MicrosoftDocs
diff --git a/‎articles/aks/azure-cni-overlay.md
Lines changed: 22 additions & 3 deletions b/‎articles/aks/azure-cni-overlay.md
Lines changed: 22 additions & 3 deletions
diff --git a/‎articles/aks/open-ai-quickstart.md
Lines changed: 1 addition & 1 deletion b/‎articles/aks/open-ai-quickstart.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/aks/open-ai-secure-access-quickstart.md
Lines changed: 1 addition & 1 deletion b/‎articles/aks/open-ai-secure-access-quickstart.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/api-management/api-management-api-import-restrictions.md
Lines changed: 3 additions & 0 deletions b/‎articles/api-management/api-management-api-import-restrictions.md
Lines changed: 3 additions & 0 deletions
diff --git a/‎articles/api-management/backends.md
Lines changed: 125 additions & 17 deletions b/‎articles/api-management/backends.md
Lines changed: 125 additions & 17 deletions
diff --git a/‎articles/app-service/toc.yml
Lines changed: 0 additions & 2 deletions b/‎articles/app-service/toc.yml
Lines changed: 0 additions & 2 deletions
diff --git a/‎articles/azure-arc/servers/troubleshoot-agent-onboard.md
Lines changed: 0 additions & 3 deletions b/‎articles/azure-arc/servers/troubleshoot-agent-onboard.md
Lines changed: 0 additions & 3 deletions
@@ -1,6 +1,6 @@
 ---
 title: Configure Azure CNI Overlay networking in Azure Kubernetes Service (AKS)
-description: Learn how to configure Azure CNI Overlay networking in Azure Kubernetes Service (AKS), including deploying an AKS cluster into an existing virtual network and subnet.
+description: Learn how to configure Azure CNI Overlay networking in Azure Kubernetes Service (AKS), including deploying an AKS cluster into an existing virtual network and subnets.
 author: asudbring
 ms.author: allensu
 ms.subservice: aks-networking
@@ -17,7 +17,7 @@ With Azure CNI Overlay, the cluster nodes are deployed into an Azure Virtual Net
 
 ## Overview of Overlay networking
 
-In Overlay networking, only the Kubernetes cluster nodes are assigned IPs from a subnet. Pods receive IPs from a private CIDR provided at the time of cluster creation. Each node is assigned a `/24` address space carved out from the same CIDR. Extra nodes created when you scale out a cluster automatically receive `/24` address spaces from the same CIDR. Azure CNI assigns IPs to pods from this `/24` space.
+In Overlay networking, only the Kubernetes cluster nodes are assigned IPs from subnets. Pods receive IPs from a private CIDR provided at the time of cluster creation. Each node is assigned a `/24` address space carved out from the same CIDR. Extra nodes created when you scale out a cluster automatically receive `/24` address spaces from the same CIDR. Azure CNI assigns IPs to pods from this `/24` space.
 
 A separate routing domain is created in the Azure Networking stack for the pod's private CIDR space, which creates an Overlay network for direct communication between pods. There's no need to provision custom routes on the cluster subnet or use an encapsulation method to tunnel traffic between pods, which provides connectivity performance between pods on par with VMs in a VNet. Workloads running within the pods are not even aware that network address manipulation is happening.
 
@@ -43,7 +43,7 @@ Like Azure CNI Overlay, Kubenet assigns IP addresses to pods from an address spa
 
 ## IP address planning
 
-- **Cluster Nodes**: When setting up your AKS cluster, make sure your VNet subnet has enough room to grow for future scaling. Keep in mind that clusters can't scale across subnets, but you can always add new node pools in another subnet within the same VNet for extra space. A `/24`subnet can fit up to 251 nodes since the first three IP addresses are reserved for management tasks.
+- **Cluster Nodes**: When setting up your AKS cluster, make sure your VNet subnets have enough room to grow for future scaling. You can assign each node pool to a dedicated subnet. A `/24`subnet can fit up to 251 nodes since the first three IP addresses are reserved for management tasks.
