Merge pull request #211322 from Padmalathas/Padmalathas-migration-edits

Corrected Validation Errors

Author: Stacyrch140

articles/batch/TOC.yml

@@ -103,6 +103,18 @@
     href: high-availability-disaster-recovery.md
   - name: Task runtime environment variables
     href: batch-compute-node-environment-variables.md
+  - name: Retirements
+    items:
+    - name: Batch Certificates Migration Guide
+      href: batch-certificate-migration-guide.md
+    - name: Batch pools without public IP addresses classic Retirement Migration Guide
+      href: batch-pools-without-public-IP-addresses-classic-retirement-migration-guide.md
+    - name: Batch TLS 1.0_1 Migration Guide
+      href: batch-tls-101-migration-guide.md
+    - name: Job Pool Lifetime Statistics Migration Guide
+      href: job-pool-lifetime-statistics-migration-guide.md
+    - name: Low Priority VMs Retirement Migration Guide
+      href: low-priority-VMs-retirement-migration-guide.md
 - name: How-to guides
   items:
   - name: Manage Batch accounts

articles/batch/batch-certificate-migration-guide.md

@@ -0,0 +1,91 @@
+---
+title: Batch Certificate Migration Guide
+description: Describes the migration steps for the batch certificates and the end of support details.
+author: harperche
+ms.author: harpercheng
+ms.service: batch
+ms.topic: how-to #Required; leave this attribute/value as-is.
+ms.date: 08/15/2022
+---
+# Batch Certificate Migration Guide
+
+Securing the application and critical information has become essential in today's needs. With growing customers and increasing demand for security, managing key information plays a significant role in securing data. Many customers need to store secure data in the application, and it needs to be managed to avoid any leakage. In addition, only legitimate administrators or authorized users should access it. Azure Batch offers Certificates created and managed by the Batch service. Azure Batch also provides a Key Vault option, and it's considered an azure-standard method for delivering more controlled secure access management.
+
+Azure Batch provides certificates feature at the account level. Customers must generate the Certificate and upload it manually to the Azure Batch via the portal. To access the Certificate, it must be associated and installed for the 'Current User.' The Certificate is usually valid for one year and must follow a similar procedure every year.
+
+For Azure Batch customers, a secure way of access should be provided in a more standardized way, reducing any manual interruption and reducing the readability of key generated. Therefore, we'll retire the certificate feature on **29 February 2024** to reduce the maintenance effort and better guide customers to use Azure Key Vault as a standard and more modern method with advanced security. After it's retired, the Certificate functionality may cease working properly. Additionally, pool creation with certificates will be rejected and possibly resize up.
+
+## Retirement alternatives
+
+Azure Key Vault is the service provided by Microsoft Azure to store and manage secrets, certificates, tokens, keys, and other configuration values that authenticated users access the applications and services. The original idea was to remove the hard-coded storing of these secrets and keys in the application code.
+
+Azure Key Vault provides security at the transport layer by ensuring any data flow from the key vault to the client application is encrypted. Azure key vault stores the secrets and keys with such strong encryption that even Microsoft itself won't see the keys or secrets in any way.
+
+Azure Key Vault provides a secure way to store the information and define the fine-grained access control. All the secrets can be managed from one dashboard. Azure Key Vault can store the key in the software-protected or hardware protected by hardware security module (HSMs) mechanism. In addition, it has a mechanism to auto-renew the Key Vault certificates.
+
+## Migration steps
+
+Azure Key Vault can be created in three ways:
+
+1. Using Azure portal
+
+2. Using PowerShell
+
+3. Using CLI
+
+**Create Azure Key Vault step by step procedure using Azure portal:**
+
+__Prerequisite__: Valid Azure subscription and owner/contributor access on Key Vault service.
+
+   1. Log in to the Azure portal.
+
+   2. In the top-level search box, look for **Key Vaults**.
+
+   3. In the Key Vault dashboard, click on create and provide all the details like subscription, resource group, Key Vault name, select the pricing tier (standard/premium), and select region. Once all these details are provided, click on review, and create. This will create the Key Vault account.
+
+   4. Key Vault names need to be unique across the globe. Once any user has taken a name, it won’t be available for other users.
+
+   5. Now go to the newly created Azure Key Vault. There you can see the vault name and the vault URI used to access the vault.
+
+**Create Azure Key Vault step by step using the Azure PowerShell:**
+
+   1. Log in to the user PowerShell using the following command - Login-AzAccount
+
+   2. Create an 'azure secure' resource group in the 'eastus' location. You can change the name and location as per your need.
+``` 
+  New-AzResourceGroup -Name "azuresecure" -Location "EastUS"
+```
+   3. Create the Azure Key Vault using the cmdlet. You need to provide the key vault name, resource group, and location.
+```
+  New-AzKeyVault -Name "azuresecureKeyVault" -ResourceGroupName "azuresecure" -Location "East US"
+``` 
+
+   4. Created the Azure Key Vault successfully using the PowerShell cmdlet.
+
+**Create Azure Key Vault step by step using the Azure CLI bash:**
+
+   1. Create an 'azure secure' resource in the 'eastus' location. You can change the name and location as per your need. Use the following bash command.
+``` 
+  az group create –name "azuresecure" -l "EastUS."
+``` 
+
+   2. Create the Azure Key Vault using the bash command. You need to provide the key vault name, resource group, and location.
+``` 
+  az keyvault create –name “azuresecureKeyVault” –resource-group “azure” –location “EastUS”
+```
+   3. Successfully created the Azure Key Vault using the Azure CLI bash command.
+
+## FAQ
+
+   1. Is Certificates or Azure Key Vault recommended?  
+   Azure Key Vault is recommended and essential to protect the data in the cloud.
+
+   2. Does user subscription mode support Azure Key Vault?   
+   Yes, it's mandatory to create Key Vault while creating the Batch account in user subscription mode.
+
+   3. Are there best practices to use Azure Key Vault?   
+   Best practices are covered [here](../key-vault/general/best-practices.md).
+
+## Next steps
+
+For more information, see [Certificate Access Control](../key-vault/certificates/certificate-access-control.md).

