Merge pull request #262724 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-docs (branch main)

Author: Saisang

articles/aks/concepts-network.md

@@ -24,19 +24,27 @@ This article introduces the core concepts that provide networking to your applic
 * [Network policies](#network-policies)
 
 ## Kubernetes basics
+Kubernetes employs a virtual networking layer to manage access within and between your applications or their components. This involves the following key aspects:
 
-To allow access to your applications or between application components, Kubernetes provides an abstraction layer to virtual networking. Kubernetes nodes connect to a virtual network, providing inbound and outbound connectivity for pods. The *kube-proxy* component runs on each node to provide these network features.
+- **Kubernetes nodes and virtual network**: Kubernetes nodes are connected to a virtual network. This setup enables pods (basic units of deployment in Kubernetes) to have both inbound and outbound connectivity.
 
-In Kubernetes:
+- **Kube-proxy component**: Running on each node, kube-proxy is responsible for providing the necessary network features.
 
-* *Services* logically group pods to allow for direct access on a specific port via an IP address or DNS name.
-* *ServiceTypes* allow you to specify what kind of Service you want.
-* You can distribute traffic using a *load balancer*.
-* Layer 7 routing of application traffic can also be achieved with *ingress controllers*.
-* You can *control outbound (egress) traffic* for cluster nodes.
-* Security and filtering of the network traffic for pods is possible with *network policies*.
+Regarding specific Kubernetes functionalities:
 
-The Azure platform also simplifies virtual networking for AKS clusters. When you create a Kubernetes load balancer, you also create and configure the underlying Azure load balancer resource. As you open network ports to pods, the corresponding Azure network security group rules are configured. For HTTP application routing, Azure can also configure *external DNS* as new Ingress routes are configured.
+- **Services**: These are used to logically group pods, allowing direct access to them through a specific IP address or DNS name on a designated port.
+- **Service types**: This feature lets you specify the kind of Service you wish to create.
+- **Load balancer**: You can use a load balancer to distribute network traffic evenly across various resources.
+- **Ingress controllers**: These facilitate Layer 7 routing, which is essential for directing application traffic.
+- **Egress traffic control**: Kubernetes allows you to manage and control outbound traffic from cluster nodes.
+- **Network policies**: These policies enable security measures and filtering for network traffic in pods.
+
+In the context of the Azure platform:
+
+- Azure streamlines virtual networking for AKS (Azure Kubernetes Service) clusters.
+- Creating a Kubernetes load balancer on Azure simultaneously sets up the corresponding Azure load balancer resource.
+- As you open network ports to pods, Azure automatically configures the necessary network security group rules.
+- Azure can also manage external DNS configurations for HTTP application routing as new Ingress routes are established.
 
 ## Services
 

articles/azure-functions/functions-scale.md

@@ -16,7 +16,7 @@ The Azure Functions hosting plan you choose dictates the following behaviors:
 * The resources available to each function app instance.
 * Support for advanced functionality, such as Azure Virtual Network connectivity.
 
-In addition to Azure Functions hosting, you can also host containerized function apps in containers can also be deployed to Kubernetes clusters and to Azure Container Apps. If you choose to host your functions in a Kubernetes cluster, consider using an [Azure Arc-enabled Kubernetes cluster](../azure-arc/kubernetes/overview.md). To learn more about deploying custom container apps, see [Azure Container Apps hosting of Azure Functions](./functions-container-apps-hosting.md).  
+In addition to Azure Functions hosting, you can also host containerized function apps in containers that can be deployed to Kubernetes clusters or to Azure Container Apps. If you choose to host your functions in a Kubernetes cluster, consider using an [Azure Arc-enabled Kubernetes cluster](../azure-arc/kubernetes/overview.md). To learn more about deploying custom container apps, see [Azure Container Apps hosting of Azure Functions](./functions-container-apps-hosting.md).  
 
 This article provides a detailed comparison between the various hosting plans, including container-based hosting options.
 

articles/iot-operations/deploy-iot-ops/howto-manage-secrets.md

@@ -5,7 +5,7 @@ author: kgremban
 ms.author: kgremban
 # ms.subservice: orchestrator
 ms.topic: how-to
-ms.date: 12/06/2023
+ms.date: 12/19/2023
 ms.custom:
   - ignite-2023
 
@@ -26,6 +26,107 @@ Azure IoT Operations supports Azure Key Vault for storing secrets and certificat
 
 For more information, see [Deploy Azure IoT Operations extensions](./howto-deploy-iot-operations.md?tabs=cli).
 