 - **Pods**: The Overlay solution assigns a `/24` address space for pods on every node from the private CIDR that you specify during cluster creation. The `/24` size is fixed and can't be increased or decreased. You can run up to 250 pods on a node. When planning the pod address space, ensure the private CIDR is large enough to provide `/24` address spaces for new nodes to support future cluster expansion.
   - When planning IP address space for pods, consider the following factors:
     - The same pod CIDR space can be used on multiple independent AKS clusters in the same VNet.
@@ -112,6 +112,25 @@ az aks create -n $clusterName -g $resourceGroup \
   --pod-cidr 192.168.0.0/16
 ```
 
+## Add a new nodepool to a dedicated subnet
+
+After your have created a cluster with Azure CNI Overlay, you can create another nodepool and assign the nodes to a new subnet of the same VNet.
+This approach can be usefull if you want to control the ingress or egress IPs of the host from/ towards targets in the same VNET or peered VNets.
+
+```azurecli-interactive
+clusterName="myOverlayCluster"
+resourceGroup="myResourceGroup"
+location="westcentralus"
+nodepoolName="newpool1"
+subscriptionId=$(az account show --query id -o tsv)
+vnetName="yourVnetName"
+subnetName="yourNewSubnetName"
+subnetResourceId="/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Network/virtualNetworks/$vnetName/subnets/$subnetName"
+az aks nodepool add  -g $resourceGroup --cluster-name $clusterName \
+  --name $nodepoolName --node-count 1 \
+  --mode system --vnet-subnet-id $subnetResourceId
+```
+
 ## Upgrade an existing cluster to CNI Overlay
 
 > [!NOTE]
 
@@ -229,7 +229,7 @@ Now that the application is deployed, you can deploy the Python-based microservi
                 memory: 50Mi
               limits:
                 cpu: 30m
-                memory: 65Mi
+                memory: 85Mi
     ---
     apiVersion: v1
     kind: Service
 
@@ -227,7 +227,7 @@ To use Microsoft Entra Workload ID on AKS, you need to make a few changes to the
                 memory: 50Mi
               limits:
                 cpu: 30m
-                memory: 65Mi
+                memory: 85Mi
     EOF
     ```
 
 
@@ -254,6 +254,9 @@ Namespaces other than the target aren't preserved on export. While you can impor
 ### Multiple endpoints
 WSDL files can define multiple services and endpoints (ports) by one or more `wsdl:service` and `wsdl:port` elements. However, the API Management gateway is able to import and proxy requests to only a single service and endpoint. If multiple services or endpoints are defined in the WSDL file, identify the target service name and endpoint when importing the API by using the [wsdlSelector](/rest/api/apimanagement/apis/create-or-update#wsdlselector) property.
 
+> [!TIP]
+> If you want to load-balance requests across multiple services and endpoints, consider configuring a [load-balanced backend pool](backends.md#load-balanced-pool-preview).
+
 ### Arrays 
 SOAP-to-REST transformation supports only wrapped arrays shown in the example below:
 
 
@@ -1,14 +1,14 @@
 ---
 title: Azure API Management backends | Microsoft Docs
-description: Learn about custom backends in API Management
+description: Learn about custom backends in Azure API Management
 services: api-management
 documentationcenter: ''
 author: dlepow
 editor: ''
 
 ms.service: api-management
 ms.topic: article
-ms.date: 08/16/2023
+ms.date: 01/09/2024
 ms.author: danlep 
 ms.custom:
 ---
@@ -26,9 +26,13 @@ API Management also supports using other Azure resources as an API backend, such
 * A [Service Fabric cluster](how-to-configure-service-fabric-backend.md).
 * A custom service. 
 
-API Management supports custom backends so you can manage the backend services of your API. Use custom backends, for example, to authorize the credentials of requests to the backend service. Configure and manage custom backends in the Azure portal, or using Azure APIs or tools.
+API Management supports custom backends so you can manage the backend services of your API. Use custom backends for one or more of the following:
 
-After creating a backend, you can reference the backend in your APIs. Use the [`set-backend-service`](set-backend-service-policy.md) policy to direct an incoming API request to the custom backend. If you already configured a backend web service for an API, you can use the `set-backend-service` policy to redirect the request to a custom backend instead of the default backend web service configured for that API.