articles/batch/batch-pools-without-public-ip-addresses-classic-retirement-migration-guide.md

@@ -0,0 +1,74 @@
+---
+title: Batch Pools without Public IP Addresses Classic Retirement Migration Guide
+description: Describes the migration steps for the batch pool without public ip addresses and the end of support details.
+author: harperche
+ms.author: harpercheng
+ms.service: batch
+ms.topic: how-to #Required; leave this attribute/value as-is.
+ms.date: 09/01/2022
+---
+# Batch Pools without Public IP Addresses Classic Retirement Migration Guide
+
+By default, all the compute nodes in an Azure Batch virtual machine (VM) configuration pool are assigned a public IP address. This address is used by the Batch service to schedule tasks and for communication with compute nodes, including outbound access to the internet. To restrict access to these nodes and reduce the discoverability of these nodes from the internet, we released [Batch pools without public IP addresses (classic)](./batch-pool-no-public-ip-address.md).
+
+In late 2021, we launched a simplified compute node communication model for Azure Batch. The new communication model improves security and simplifies the user experience. Batch pools no longer require inbound Internet access and outbound access to Azure Storage, only outbound access to the Batch service. As a result, Batch pools without public IP addresses (classic) which is currently in public preview will be retired on **31 March 2023**, and will be replaced with simplified compute node communication pools without public IPs.
+
+## Retirement alternatives
+
+[Simplified Compute Node Communication Pools without Public IPs](./simplified-node-communication-pool-no-public-ip.md) requires using simplified compute node communication. It provides customers with enhanced security for their workload environments on network isolation and data exfiltration to Azure Batch accounts. Its key benefits include:
+
+* Allow creating simplified node communication pool without public IP addresses.
+* Support Batch private pool using a new private endpoint (sub-resource nodeManagement) for Azure Batch account.
+* Simplified private link DNS zone for Batch account private endpoints: changed from **privatelink.\<region>.batch.azure.com** to **privatelink.batch.azure.com**.
+* Mutable public network access for Batch accounts.
+* Firewall support for Batch account public endpoints: configure IP address network rules to restrict public network access with Batch accounts.
+
+## Migration steps
+
+Batch pool without public IP addresses (classic) will retire on **31/2023 and will be updated to simplified compute node communication pools without public IPs. For existing pools that use the previous preview version of Batch pool without public IP addresses (classic), it's only possible to migrate pools created in a virtual network. To migrate the pool, follow the opt-in process for simplified compute node communication:
+
+1. Opt in to [use simplified compute node communication](./simplified-compute-node-communication.md#opt-your-batch-account-in-or-out-of-simplified-compute-node-communication).
+
+   ![Support Request](../batch/media/certificates/opt-in.png)
+
+2. Create a private endpoint for Batch node management in the virtual network.
+
+   ![Create Endpoint](../batch/media/certificates/private-endpoint.png)
+
+3. Scale down the pool to zero nodes.
+
+   ![Scale Down](../batch/media/certificates/scale-down-pool.png)
+
+4. Scale out the pool again. The pool is then automatically migrated to the new version of the preview.
+
+   ![Scale Out](../batch/media/certificates/scale-out-pool.png)
+
+## FAQ
+
+* How can I migrate my Batch pool without public IP addresses (classic) to simplified compute node communication pools without public IPs?
+
+    You can only migrate your pool to simplified compute node communication pools if it was created in a virtual network. Otherwise, you’d need to create a new simplified compute node communication pool without public IPs.
+
+* What differences will I see in billing?
+
+    Compared with Batch pools without public IP addresses (classic), the simplified compute node communication pools without public IPs support will reduce costs because it won’t need to create network resources the following: load balancer, network security groups, and private link service with the Batch pool deployments. However, there will be a [cost associated with  private link](https://azure.microsoft.com/pricing/details/private-link/) or other outbound network connectivity used by pools, as controlled by the user, to allow communication with the Batch service without public IP addresses.