+## Configure service principal and Azure Key Vault upfront
+
+If the Azure account executing the `az iot ops init` command does not have permissions to query the Azure Resource Graph and create service principals, you can prepare these upfront and use extra arguments when running the CLI command as described in [Deploy Azure IoT Operations extensions](./howto-deploy-iot-operations.md?tabs=cli).
+
+### Configure service principal for interacting with Azure Key Vault via Microsoft Entra ID
+
+Follow these steps to create a new Application Registration that will be used by the AIO application to authenticate to Key Vault.
+
+First, register an application with Microsoft Entra ID.
+
+1. In the Azure portal search bar, search for and select **Microsoft Entra ID**.
+
+1. Select **App registrations** from the **Manage** section of the Microsoft Entra ID menu.
+
+1. Select **New registration**.
+
+1. On the **Register an application** page, provide the following information:
+
+   | Field | Value |
+   | ----- | ----- |
+   | **Name** | Provide a name for your application. |
+   | **Supported account types** | Ensure that **Accounts in this organizational directory only (<YOUR_TENANT_NAME> only - Single tenant)** is selected. |
+   | **Redirect URI** | Select **Web** as the platform. You can leave the web address empty. |
+
+1. Select **Register**.
+
+   When your application is created, you are directed to its resource page.
+
+1. Copy the **Application (client) ID** from the app registration overview page. You'll use this value as an argument when running Azure IoT Operations deployment.
+
+Next, give your application permissions for key vault.
+
+1. On the resource page for your app, select **API permissions** from the **Manage** section of the app menu.
+
+1. Select **Add a permission**.
+
+1. On the **Request API permissions** page, scroll down and select **Azure Key Vault**.
+
+1. Select **Delegated permissions**.
+
+1. Check the box to select **user_impersonation** permissions.
+
+1. Select **Add permissions**.
+
+Create a client secret that will be added to your Kubernetes cluster to authenticate to your key vault.
+
+1. On the resource page for your app, select **Certificates & secrets** from the **Manage** section of the app menu.
+
+1. Select **New client secret**.
+
+1. Provide an optional description for the secret, then select **Add**.
+
+1. Copy the **Value** and **Secret ID** from your new secret. You'll use these values later below.
+
+Retrieve the service principal Object Id
+
+1. On the **Overview** page for your app, under the section **Essentials**, click on the **Application name** link under **Managed application in local directory**. This opens the Enterprise Application properties. Copy the Object Id to use when you run `az iot ops init`.
+
+### Create an Azure Key Vault
+
+Create a new Azure Key Vault service and ensure it has the **Permission Model** set to Vault access policy.
+
+```bash
+az keyvault create --enable-rbac-authorization false --name "<your unique key vault name>" --resource-group "<the name of the resource group>"
+```
+If you have an existing key vault, you can change the permission model by executing the following:
+
+```bash
+az keyvault update --name "<your unique key vault name>" --resource-group "<the name of the resource group>" --enable-rbac-authorization false 
+```
+You will need the Key Vault resource ID when you run `az iot ops init`. To retrieve the resource ID, run:
+
+```bash
+az keyvault show --name "<your unique key vault name>" --resource-group "<the name of the resource group>" --query id  -o tsv
+```
+
+### Set service principal access policy in Azue Key Vault
+
+The newly created service principal needs **Secret** `list` and `get` access policy for the Azure IoT Operations to work with the secret store. 
+
+Run the following to assign **secret** `get` and `list` permissions to the service principal.
+
+```bash
+az keyvault set-policy --name "<your unique key vault name>" --resource-group "<the name of the resource group>" --object-id <Object ID copied from Enterprise Application SP in Microsoft Entra ID> --secret-permissions get list --key-permissions get list
+```
+
+### Pass service principal and Key Vault arguments to Azure IoT Operations deployment
+
+When following the guide [Deploy Azure IoT Operations extensions](./howto-deploy-iot-operations.md?tabs=cli), you will need to pass in additional flags to the `az iot ops init` command in order to use the pre-configured service principal and key vault.
+
+The following example shows how to prepare the cluster for Azure IoT Operations without fully deploying it by using `--no-deploy` flag. You can also run the command without this argument for a default Azure IoT Operations deployment.
+
+```bash
+az iot ops init --name "<your unique key vault name>" --resource-group "<the name of the resource group>" \
+    --kv-id <Key Vault Resource ID> \
+    --sp-app-id <Application registration App ID (client ID) from Microsoft Entra ID> \
+    --sp-object-id <Object ID copied from Enterprise Application in Microsoft Entra ID> \
+    --sp-secret "<Client Secret from App registration in Microsoft Entra ID>" \
+    --no-deploy
+```
+
 ## Add a secret to an Azure IoT Operations component
 
 Once you have the secret store set up on your cluster, you can create and add Azure Key Vault secrets.

articles/operator-service-manager/publisher-resource-preview-management.md

@@ -64,37 +64,15 @@ Immutable artifacts are tested artifacts that can't be modified or overwritten.
 
 
  ### Update Artifact Manifest state
+ Use the following Azure CLI command to change the state of a artifact manifest resource.
 