+* Authorize the credentials of requests to the backend service
+* Protect your backend from too many requests
+* Route or load-balance requests to multiple backends
+
+Configure and manage custom backends in the Azure portal, or using Azure APIs or tools.
 
 ## Benefits of backends
 
@@ -38,6 +42,43 @@ A custom backend has several benefits, including:
 * Easily used by configuring a transformation policy on an existing API.
 * Takes advantage of API Management functionality to maintain secrets in Azure Key Vault if [named values](api-management-howto-properties.md) are configured for header or query parameter authentication.
 
+## Reference backend using set-backend-service policy
+
+After creating a backend, you can reference the backend in your APIs. Use the [`set-backend-service`](set-backend-service-policy.md) policy to direct an incoming API request to the custom backend. If you already configured a backend web service for an API, you can use the `set-backend-service` policy to redirect the request to a custom backend instead of the default backend web service configured for that API. For example:
+
+```xml
+<policies>
+    <inbound>
+        <base />
+        <set-backend-service backend-id="myBackend" />
+    </inbound>
+    [...]
+<policies/>
+```
+
+You can use conditional logic with the `set-backend-service` policy to change the effective backend based on location, gateway that was called, or other expressions.
+
+For example, here is a policy to route traffic to another backend based on the gateway that was called:
+
+```xml
+<policies>
+    <inbound>
+        <base />
+        <choose>
+            <when condition="@(context.Deployment.Gateway.Id == "factory-gateway")">
+                <set-backend-service backend-id="backend-on-prem" />
+            </when>
+            <when condition="@(context.Deployment.Gateway.IsManaged == false)">
+                <set-backend-service backend-id="self-hosted-backend" />
+            </when>
+            <otherwise />
+        </choose>
+    </inbound>
+    [...]
+<policies/>
+```
+
+
 ## Circuit breaker (preview)
 
 Starting in API version 2023-03-01 preview, API Management exposes a [circuit breaker](/rest/api/apimanagement/current-preview/backend/create-or-update?tabs=HTTP#backendcircuitbreaker) property in the backend resource to protect a backend service from being overwhelmed by too many requests.
@@ -50,16 +91,15 @@ The backend circuit breaker is an implementation of the [circuit breaker pattern
 
 ### Example
 
-Use the API Management REST API or a Bicep or ARM template to configure a circuit breaker in a backend. In the following example, the circuit breaker trips when there are three or more `5xx` status codes indicating server errors in a day. The circuit breaker resets after one hour.
+Use the API Management [REST API](/rest/api/apimanagement/backend) or a Bicep or ARM template to configure a circuit breaker in a backend. In the following example, the circuit breaker in *myBackend* in the API Management instance *myAPIM* trips when there are three or more `5xx` status codes indicating server errors in a day. The circuit breaker resets after one hour.
 
 #### [Bicep](#tab/bicep)
 
-Include a snippet similar to the following in your Bicep template:
+Include a snippet similar to the following in your Bicep template for a backend resource with a circuit breaker:
 
 ```bicep
 resource symbolicname 'Microsoft.ApiManagement/service/backends@2023-03-01-preview' = {
-  name: 'myBackend'
-  parent: resourceSymbolicName
+  name: 'myAPIM/myBackend'
   properties: {
     url: 'https://mybackend.com'
     protocol: 'http'
@@ -72,7 +112,6 @@ resource symbolicname 'Microsoft.ApiManagement/service/backends@2023-03-01-previ
               'Server errors'
             ]
             interval: 'P1D'
-            percentage: int
             statusCodeRanges: [
               {
                 min: 500
@@ -85,20 +124,19 @@ resource symbolicname 'Microsoft.ApiManagement/service/backends@2023-03-01-previ
         }
       ]
     }
-  }
-[...]