+
+* Will there be any performance changes?
+
+    No known performance differences compared to Batch pools without public IP addresses (classic).
+
+* How can I connect to my pool nodes for troubleshooting?
+
+    Similar to Batch pools without public IP addresses (classic). As there is no public IP address for the Batch pool, users will need to connect their pool nodes from within the virtual network. You can create a jump box VM in the virtual network or use other remote connectivity solutions like [Azure Bastion](../bastion/bastion-overview.md).
+
+* Will there be any change to how my workloads are downloaded from Azure Storage?
+
+    Similar to Batch pools without public IP addresses (classic), users will need to provide their own internet outbound connectivity if their workloads need access to other resources like Azure Storage.
+
+* What if I don’t migrate to simplified compute node communication pools without public IPs?
+
+    After **31 March 2023**, we will stop supporting Batch pool without public IP addresses. The functionality of the existing pool in that configuration may break, such as scale out operations, or may be actively scaled down to zero at any point in time after that date.
+
+## Next steps
+
+For more information, refer to [Simplified compute node communication](./simplified-compute-node-communication.md).

articles/batch/batch-tls-101-migration-guide.md

@@ -0,0 +1,44 @@
+---
+title: Batch Tls 1.0 Migration Guide
+description: Describes the migration steps for the batch TLS 1.0 and the end of support details.
+author: harperche
+ms.author: harpercheng
+ms.service: batch
+ms.topic: how-to #Required; leave this attribute/value as-is.
+ms.date: 08/16/2022
+---
+# Batch TLS 1.0 Migration Guide
+
+Transport Layer Security (TLS) versions 1.0 and 1.1 are known to be susceptible to attacks such as BEAST and POODLE, and to have other Common Vulnerabilities and Exposures (CVE) weaknesses. They also don't support the modern encryption methods and cipher suites recommended by Payment Card Industry (PCI) compliance standards. There's an industry-wide push toward the exclusive use of TLS version 1.2 or later.
+
+To follow security best practices and remain in compliance with industry standards, Azure Batch will retire Batch TLS 1.0/1.1 on **31 March 2023**. Most customers have already migrated to TLS 1.2. Customers who continue to use TLS 1.0/1.1 can be identified via existing BatchOperation telemetry. Customers will need to adjust their existing workflows to ensure that they're using TLS 1.2. Failure to migrate to TLS 1.2 will break existing Batch workflows.
+
+## Migration strategy
+
+Customers must update client code before the TLS 1.0/1.1 retirement. 
+
+- Customers using native WinHTTP for client code can follow this [guide](https://support.microsoft.com/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392). 
+
+- Customers using .NET framework for their client code should upgrade to .NET > 4.7, that which enforces TLS 1.2 by default. 
+
+- For customers on .NET framework who are unable to upgrade to > 4.7, please follow this [guide](https://docs.microsoft.com/dotnet/framework/network-programming/tls) to enforce TLS 1.2.
+
+For TLS best practices, refer to [TLS best practices for .NET framework](https://docs.microsoft.com/dotnet/framework/network-programming/tls).
+
+## FAQ
+
+* Why must we upgrade to TLS 1.2?<br>
+   TLS 1.0/1.1 has security issues that are fixed in TLS 1.2. TLS 1.2 has been available since 2008 and is the current default version in most frameworks.
+
+* What happens if I don’t upgrade?<br>
+   After the feature retirement, our client application won't work until you upgrade.<br>
+
+* Will Upgrading to TLS 1.2 affect the performance?<br>
+   Upgrading to TLS 1.2 won't affect performance.<br>
+
+* How do I know if I’m using TLS 1.0/1.1?<br>
+   You can check the Audit Log to determine the TLS version you're using.
+
+## Next steps
+
+For more information, see [How to enable TLS 1.2 on clients](https://docs.microsoft.com/mem/configmgr/core/plan-design/security/enable-tls-1-2-client).

