drawing packages into map data. Drawing packages must adhere to the [Drawing package requirements]. If one or more requirements aren't met, then the Conversion service returns errors or warnings. This article lists the conversion error and warning codes, with recommendations on how to resolve them. It also provides some examples of drawings that can cause the Conversion service to return these codes.
 
 The Conversion service succeeds if there are any conversion warnings. However, it's recommended that you review and resolve all warnings. A warning means part of the conversion was ignored or automatically fixed. Failing to resolve the warnings could result in errors in latter processes.

articles/azure-app-configuration/media/feature-filters/updated-feature-flag.png

@@ -12,6 +12,12 @@ ms.subservice: creator
 
 # Using the Azure Maps Drawing Error Visualizer with Creator
 
+> [!NOTE]
+>
+> **Azure Maps Creator retirement**
+>
+> The Azure Maps Creator indoor map service is now deprecated and will be retired on 9/30/25. For more information, see [End of Life Announcement of Azure Maps Creator](https://aka.ms/AzureMapsCreatorDeprecation).
+
 The *Drawing Error Visualizer* is a stand-alone web application that displays [Drawing package warnings and errors] detected during the conversion process. The Error Visualizer web application consists of a static page that you can use without connecting to the internet.  You can use the Error Visualizer to fix errors and warnings in accordance with [Drawing package requirements]. The [Azure Maps Conversion API] returns a response with a link to the Error Visualizer only when an error is detected.
 
 ## Prerequisites

articles/azure-maps/creator-facility-ontology.md

@@ -13,6 +13,12 @@ zone_pivot_groups: drawing-package-version
 
 # Drawing package requirements
 
+> [!NOTE]
+>
+> **Azure Maps Creator retirement**
+>
+> The Azure Maps Creator indoor map service is now deprecated and will be retired on 9/30/25. For more information, see [End of Life Announcement of Azure Maps Creator](https://aka.ms/AzureMapsCreatorDeprecation).
+
 :::zone pivot="drawing-package-v1"
 
 You can convert uploaded drawing packages into map data by using the Azure Maps [Conversion service]. This article describes the drawing package requirements for the Conversion API. To view a sample package, you can download the sample [Drawing package].

articles/azure-maps/drawing-conversion-error-codes.md

@@ -12,12 +12,6 @@ ms.subservice: web-sdk
 
 # Spatial IO Module release notes
 
-> [!NOTE]
->
-> **Azure Maps Spatial service retirement**
->
-> The Azure Maps Spatial service is now deprecated and will be retired on 9/30/25. For more information, see [End of Life Announcement of Azure Maps Spatial](https://aka.ms/AzureMapsSpatialDeprecation).
-
 This document contains information about new features and other changes to the Azure Maps Spatial IO Module.
 
 ## [0.1.8] (February 22, 2024)