-}
+   }
+ }
 ```
 
 #### [ARM](#tab/arm)
 
-Include a JSON snippet similar to the following in your ARM template:
+Include a JSON snippet similar to the following in your ARM template for a backend resource with a circuit breaker:
 
 ```JSON
 {
   "type": "Microsoft.ApiManagement/service/backends",
   "apiVersion": "2023-03-01-preview",
-  "name": "myBackend",
+  "name": "myAPIM/myBackend",
   "properties": {
     "url": "https://mybackend.com",
     "protocol": "http",
@@ -122,18 +160,88 @@ Include a JSON snippet similar to the following in your ARM template:
       ]
     }
   }
-[...]
 }
 ```
 
 ---
 
+## Load-balanced pool (preview)
+
+Starting in API version 2023-05-01 preview, API Management supports backend *pools*, when you want to implement multiple backends for an API and load-balance requests across those backends. Currently, the backend pool supports round-robin load balancing.
+
+Use a backend pool for scenarios such as the following:
+
+* Spread the load to multiple backends, which may have individual backend circuit breakers.
+* Shift the load from one set of backends to another for upgrade (blue-green deployment).
 
+To create a backend pool, set the `type` property of the backend to `pool` and specify a list of backends that make up the pool.
+
+> [!NOTE]
+> Currently, you can only include single backends in a backend pool. You can't add a backend of type `pool` to another backend pool.
+
+### Example
+
+Use the API Management [REST API](/rest/api/apimanagement/backend) or a Bicep or ARM template to configure a backend pool. In the following example, the backend *myBackendPool* in the API Management instance *myAPIM* is configured with a backend pool. Example backends in the pool are named *backend-1* and *backend-2*. 
+
+#### [Bicep](#tab/bicep)
+
+Include a snippet similar to the following in your Bicep template for a backend resource with a load-balanced pool:
+
+```bicep
+resource symbolicname 'Microsoft.ApiManagement/service/backends@2023-05-01-preview' = {
+  name: 'myAPIM/myBackendPool'
+  properties: {
+    description: 'Load balancer for multiple backends'
+    type: 'Pool'
+    protocol: 'http'
+    url: 'http://unused'
+    pool: {
+      services: [
+        {
+          id: '/backends/backend-1'
+        }
+        {
+          id: '/backends/backend-2'
+        }
+      ]
+    }
+  }
+}
+```
+#### [ARM](#tab/arm)
+
+Include a JSON snippet similar to the following in your ARM template for a backend resource with a load-balanced pool:
+
+```json
+{
+  "type": "Microsoft.ApiManagement/service/backends",
+  "apiVersion": "2023-05-01-preview",
+  "name": "myAPIM/myBackendPool",
+  "properties": {
+    "description": "Load balancer for multiple backends",
+    "type": "Pool",
+    "protocol": "http",
+    "url": "http://unused",
+    "pool": {
+      "services": [
+        {
+          "id": "/backends/backend-1"
+        },
+        {
+          "id": "/backends/backend-2"
+        }
+      ]
+    }
+  }
+}
+```
+
+---
 ## Limitation
 
 For **Developer** and **Premium** tiers, an API Management instance deployed in an [internal virtual network](api-management-using-with-internal-vnet.md) can throw HTTP 500 `BackendConnectionFailure` errors when the gateway endpoint URL and backend URL are the same. If you encounter this limitation, follow the instructions in the [Self-Chained API Management request limitation in internal virtual network mode](https://techcommunity.microsoft.com/t5/azure-paas-blog/self-chained-apim-request-limitation-in-internal-virtual-network/ba-p/1940417) article in the Tech Community blog. 
 
-## Next steps
+## Related content
 
 * Set up a [Service Fabric backend](how-to-configure-service-fabric-backend.md) using the Azure portal.
-* Backends can also be configured using the API Management [REST API](/rest/api/apimanagement), [Azure PowerShell](/powershell/module/az.apimanagement/new-azapimanagementbackend), or [Azure Resource Manager templates](../service-fabric/service-fabric-tutorial-deploy-api-management.md).