- ### HTTP Method: POST URL
-
-```http
-https://management.azure.com/{artifactManifestResourceId}/updateState?api-version=2023-09-01
-``` 
-
- Where artifactManifestResourceId is the full resource ID of the Artifact Manifest resource
- 
- ### Request body
-
-```json
-{
-      "artifactManifestState": "Uploaded"
-}
-```
-
-### Submit POST
-
-Submit the POST using `az rest` in the Azure CLI.
-
 ```azurecli
-az rest --method post --uri {artifactManifestResourceId}/updateState?api-version=2023-09-01 --body "{\"artifactManifestState\": \"Uploaded\"}"
-```
-
- Where *{artifactManifestResourceId}* is the full resource ID of the Artifact Manifest resource
-
- Then issue the get command to check that the artifactManifestState change is complete.
-
-```azurecli
-  az rest --method get --uri {artifactManifestResourceId}?api-version=2023-09-01
+  az aosm publisher artifact-manifest update-state \
+    --resource-group <myResourceGroupName> \
+    --publisher-name <myPublisherName> \
+    --artifact-store-name <myArtifactStoreName> \
+    --name <myArtifactManifestName> \
+    --state Uploaded
 ```
 
 ## Network Function Definition and Network Service Design state machine
@@ -103,93 +81,25 @@ az rest --method post --uri {artifactManifestResourceId}/updateState?api-version
 - Deprecated state is a terminal state but can be reversed.
 
 ## Update Network Function definition version state
-
-Use the following API to update the state of a Network Function Definition Version (NFDV).
-
-### HTTP Method: POST URL
-
-```http
-https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.HybridNetwork/publishers/{publisherName}/networkfunctiondefinitiongroups/{networkfunctiondefinitiongroups}/networkfunctiondefinitionversions/{networkfunctiondefinitionversions}/updateState?api-version=2023-09-01
-```
-
-### URI parameters
-
-The following table describes the parameters used with the preceding URL.
-
-|Name  |Description |
-|---------|---------|
-|subscriptionId     |  The subscription ID.
-|resourceGroupName    |       The name of the resource group.  |
-|publisherName    |      The name of the publisher.   |
-|networkfunctiondefinitiongroups | The name of the network function definition groups.
-|networkfunctiondefinitionversions | The network function definition version. |
-|api-version | The API version to use for this operation. |
-
-
-### Request body
-
-```json
-{
-    "versionState": "Active | Deprecated"
-}
-```
-### Submit post
-
-Submit the POST using `az rest` in the Azure CLI.
-
-```azurecli
- az rest --method post --uri {nfdvresourceId}/updateState?api-version=2023-09-01 --body "{\"versionState\": \"Active\"}"
-```
- Where *{nfdvresourceId}* is the full resource ID of the Network Function Definition Version 
-
-Then issue the get command to check that the versionState change is complete.
+Use the following Azure CLI command to change the state of a Network Function Definition Version resource.
 
 ```azurecli
-  az rest --method get --uri {nfdvresourceId}?api-version=2023-09-01
+  az aosm publisher network-function-definition version update-state \
+    --resource-group <myResourceGroup> \
+    --publisher-name <myPublisherName> \
+    --group-name <myNetworkFunctionDefinitionGroupName> \
+    --version-name <myNetworkFunctionDefinitionVersionName> \
+    --version-state Active | Deprecated
 ```
 
 ## Update Network Service Design Version (NSDV) version state
-
-Use the following API to update the state of a Network Service Design Version (NSDV).
-
-### HTTP Method: POST URL
-
-```http
-https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.HybridNetwork/publishers/{publisherName}/networkservicedesigngroups/{nsdName}/networkservicedesignversions/{nsdVersion}/updateState?api-version=2023-09-01
-```
-
-### URI parameters
-
-The following table describes the parameters used with the preceding URL.
-
-|Name  |Description |
-|---------|---------|
-|subscriptionId     |  The subscription ID.
-|resourceGroupName    |       The name of the resource group.  |
-|publisherName    |      The name of the publisher.   |
-|nsdName | The name of the network service design.
-|nsdVersion | The network service design version. |
-|api-version | The API version to use for this operation. |
-
-
-### Request body
-
-```json
-{
-    "versionState": "Active | Deprecated"
-}
-```
-### Submit post
-
-Submit the POST using `az rest` in the Azure CLI.
-
-```azurecli
-az rest --method post --uri {nsdvresourceId}/updateState?api-version=2023-09-01 --body "{\"versionState\": \"Active\"}"
-```
-Where *{nsdvresourceId}* is the full resource ID of the Network Service Design
-
-Then issue the get command to check that the versionState change is complete.
+Use the following Azure CLI command to change the state of a Network Service Design Version resource.
 
 ```azurecli
-  az rest --method get --uri {nsdvresourceId}?api-version=2023-09-01
+  az aosm publisher network-service-design version update-state \
+    --resource-group <myResourceGroup> \
+    --publisher-name <myPublisherName> \
+    --group-name <myNetworkServiceDesignGroupName> \
+    --version-name <myNetworkServiceDesignVersionName> \
+    --version-state Active | Deprecated
 ```

includes/container-apps-get-fully-qualified-domain-name.md

@@ -22,7 +22,7 @@ az containerapp show \
 # [PowerShell](#tab/powershell)
 
 ```powershell
-(Get-AzContainerApp -Name <CONTAINER_APP_NAME> -ResourceGroupName <RESOURCE_GROUP_NAME>).IngressFqdn
+(Get-AzContainerApp -Name <CONTAINER_APP_NAME> -ResourceGroupName <RESOURCE_GROUP_NAME>).Configuration.IngressFqdn
 ```
 
 ---