Commit 4ab28a7

Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into asc-melvyn-containerwork
2 parents 04b3666 + 541cff0 commit 4ab28a7

17 files changed, +890 -284 lines changed

.openpublishing.redirection.json

Lines changed: 6 additions & 0 deletions
@@ -52278,6 +52278,12 @@
5227852278
"source_path": "articles/load-balancer/azure-media-player/components-limitations.md",
5227952279
"redirect_url": "/articles/load-balancer/concepts",
5228052280
"redirect_document_id": false
52281+
},
52282+
{
52283+
"source_path": "articles/virtual-machines/troubleshooting/linux-virtual-machine-cannot-start-fstab-errors.md",
52284+
"redirect_url": "/articles/virtual-machines/troubleshooting",
52285+
"redirect_document_id": false
5228152286
}
52287+
5228252288
]
5228352289
}
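
Review bot: The new entry at lines 52282-52286 redirects a single article to `/articles/virtual-machines/troubleshooting`, which reads as a folder path rather than an article; confirm that target resolves to a page, or point it at the replacement article. The blank line added at 52287 before the closing `]` can be dropped.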

articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md

Lines changed: 2 additions & 2 deletions
@@ -1198,8 +1198,8 @@ The SCIM spec does not define a SCIM-specific scheme for authentication and auth
11981198
[!NOTE] It's not recommended to leave the token field blank in the Azure AD provisioning configuration custom app UI. The token generated is primarily available for testing purposes.
11991199

12001200
**OAuth authorization code grant flow:** The provisioning service supports the [authorization code grant](https://tools.ietf.org/html/rfc6749#page-24). After submitting your request for publishing your app in the gallery, our team will work with you to collect the following information:
1201-
* Authorization URL: A URL by the client to obtain authorization from the resource owner via user-agent redirection. The user is redirected to this URL to authorize access.
1202-
* Token exchange URL: A URL by the client to exchange an authorization grant for an access token, typically with client authentication.
1201+
* Authorization URL: A URL by the client to obtain authorization from the resource owner via user-agent redirection. The user is redirected to this URL to authorize access. Note that this URL is currently not configurable per tenant.
1202+
* Token exchange URL: A URL by the client to exchange an authorization grant for an access token, typically with client authentication. Note that this URL is currently not configurable per tenant.
12031203
* Client ID: The authorization server issues the registered client a client identifier, which is a unique string representing the registration information provided by the client. The client identifier is not a secret; it is exposed to the resource owner and **must not** be used alone for client authentication.
12041204
* Client secret: The client secret is a secret generated by the authorization server. It should be a unique value known only to the authorization server.
12051205
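
Review bot: The sentence appended to both bullets at lines 1201-1202 says the URL is "currently not configurable per tenant" but gives no guidance to an app whose authorization or token endpoint differs per tenant; add one sentence on what such an app should do, and consider stating the limitation once after the two bullets instead of repeating it. Since both lines are being touched, "A URL by the client" is also missing a verb ("used by the client").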

articles/application-gateway/configuration-overview.md

Lines changed: 8 additions & 8 deletions
@@ -96,18 +96,18 @@ For this scenario, use NSGs on the Application Gateway subnet. Put the following
9696

9797
You can create a UDR to send 0.0.0.0/0 traffic directly to the Internet.
9898

99-
**Scenario 3**: UDR for Azure Kubernetes Service kubenet
99+
**Scenario 3**: UDR for Azure Kubernetes Service with kubenet
100100

101-
If you're using kubenet with Azure Kubernetes Service (AKS) and Application Gateway Ingress Controller (AGIC), you need to set up a route table to allow traffic sent to the pods to be routed to the correct node. This won't be necessary if you use Azure CNI.
101+
If you're using kubenet with Azure Kubernetes Service (AKS) and Application Gateway Ingress Controller (AGIC), you'll need a route table to allow traffic sent to the pods from Application Gateway to be routed to the correct node. This won't be necessary if you use Azure CNI.
102102

103-
To set up the route table to allow kubenet to work, use the following steps:
103+
To use the route table to allow kubenet to work, follow the steps below:
104104

105-
1. Create a Route Table resource in Azure.
106-
2. Once it's created, go to the **Routes** page.
107-
3. Add a new route:
105+
1. Go to the resource group created by AKS (the name of the resource group should begin with "MC_")
106+
2. Find the route table created by AKS in that resource group. The route table should be populated with the following information:
108107
- Address prefix should be the IP range of the pods you want to reach in AKS.
109-
- Next hop type should be **Virtual Appliance**.
110-
- Next hop address should be the IP address of the node hosting the pods within the IP range defined in the address prefix field.
108+
- Next hop type should be Virtual Appliance.
109+
- Next hop address should be the IP address of the node hosting the pods.
110+
3. Associate this route table to the Application Gateway subnet.
111111

112112
**v2 unsupported scenarios**
113113
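
Review bot: Step 2 (line 106) now asks the reader to verify a route table that AKS populated, but the bullet at line 109 drops the qualifier "within the IP range defined in the address prefix field", so with several nodes it is no longer clear which node address belongs to which route; keep that qualifier. The steps also do not say what to do if the table is not populated as described, step 1 is missing its closing period, and "Virtual Appliance" lost the bold used for UI values elsewhere in the article.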

articles/application-gateway/ssl-overview.md

Lines changed: 4 additions & 0 deletions
@@ -24,6 +24,10 @@ Application Gateway supports TLS termination at the gateway, after which traffic
2424

2525
To configure TLS termination, a TLS/SSL certificate is required to be added to the listener to enable the application gateway to derive a symmetric key as per TLS/SSL protocol specification. The symmetric key is then used to encrypt and decrypt the traffic sent to the gateway. The TLS/SSL certificate needs to be in Personal Information Exchange (PFX) format. This file format allows you to export the private key that is required by the application gateway to perform the encryption and decryption of traffic.
2626

27+
> [!IMPORTANT]
28+
> Please note that the certificate on the listener requires the entire certificate chain to be uploaded.
29+
30+
2731
> [!NOTE]
2832
>
2933
> Application gateway does not provide any capability to create a new certificate or send a certificate request to a certification authority.
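
Review bot: The IMPORTANT note at line 28 does not say what "the entire certificate chain" consists of or how it relates to the PFX file described in the paragraph above; state which certificates must be included in the uploaded file and what the reader will observe if the chain is incomplete. "Please note that" is redundant inside an IMPORTANT block, and only one blank line is needed between the two alerts (lines 29-30 add two).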

articles/azure-monitor/platform/manage-cost-storage.md

Lines changed: 2 additions & 2 deletions
@@ -308,7 +308,7 @@ Usage
308308

309309
### Data volume by computer
310310

311-
The `Usage` data type does not include information at the completer level. To see the **size** of ingested data per computer, use the `_BilledSize` [property](log-standard-properties.md#_billedsize), which provides the size in bytes:
311+
The `Usage` data type does not include information at the computer level. To see the **size** of ingested data per computer, use the `_BilledSize` [property](log-standard-properties.md#_billedsize), which provides the size in bytes:
312312

313313
```kusto
314314
union withsource = tt *
@@ -599,4 +599,4 @@ There are some additional Log Analytics limits, some of which depend on the Log
599599
- To configure an effective event collection policy, review [Azure Security Center filtering policy](../../security-center/security-center-enable-data-collection.md).
600600
- Change [performance counter configuration](data-sources-performance-counters.md).
601601
- To modify your event collection settings, review [event log configuration](data-sources-windows-events.md).
602-
- To modify your syslog collection settings, review [syslog configuration](data-sources-syslog.md).
602+
- To modify your syslog collection settings, review [syslog configuration](data-sources-syslog.md).
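
Review bot: The removed and added versions of line 602 are textually identical, so this is a trailing-whitespace or end-of-file newline change; confirm it is intentional, since it adds noise to a content change.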

articles/backup/backup-azure-troubleshoot-vm-backup-fails-snapshot-timeout.md

Lines changed: 11 additions & 1 deletion
@@ -40,6 +40,8 @@ After you register and schedule a VM for the Azure Backup service, Backup starts
4040

4141
**Cause 4: [VM-Agent configuration options are not set (for Linux VMs)](#vm-agent-configuration-options-are-not-set-for-linux-vms)**
4242

43+
**Cause 5: [Application control solution is blocking IaaSBcdrExtension.exe](#application-control-solution-is-blocking-iaasbcdrextensionexe)**
44+
4345
## UserErrorVmProvisioningStateFailed - The VM is in failed provisioning state
4446

4547
**Error code**: UserErrorVmProvisioningStateFailed<br>
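
Review bot: Cause 5 at line 43 does not state which operating system it applies to, while Cause 4 directly above is labelled "(for Linux VMs)"; since the blocked file is an .exe, label the new cause the same way so readers can skip it when it does not apply.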
@@ -195,9 +197,17 @@ If you require verbose logging for waagent, follow these steps:
195197

196198
### VM-Agent configuration options are not set (for Linux VMs)
197199

198-
A configuration file (/etc/waagent.conf) controls the actions of waagent. Configuration File Options **Extensions.Enable** and **Provisioning.Agent** should be set to **y** for Backup to work.
200+
A configuration file (/etc/waagent.conf) controls the actions of waagent. Configuration File Options **Extensions.Enable** should be set to **y** and **Provisioning.Agent** should be set to **auto** for Backup to work.
199201
For full list of VM-Agent Configuration File Options, see <https://github.com/Azure/WALinuxAgent#configuration-file-options>
200202

203+
### Application control solution is blocking IaaSBcdrExtension.exe
204+
205+
If you are running [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker) (or another application control solution), and the rules are publisher or path based, they may block the **IaaSBcdrExtension.exe** executable from running.
206+
207+
#### Solution
208+
209+
Exclude the `/var/lib` path or the **IaaSBcdrExtension.exe** executable from AppLocker (or other application control software.)
210+
201211
### <a name="the-snapshot-status-cannot-be-retrieved-or-a-snapshot-cannot-be-taken"></a>The snapshot status can't be retrieved, or a snapshot can't be taken
202212

203213
The VM backup relies on issuing a snapshot command to the underlying storage account. Backup can fail either because it has no access to the storage account, or because the execution of the snapshot task is delayed.
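
Review bot: The Solution at line 209 tells the reader to exclude the `/var/lib` path, which is a Linux path, while the section is about AppLocker blocking IaaSBcdrExtension.exe; replace it with the location that actually applies to the executable, or drop the path option. Excluding a whole directory from application control is also broader than needed, so the text should recommend an allow rule scoped to this one executable and mention the path exclusion only as a fallback. The closing period at the end of line 209 belongs outside the parenthesis.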

articles/backup/backup-azure-vms-troubleshoot.md

Lines changed: 8 additions & 0 deletions
@@ -93,6 +93,14 @@ Restart VSS writers that are in a bad state. From an elevated command prompt, ru
9393
* ```net stop serviceName```
9494
* ```net start serviceName```
9595

96+
Another procedure that can help is to run the following command from an elevated command-prompt (as an administrator).
97+
98+
```CMD
99+
REG ADD "HKLM\SOFTWARE\Microsoft\BcdrAgentPersistentKeys" /v SnapshotWithoutThreads /t REG_SZ /d True /f
100+
```
101+
102+
Adding this registry key will cause the threads to be not created for blob-snapshots, and prevent the time-out.
103+
96104
## ExtensionConfigParsingFailure - Failure in parsing the config for the backup extension
97105

98106
Error code: ExtensionConfigParsingFailure<br/>
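
Review bot: The text at lines 96-102 has the reader write a persistent HKLM value but does not say whether a service or VM restart is needed for it to take effect, or how to revert it once the backup succeeds; add both. The command adds a value named SnapshotWithoutThreads under the key, so "Adding this registry key" should read "Adding this registry value", and "will cause the threads to be not created" is clearer as "prevents threads from being created". The fence language at line 98 is `CMD` in capitals; use the lowercase form used elsewhere in the docs.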

articles/load-balancer/concepts.md

Lines changed: 5 additions & 25 deletions
@@ -61,35 +61,15 @@ Availability Zones | Standard load balancer supports additional abilities in reg
6161

6262
## <a name = "limitations"></a>Limitations
6363

64-
- A load balancer rule can't span two virtual networks. Front-ends and their related backend instances must be located in the same virtual network.
65-
- Web Worker Roles without a virtual network and other Microsoft platform services can be accessible from instances behind only an internal standard load balancer. Don't rely on this accessibility, as the respective service itself or the underlying platform can change without notice. If outbound connectivity is required when using a standard internal load balancer, [outbound connectivity](load-balancer-outbound-connections.md) must be configured.
66-
- Load balancer provides load balancing and port forwarding for specific TCP or UDP protocols. Load-balancing rules and inbound NAT rules support TCP and UDP, but not other IP protocols including ICMP.
67-
68-
Load balancer doesn't close, respond, or otherwise interact with the payload of a UDP or TCP flow. Load balancer doesn't function as a proxy.
69-
70-
A successful connection to a front end must take place. This connection must be with the same port used in a load balancing or inbound NAT rule. To see a response from the frontend, one virtual machine in the backend pool must respond.
71-
72-
Failure to receive a response from the front end indicates no virtual machines could respond. Interact with a load balancer front end will fail without a virtual machine to respond.
73-
74-
This principle also applies to outbound connections where port masquerade SNAT is only supported for TCP and UDP. Any other IP protocols, including ICMP, fail.
75-
76-
Assign a public IP address to the resource to resolve this issue. For more information, see [Understanding SNAT and PAT](load-balancer-outbound-connections.md#snat).
64+
- A load balancer rule can't span two virtual networks. Frontends and their backend instances must be located in the same virtual network.
7765

78-
- Internal load balancers don't translate outbound originated connections to the front end of an internal load balancer because both are in private IP address space. Public load balancers provide [outbound connections](load-balancer-outbound-connections.md) from private IP addresses inside the virtual network to public IP addresses. For internal load balancers, this approach avoids potential SNAT port exhaustion inside a unique internal IP address space, where translation isn't required.
66+
- Web Worker Roles without a virtual network and other Microsoft platform services can be accessible from instances behind only a Standard internal Load balancer. Don't rely on this accessibility, as the respective service itself or the underlying platform can change without notice. If outbound connectivity is required when using a standard internal load balancer, [outbound connectivity](load-balancer-outbound-connections.md) must be configured.
7967

80-
Outbound flow from a backend VM to a frontend of an internal load balancer will fail. The failure occurs when the flow is mapped backed to itself. The two legs of the flow don't match and the flow will fail.
81-
82-
When the flow maps back to itself, the outbound flow appears to originate from the VM to the front end.
83-
84-
The flow succeeds if it didn't map back to the same VM in the back-end that created the flow.
85-
86-
The inbound and outbound parts of the flow don't match inside the VM. The TCP stack won't recognize these halves of the same flow as being part of the same flow. The source and destination don't match. The VM can respond when the flow maps to another VM in the backend. The halves for the flow match, and the connection can continue.
87-
88-
The symptom for this scenario is intermittent connection timeouts. Common workarounds include insertion of a proxy layer behind the internal load balancer and using Direct Server Return (DSR) style rules. For more information, see [Multiple Front ends for Azure Load Balancer](load-balancer-multivip-overview.md).
68+
- Load balancer provides load balancing and port forwarding for specific TCP or UDP protocols. Load-balancing rules and inbound NAT rules support TCP and UDP, but not other IP protocols including ICMP.
8969

90-
You can combine an internal load balancer with any third-party proxy. Use of internal [Application Gateway](../application-gateway/application-gateway-introduction.md) for proxy scenarios with HTTP/HTTPS is also available. While you could use a public load balancer to mitigate this issue, the resulting scenario is prone to [SNAT exhaustion](load-balancer-outbound-connections.md#snat). Avoid this second approach unless carefully managed.
70+
- Internal load balancers don't translate outbound originated connections to the frontend of an internal load balancer because both are in private IP address space. Outbound flow from a backend VM to a frontend of an internal load balancer will fail. The failure occurs when the flow is mapped backed to itself. The two legs of the flow don't match and the flow will fail.
9171

92-
- In general, forwarding IP fragments isn't supported on load-balancing rules. IP fragmentation of UDP and TCP packets isn't supported on load-balancing rules. HA ports load-balancing rules can be used to forward existing IP fragments. For more information, see [High availability ports overview](load-balancer-ha-ports-overview.md).
72+
- Forwarding IP fragments isn't supported on load-balancing rules. IP fragmentation of UDP and TCP packets isn't supported on load-balancing rules. HA ports load-balancing rules can be used to forward existing IP fragments. For more information, see [High availability ports overview](load-balancer-ha-ports-overview.md).
9373

9474
## Next steps
9575
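
Review bot: The condensed bullet at line 70 keeps the statement that a backend VM's flow to its own internal frontend fails but removes the symptom (intermittent connection timeouts) and the workarounds (a proxy layer or DSR-style rules) that the old lines 88-90 gave, so a reader hitting this has nothing to act on; keep one sentence for each or link to where they now live. The same applies to the removed SNAT guidance at old lines 74-76. In the lines kept, "mapped backed to itself" should be "mapped back to itself", and line 66 mixes "Standard internal Load balancer" with "standard internal load balancer" in one bullet.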

articles/machine-learning/how-to-enable-virtual-network.md

Lines changed: 1 addition & 1 deletion
@@ -554,7 +554,7 @@ For information on using Azure Machine Learning with Azure Firewall, see [Use Az
554554
555555
For more information, see the [update()](https://docs.microsoft.com/python/api/azureml-core/azureml.core.workspace.workspace?view=azure-ml-py#update-friendly-name-none--description-none--tags-none--image-build-compute-none--enable-data-actions-none-) method reference.
556556
557-
1. If you are using Private Link for your Azure Machine Learning workspace, and put the Azure Container Registry for your workspace in a virtual network, you must also apply the following Azure Resource Manager template. This template enables your workspace to communicate with ACR over the Private Link.
557+
1. You must apply the following Azure Resource Manager template. This template enables your workspace to communicate with ACR.
558558
559559
```json
560560
{
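
Review bot: Line 557 now reads as an unconditional step ("You must apply the following Azure Resource Manager template"), whereas the removed text limited it to workspaces using Private Link with the Azure Container Registry in a virtual network. If the scope really changed, say in the step when the template is required; if not, restore the condition so readers do not apply a network-related template to workspaces that do not need it.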

articles/remote-rendering/how-tos/conversion/conversion-rest-api.md

Lines changed: 1 addition & 0 deletions
@@ -116,6 +116,7 @@ The status of an ongoing conversion started with one of the REST calls above can
116116

117117
Returns a JSON document with a "status" field that can have the following values:
118118

119+
- "Created"
119120
- "Running"
120121
- "Success"
121122
- "Failure"
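
Review bot: The new "Created" value at line 119 is listed without saying what it means or how it relates to "Running"; add a short description for each value, and state which values are final, so a client polling this endpoint knows when to stop.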
