Commit 4b545c0

Merge branch 'main' into release-defender-flip
2 parents 73fe0f5 + ddb184e commit 4b545c0

53 files changed

+525
-284
lines changed

articles/app-service/overview-access-restrictions.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -67,7 +67,7 @@ Service endpoints allow you to lock down *inbound* access to your app so that th
6767
> [!NOTE]
6868
> Access restriction rules based on service endpoints are not supported on apps that have private endpoint configured or apps that use IP-based SSL ([App-assigned address](./networking-features.md#app-assigned-address)).
6969
70-
To learn more about configuring service endpoints with your app, see [Azure App Service access restrictions](../virtual-network/virtual-network-service-endpoints-overview.md).
70+
To learn more about configuring service endpoints with your app, see [Azure Virtual Network service endpoints](../virtual-network/virtual-network-service-endpoints-overview.md).
7171

7272
#### Any service endpoint source
7373
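Review bot: On new line 70 the sentence still promises guidance on "configuring service endpoints with your app", but the link target is the general virtual-network-service-endpoints-overview.md page. The new link text now matches that target, so either reword the lead-in to "To learn more about service endpoints, see ..." or add a second link to the App Service configuration article so the sentence and the destination agree.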

articles/application-gateway/application-gateway-troubleshooting-502.md

Lines changed: 12 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ services: application-gateway
55
author: greg-lindsay
66
ms.service: azure-application-gateway
77
ms.topic: troubleshooting
8-
ms.date: 05/19/2023
8+
ms.date: 04/29/2025
99
ms.author: greglin
1010
ms.custom: devx-track-azurepowershell
1111
---
@@ -87,9 +87,9 @@ The following table lists the values associated with the default health probe:
8787
8888
### Solution
8989
90-
* Host value of the request will be set to 127.0.0.1. Ensure that a default site is configured and is listening at 127.0.0.1.
90+
* Host value of the request is set to 127.0.0.1. Ensure that a default site is configured and is listening at 127.0.0.1.
9191
* Protocol of the request is determined by the BackendHttpSetting protocol.
92-
* URI Path will be set to */*.
92+
* URI Path is set to */*.
9393
* If BackendHttpSetting specifies a port other than 80, the default site should be configured to listen at that port.
9494
* The call to `protocol://127.0.0.1:port` should return an HTTP result code of 200. This code should be returned within the 30-second timeout period.
9595
* Ensure the configured port is open and there are no firewall rules or Azure Network Security Groups blocking incoming or outgoing traffic on the port configured.
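Review bot: On line 92, "URI Path is set to */*" is ambiguous between a literal `*/*` and an emphasized `/`, and a reader configuring the default site needs to know exactly which path the probe requests. Line 94 already uses code formatting for `protocol://127.0.0.1:port`, so format the path on line 92 and the address `127.0.0.1` on line 90 the same way.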
@@ -130,7 +130,7 @@ Validate that the Custom Health Probe is configured correctly, as shown in the p
130130
131131
### Cause
132132
133-
When a user request is received, the application gateway applies the configured rules to the request and routes it to a backend pool instance. It waits for a configurable interval of time for a response from the backend instance. By default, this interval is **20** seconds. In Application Gateway v1, if the application gateway doesn't receive a response from backend application in this interval, the user request gets a 502 error. In Application Gateway v2, if the application gateway doesn't receive a response from the backend application in this interval, the request will be tried against a second backend pool member. If the second request fails the user request gets a 504 error.
133+
When a user request is received, the application gateway applies the configured rules to the request and routes it to a backend pool instance. It waits for a configurable interval of time for a response from the backend instance. By default, this interval is **20** seconds. In Application Gateway v1, if the application gateway doesn't receive a response from backend application in this interval, the user request gets a 502 error. In Application Gateway v2, if the application gateway doesn't receive a response from the backend application in this interval, the request is tried against a second backend pool member. If the second request fails the user request gets a 504 error.
134134
135135
### Solution
136136
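Review bot: Line 133 is being rewritten but keeps two small defects in the same paragraph: the v1 sentence says "from backend application" while the v2 sentence says "from the backend application", and "If the second request fails the user request gets a 504 error" needs a comma after "fails". Fix both in this pass so the v1 and v2 sentences read in parallel.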
@@ -192,17 +192,17 @@ If all the instances of BackendAddressPool are unhealthy, then the application g
192192

193193
Ensure that the instances are healthy and the application is properly configured. Check if the backend instances can respond to a ping from another VM in the same VNet. If configured with a public end point, ensure a browser request to the web application is serviceable.
194194

195-
## Upstream SSL certificate does not match
195+
## Upstream SSL certificate doesn't match
196196

197197
### Cause
198198

199-
The TLS certificate installed on backend servers does not match the hostname received in the Host request header.
199+
The TLS certificate installed on backend servers doesn't match the hostname received in the Host request header.
200200

201-
In scenarios where End-to-end TLS is enabled, a configuration that is achieved by editing the appropriate "Backend HTTP Settings", and changing there the configuration of the "Backend protocol" setting to HTTPS, it is mandatory to ensure that the CNAME of the TLS certificate installed on backend servers matches the hostname coming to the backend in the HTTP host header request.
201+
In scenarios where End-to-end TLS is enabled, a configuration that is achieved by editing the appropriate "Backend HTTP Settings", and changing there the configuration of the "Backend protocol" setting to HTTPS, it's mandatory to ensure that the DNS NAME of the TLS certificate installed on backend servers matches the hostname coming to the backend in the HTTP host header request.
202202

203-
As a reminder, the effect of enabling on the "Backend HTTP Settings" the option of protocol HTTPS rather than HTTP, will be that the second part of the communication that happens between the instances of the Application Gateway and the backend servers will be encrypted with TLS.
203+
As a reminder, the effect of enabling on the "Backend HTTP Settings" the option of protocol HTTPS rather than HTTP, is that the second part of the communication that happens between the instances of the Application Gateway and the backend servers are encrypted with TLS.
204204

205-
Due to the fact that by default Application Gateway sends the same HTTP host header to the backend as it receives from the client, you will need to ensure that the TLS certificate installed on the backend server, is issued with a CNAME that matches the host name received by that backend server in the HTTP host header.
205+
Due to the fact that by default Application Gateway sends the same HTTP host header to the backend as it receives from the client, you need to ensure that the TLS certificate installed on the backend server, is issued with a DNS NAME that matches the host name received by that backend server in the HTTP host header.
206206
Remember that, unless specified otherwise, this hostname would be the same as the one received from the client.
207207

208208
For example:
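Review bot: "DNS NAME" on lines 201 and 205 is not a certificate field name, and the capitals suggest that it is one. Name what actually has to match, for example "the subject alternative name (SAN) DNS entry, or the common name, of the TLS certificate", and use that one term on every line that replaced CNAME. Line 203 also introduces a subject-verb error: "the second part of the communication ... are encrypted with TLS" should be "is encrypted with TLS".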
@@ -211,16 +211,16 @@ Imagine that you have an Application Gateway to serve the https requests for dom
211211

212212
On that Application Gateway you should have a listener for the host www.contoso.com with a rule that has the "Backed HTTP Setting" forced to use protocol HTTPS (ensuring End-to-end TLS). That same rule could have configured a backend pool with two VMs running IIS as Web servers.
213213

214-
As we know enabling HTTPS in the "Backed HTTP Setting" of the rule will make the second part of the communication that happens between the Application Gateway instances and the servers in the backend to use TLS.
214+
As we know enabling HTTPS in the "Backed HTTP Setting" of the rule makes the second part of the communication that happens between the Application Gateway instances and the servers in the backend to use TLS.
215215

216-
If the backend servers do not have a TLS certificate issued for the CNAME www.contoso.com or *.contoso.com, the request will fail with **Server Error: 502 - Web server received an invalid response while acting as a gateway or proxy server** because the upstream SSL certificate (the certificate installed on the backend servers) will not match the hostname in the host header, and hence the TLS negotiation will fail.
216+
If the backend servers do not have a TLS certificate issued for the DNS NAME www.contoso.com or *.contoso.com, the request fails with **Server Error: 502 - Web server received an invalid response while acting as a gateway or proxy server** because the upstream SSL certificate (the certificate installed on the backend servers) doesn't match the hostname in the host header, and hence the TLS negotiation fails.
217217

218218

219219
www.contoso.com --> APP GW front end IP --> Listener with a rule that configures "Backend HTTP Settings" to use protocol HTTPS rather than HTTP --> Backend Pool --> Web server (needs to have a TLS certificate installed for www.contoso.com)
220220

221221
## Solution
222222

223-
it is required that the CNAME of the TLS certificate installed on the backend server, matches the host name configured in the HTTP backend settings, otherwise the second part of the End-to-end communication that happens between the instances of the Application Gateway and the backend, will fail with "Upstream SSL certificate does not match", and will throw back a **Server Error: 502 - Web server received an invalid response while acting as a gateway or proxy server**
223+
It's required that the DNS NAME of the TLS certificate installed on the backend server, matches the host name configured in the HTTP backend settings, otherwise the second part of the End-to-end communication that happens between the instances of the Application Gateway and the backend, fails with "Upstream SSL certificate doesn't match", and throws back a **Server Error: 502 - Web server received an invalid response while acting as a gateway or proxy server**
224224

225225

226226
## Next steps
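Review bot: Line 214 is edited but keeps the typo "Backed HTTP Setting" (also present on context line 212); it should read "Backend HTTP Settings" as on line 219. The same line now reads "makes the second part of the communication ... to use TLS", which should be "use TLS" after the tense change. Line 216 leaves "do not have" uncontracted while the rest of the sentence was switched to "doesn't", and line 223 carries the same "DNS NAME" wording, so whatever term is chosen for the certificate name should be applied here too.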

articles/devtest-labs/devtest-lab-add-vm.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -39,7 +39,7 @@ This article describes how to create Azure virtual machines (VMs) in Azure DevTe
3939
- **Virtual machine size**: Keep the default value for the base, or select **Change Size** to select a different size. For more information about default VM sizes, see [Default VM sizes](#default-vm-sizes).
4040
- **Allow hibernation**: Select this option to enable hibernation for the virtual machine.
4141
>[!NOTE]
42-
>If you enable hibernation, you must also select **Public IP** in **Advanced Settings**. **Private** and **Shared** IPs aren't supported if hibernation is enabled.
42+
>If you enable hibernation, you must also select either **Public IP** or **Private IP** in **Advanced Settings**. Hibernation for **Shared IPs** isn't currently supported.
4343
- **OS disk type**: Keep the default value for the base, or select a different option from the dropdown list.
4444
- **Security type**: You can select **Trusted launch** to enable trusted launch for Generation 2 VMs. If you select **Trusted launch**, select the **Enable secure boot**, **Enable vTPM**, and **Integrity monitoring** checkboxes as needed. For more information, see [Trusted Launch for Azure virtual machines](/azure/virtual-machines/trusted-launch).
4545
- **Artifacts**: Optionally, select **Add or Remove Artifacts** to select and configure artifacts to add to the VM. For instructions, see [Add artifacts](#add-artifacts).
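Review bot: The hibernation IP restriction on line 42 is restated, with slightly different wording, in devtest-lab-gen2-vm.md, devtest-lab-hibernate-vm.md, devtest-lab-trusted-launch.md and tutorial-create-custom-lab.md in this same commit. Moving the sentence into a shared include would keep the five copies from drifting the next time the supported IP types change. If that is out of scope, at least align the bolding: this file bolds **Private IP** and **Shared IPs**, while the tutorial bolds only **Private** and **Shared**.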

articles/devtest-labs/devtest-lab-gen2-vm.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -45,7 +45,7 @@ You need at least [user](devtest-lab-add-devtest-user.md#devtest-labs-user) acce
4545
- **Password**: If you don't choose to use a secret, enter a VM password between 8 and 123 characters long.
4646
- **Save as default password**: Select this checkbox to save the password in the Key Vault associated with the lab.
4747
- **Virtual machine size**: Keep the default value for the base, or select **Change Size** to select different sizes.
48-
- **Allow hibernation**: Select this option to enable hibernation for the virtual machine. If you enable Hibernation, you also must select **Public IP** in the Advanced settings as Private and Shared IP are currently not supported if Hibernation is enabled.
48+
- **Allow hibernation**: Select this option to enable hibernation for the virtual machine. If you enable Hibernation, you also must select either **Public IP** or **Private IP** in the Advanced settings. Hibernation for **Shared IPs** isn't currently supported.
4949
- **OS disk type**: Keep the default value for the base, or select a different option from the dropdown list.
5050
- **Security type**: Select **Trusted Launch** to enable it for Generation 2 VMs. On selecting Trusted Launch, the options Secure boot, vTPM, and Integrity Monitoring will appear. Based on your needs, select the appropriate options among them for your deployment. For more information, see [Trusted Launch-enabled security features](/azure/virtual-machines/trusted-launch#secure-boot).
5151
- **Artifacts**: This field shows the number of artifacts already configured for this VM base. Optionally, select **Add or Remove Artifacts** to select and configure artifacts to add to the VM.
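Review bot: Line 48 mixes "hibernation" and "Hibernation" inside one bullet and leaves "Advanced settings" unbolded, while devtest-lab-add-vm.md line 42 writes **Advanced Settings**. Use lowercase "hibernation" throughout and format the UI label the same way in every article. The identical line 48 in devtest-lab-trusted-launch.md needs the same fix.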

articles/devtest-labs/devtest-lab-hibernate-vm.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -55,7 +55,7 @@ You need at least [user](devtest-lab-add-devtest-user.md#devtest-labs-user) acce
5555
- **Password**: If you don't choose to use a secret, enter a VM password between 8 and 123 characters long.
5656
- **Save as default password**: Select this checkbox to save the password in the Key Vault associated with the lab.
5757
- **Virtual machine size**: Keep the default value for the base, or select **Change Size** to select different sizes.
58-
- **Allow hibernation**: Select this option to enable hibernation for the virtual machine. If you enable Hibernation, you also must select **Public IP** in the Advanced settings as Private and Shared IP are currently not supported if Hibernation is enabled.
58+
- **Allow hibernation**: Select this option to enable hibernation for the virtual machine. If you enable Hibernation, you also must select either **Public IP** or **Private IP** in the Advanced settings. Hibernation for **Shared IPs** isn't currently supported.
5959
- **OS disk type**: Keep the default value for the base, or select a different option from the dropdown list.
6060
- **Security type**: Select **Trusted Launch** to enable it for Gen2 VMs. On selecting Trusted Launch When the options Secure boot, vTPM, and Integrity Monitoring appear, select the appropriate options for your deployment. For more information, see [Trusted Launch-enabled security features](/azure/virtual-machines/trusted-launch#secure-boot).
6161
- **Artifacts**: This field shows the number of artifacts already configured for this VM base. Optionally, select **Add or Remove Artifacts** to select and configure artifacts to add to the VM.
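Review bot: Context line 60, directly below the changed bullet, is garbled: "On selecting Trusted Launch When the options Secure boot, vTPM, and Integrity Monitoring appear" fuses two sentence openings. Since this list is being touched, reduce it to a single clause such as "When the options Secure boot, vTPM, and Integrity Monitoring appear, select ...", and write "Generation 2" as the sibling articles do instead of "Gen2".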

articles/devtest-labs/devtest-lab-trusted-launch.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -45,7 +45,7 @@ You need at least [user](devtest-lab-add-devtest-user.md#devtest-labs-user) acce
4545
- **Password**: If you don't choose to use a secret, enter a VM password between 8 and 123 characters long.
4646
- **Save as default password**: Select this checkbox to save the password in the Key Vault associated with the lab.
4747
- **Virtual machine size**: Keep the default value for the base, or select **Change Size** to select different sizes.
48-
- **Allow hibernation**: Select this option to enable hibernation for this virtual machine. If you enable Hibernation, you also must select **Public IP** in the Advanced settings as Private and Shared IP are currently not supported if Hibernation is enabled.
48+
- **Allow hibernation**: Select this option to enable hibernation for this virtual machine. If you enable Hibernation, you also must select either **Public IP** or **Private IP** in the Advanced settings. Hibernation for **Shared IPs** isn't currently supported.
4949
- **OS disk type**: Keep the default value for the base, or select a different option from the dropdown list.
5050
- **Security type**: Select **Trusted Launch** to enable it for Generation 2 VMs. On selecting Trusted Launch, the options Secure boot, vTPM, and Integrity Monitoring will appear. Based on your needs, select the appropriate options among them for your deployment. For more information, see [Trusted Launch-enabled security features](/azure/virtual-machines/trusted-launch#secure-boot).
5151
- **Artifacts**: This field shows the number of artifacts already configured for this VM base. Optionally, select **Add or Remove Artifacts** to select and configure artifacts to add to the VM.

articles/devtest-labs/tutorial-create-custom-lab.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -80,7 +80,7 @@ To add a VM to the lab, follow these steps. For more information, see [Create la
8080
- **Virtual machine size**: Keep the default value for the base, or select **Change Size** to select a different size.
8181
- **Allow hibernation**: You can select this checkbox to enable hibernation for this VM. For this tutorial, keep the checkbox deselected.
8282
>[!NOTE]
83-
>If you enable hibernation, you must also select **Public** for **IP Address** in the **Advanced settings**, because **Private** and **Shared** IPs aren't supported if hibernation is enabled.
83+
>If you enable hibernation, you must also select either **Public** or **Private** for **IP Address** in the **Advanced settings**, because hibernation for **Shared** IPs isn't currently supported.
8484
- **OS disk type**: You can select a disk type from the dropdown list. For this tutorial, keep the default value.
8585
- **Artifacts**: You can select **Add or Remove Artifacts** to select and configure artifacts to add to the VM. For more information, see [Add artifacts](devtest-lab-add-vm.md#add-optional-artifacts).
8686
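Review bot: Context line 85 links to devtest-lab-add-vm.md#add-optional-artifacts, but devtest-lab-add-vm.md in this same commit refers to its own section as #add-artifacts (context line 45 there). One of the two anchors is likely stale; verify which heading exists and fix the other while these files are open. On the changed line 83, the wording is fine, but consider matching the other articles' phrasing ("Public IP", "Private IP") so a search for the restriction finds all five copies.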

articles/event-hubs/compare-tiers.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
title: Compare Azure Event Hubs tiers
33
description: This article compares supported tiers of Azure Event Hubs.
44
ms.topic: article
5-
ms.date: 02/15/2024
5+
ms.date: 04/29/2025
66
---
77

88
# Compare Azure Event Hubs tiers

articles/event-hubs/includes/event-hubs-tier-features.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@ The following table shows the list of features that are available (or not availa
1818
| Private link | N/A | Yes | Yes | Yes |
1919
| Customer-managed key <br/>(bring your own key) | N/A | N/A | Yes | Yes |
2020
| Capture | N/A | Priced separately | Included | Included |
21-
| Dynamic partition scale-out | N/A | N/A | Yes | Yes |
21+
| Dynamic partitions scale-out | N/A | N/A | Yes | Yes |
2222
| Ingress events | Pay per million events | Pay per million events | Included | Included |
2323
| Runtime audit logs | N/A | N/A | Yes | Yes |
2424
| Availability zone | Yes | Yes | Yes | Yes |

articles/expressroute/expressroute-locations-providers.md

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ services: expressroute
55
author: duongau
66
ms.service: azure-expressroute
77
ms.topic: concept-article
8-
ms.date: 04/18/2025
8+
ms.date: 04/29/2025
99
ms.author: duau
1010
ms.custom: references_regions, template-concept, engagement-fy23
1111
---
@@ -20,7 +20,6 @@ The tables in this article provide information on ExpressRoute geographical cove
2020

2121
> [!NOTE]
2222
> Azure regions and ExpressRoute locations are two distinct and different concepts, understanding the difference between the two is critical to exploring Azure hybrid networking connectivity.
23-
>
2423
2524
## Azure regions
2625

@@ -44,6 +43,9 @@ The following table shows connectivity locations and the service providers for e
4443

4544
* **ER Direct** refers to [ExpressRoute Direct](expressroute-erdirect-about.md) support at each peering location. If you want to view the available bandwidth at a location, see [Determine available bandwidth](expressroute-howto-erdirect.md#resources)
4645

46+
> [!NOTE]
47+
> If you are a service provider interested in becoming an ExpressRoute partner, please complete and submit this [Microsoft Form](https://aka.ms/erproviderform).
48+
4749
### Global commercial Azure
4850

4951
#### [A-C](#tab/a-c)
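Review bot: The link text "Microsoft Form" on new line 47 does not tell the reader where https://aka.ms/erproviderform leads or what the form is for, and the short link hides the destination host. Use descriptive link text that names the form's purpose. "If you are" and "please" also depart from the contraction style the rest of this commit applies ("you're", no "please"), and the bullet on context line 45 still ends without a period.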