articles/batch/job-pool-lifetime-statistics-migration-guide.md

@@ -0,0 +1,34 @@
+---
+title: Batch job pool lifetime statistics migration guide
+description: Describes the migration steps for the batch job pool lifetime statistics and the end of support details.
+author: harperche
+ms.author: harpercheng
+ms.service: batch
+ms.topic: how-to #Required; leave this attribute/value as-is.
+ms.date: 08/15/2022
+---
+# Batch Job Pool Lifetime Statistics Migration Guide
+
+The Azure Batch service currently supports API for Job/Pool to retrieve lifetime statistics. The API is used to get lifetime statistics for all the Pools/Jobs in the specified batch account or for a specified Pool/Job. The API collects the statistical data from when the Batch account was created until the last time updated or entire lifetime of the specified Job/Pool. Job/Pool lifetime statistics API is helpful for customers to analyze and evaluate their usage.
+
+To make the statistical data available for customers, the Batch service allocates batch pools and schedule jobs with an in-house MapReduce implementation to perform background periodic roll-up of statistics. The aggregation is performed for all accounts/pools/jobs in each region, no matter if customer needs or queries the stats for their account/pool/job. The operating cost includes eleven VMs allocated in each region to execute MapReduce aggregation jobs. For busy regions, we had to increase the pool size further to accommodate the extra aggregation load.
+
+The MapReduce aggregation logic was implemented with legacy code, and no new features are being added or improvised due to technical challenges with legacy code. Still, the legacy code and its hosting repo need to be updated frequently to accommodate ever growing load in production and to meet security/compliance requirements. In addition, since the API is featured to provide lifetime statistics, the data is growing and demands more storage and performance issues, even though most customers aren't using the API. Batch service currently eats up all the compute and storage usage charges associated with MapReduce pools and jobs.
+
+The purpose of the API is designed and maintained to serve the customer in troubleshooting. However, not many customers use it in real life, and the customers are interested in extracting the details for not more than a month. Now more advanced ways of log/job/pool data can be collected and used on a need basis using Azure portal logs, Alerts, Log export, and other methods. Therefore, we are retire Job/Pool Lifetime.
+
+Job/Pool Lifetime Statistics API will be retired on **30 April 2023**. Once complete, the API will no longer work and will return an appropriate HTTP response error code back to the client.
+
+## FAQ
+
+* Is there an alternate way to view logs of Pool/Jobs?
+
+   Azure portal has various options to enable the logs, namely system logs, diagnostic logs. Refer [Monitor Batch Solutions](./monitoring-overview.md) for more information.
+
+* Can customers extract logs to their system if the API doesn't exist? 
+
+   Azure portal log feature allows every customer to extract the output and error logs to their workspace. Refer [Monitor with Application Insights](./monitor-application-insights.md) for more information.
+
+## Next steps
+
+For more information, refer to [Azure Monitor Logs](../azure-monitor/logs/data-platform-logs.md).