+
@@ -25,8 +25,6 @@
       href: quickstart-python.md
     - name: Deploy WordPress
       href: quickstart-wordpress.md
-    - name: Deploy Go (experimental)
-      href: quickstart-golang.md
     - name: Deploy a custom container
       href: quickstart-custom-container.md
     - name: Use ARM template
 
@@ -104,16 +104,13 @@ The following table lists some of the known errors and suggestions on how to tro
 |--------|------|---------------|---------|
 |Failed to acquire authorization token device flow |`Error occurred while sending request for Device Authorization Code: Post https://login.windows.net/fb84ce97-b875-4d12-b031-ef5e7edf9c8e/oauth2/devicecode?api-version=1.0:  dial tcp 40.126.9.7:443: connect: network is unreachable.` |Can't reach `login.windows.net` endpoint | Run [azcmagent check](azcmagent-check.md) to see if a firewall is blocking access to Microsoft Entra ID. |
 |Failed to acquire authorization token device flow |`Error occurred while sending request for Device Authorization Code: Post https://login.windows.net/fb84ce97-b875-4d12-b031-ef5e7edf9c8e/oauth2/devicecode?api-version=1.0:  dial tcp 40.126.9.7:443: connect: network is Forbidden`. |Proxy or firewall is blocking access to `login.windows.net` endpoint. | Run [azcmagent check](azcmagent-check.md) to see if a firewall is blocking access to Microsoft Entra ID.|
-|Failed to acquire authorization token device flow  |`Error occurred while sending request for Device Authorization Code: Post https://login.windows.net/fb84ce97-b875-4d12-b031-ef5e7edf9c8e/oauth2/devicecode?api-version=1.0:  dial tcp lookup login.windows.net: no such host`. | Group Policy Object *Computer Configuration\ Administrative Templates\ System\ User Profiles\ Delete user profiles older than a specified number of days on system restart* is enabled. | Verify the GPO is enabled and targeting the affected machine. See footnote <sup>[1](#footnote1)</sup> for further details. |
 |Failed to acquire authorization token from SPN |`Failed to execute the refresh request. Error = 'Post https://login.windows.net/fb84ce97-b875-4d12-b031-ef5e7edf9c8e/oauth2/token?api-version=1.0: Forbidden'` |Proxy or firewall is blocking access to `login.windows.net` endpoint. |Run [azcmagent check](azcmagent-check.md) to see if a firewall is blocking access to Microsoft Entra ID. |
 |Failed to acquire authorization token from SPN |`Invalid client secret is provided` |Wrong or invalid service principal secret. |Verify the service principal secret. |
 | Failed to acquire authorization token from SPN |`Application with identifier 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' wasn't found in the directory 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant` |Incorrect service principal and/or Tenant ID. |Verify the service principal and/or the tenant ID.|
 |Get ARM Resource Response |`The client '[email protected]' with object id 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' does not have authorization to perform action 'Microsoft.HybridCompute/machines/read' over scope '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/myResourceGroup/providers/Microsoft.HybridCompute/machines/MSJC01' or the scope is invalid. If access was recently granted, please refresh your credentials."}}" Status Code=403` |Wrong credentials and/or permissions |Verify you or the service principal is a member of the **Azure Connected Machine Onboarding** role. |
 |Failed to AzcmagentConnect ARM resource |`The subscription isn't registered to use namespace 'Microsoft.HybridCompute'` |Azure resource providers aren't registered. |Register the [resource providers](prerequisites.md#azure-resource-providers). |
 |Failed to AzcmagentConnect ARM resource |`Get https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/myResourceGroup/providers/Microsoft.HybridCompute/machines/MSJC01?api-version=2019-03-18-preview:  Forbidden` |Proxy server or firewall is blocking access to `management.azure.com` endpoint. | Run [azcmagent check](azcmagent-check.md) to see if a firewall is blocking access to Azure Resource Manager. |
 
-<a name="footnote1"></a><sup>1</sup>If this GPO is enabled and applies to machines with the Connected Machine agent, it deletes the user profile associated with the built-in account specified for the *himds* service. As a result, it also deletes the authentication certificate used to communicate with the service that is cached in the local certificate store for 30 days. Before the 30-day limit, an attempt is made to renew the certificate. To resolve this issue, follow the steps to [disconnect the agent](azcmagent-disconnect.md) and then re-register it with the service running `azcmagent connect`.
-
 ## Next steps
 
 If you don't see your problem here or you can't resolve your issue, try one of the following channels for more support: