Merge branch 'main' into iot-industrial-reviews

Author: dominicbetts

articles/api-center/synchronize-api-management-apis.md

@@ -28,7 +28,7 @@ API Management APIs automatically synchronize to the API center whenever existin
 
 > [!NOTE]
 > * There are [limits](../azure-resource-manager/management/azure-subscription-service-limits.md?toc=/azure/api-center/toc.json&bc=/azure/api-center/breadcrumb/toc.json#api-center-limits) for the number of linked API Management instances (API sources).
-> * API updates in API Management can take a few minutes to up to 24 hours to synchronize to your API center.
+> * API updates in API Management typically synchronize to your API center within minutes but synchronization can take up to 24 hours.
 
 ### Entities synchronized from API Management
 

articles/api-management/inject-vnet-v2.md

@@ -88,7 +88,7 @@ When you [create](get-started-create-service-instance.md) a Premium v2 instance
 
 1. In the **Create API Management service** wizard, select the **Networking** tab.
 1. In **Connectivity type**, select **Virtual network**.
-1. In **Type**, select **Internal**. 
+1. In **Type**, select **Virtual Network injection**. 
 1. In **Configure virtual networks**, select the virtual network and the delegated subnet that you want to inject. 
 1. Complete the wizard to create the API Management instance.
 

articles/azure-cache-for-redis/cache-how-to-premium-vnet.md

@@ -4,7 +4,7 @@ description: Learn how to create and manage virtual network support for your Pre
 
 
 ms.topic: conceptual
-ms.date: 08/29/2023
+ms.date: 12/12/2024
 
 ---
 
@@ -124,7 +124,10 @@ There are nine outbound port requirements. Outbound requests in these ranges are
 | --- | --- | --- | --- | --- | --- |
 | 80, 443 |Outbound |TCP |Redis dependencies on Azure Storage/PKI (internet) | (Redis subnet) |* <sup>4</sup> |
 | 443 | Outbound | TCP | Redis dependency on Azure Key Vault and Azure Monitor | (Redis subnet) | AzureKeyVault, AzureMonitor <sup>1</sup> |
-| 53 |Outbound |TCP/UDP |Redis dependencies on DNS (internet/virtual network) | (Redis subnet) | 168.63.129.16 and 169.254.169.254 <sup>2</sup> and any custom DNS server for the subnet <sup>3</sup> |
+| 12000 | Outbound | TCP | Redis dependency on Azure Monitor | (Redis subnet) |  AzureMonitor <sup>1</sup> |
+| 53 |Outbound |TCP/UDP | Redis dependencies on DNS (internet/virtual network) | (Redis subnet) | 168.63.129.16 and 169.254.169.254 <sup>2</sup> and any custom DNS server for the subnet <sup>3</sup> |
+| 123 | Outbound | UDP | Operating system dependency on NTP | (Redis subnet) | * |
+| 1688 | Outbound | TCP | Operating system dependency for activation | (Redis subnet) | * |
 | 8443 |Outbound |TCP |Internal communications for Redis | (Redis subnet) | (Redis subnet) |
 | 10221-10231 |Outbound |TCP |Internal communications for Redis | (Redis subnet) | (Redis subnet) |
 | 20226 |Outbound |TCP |Internal communications for Redis | (Redis subnet) |(Redis subnet) |
@@ -165,11 +168,14 @@ There are eight inbound port range requirements. Inbound requests in these range
 
 There are network connectivity requirements for Azure Cache for Redis that might not be initially met in a virtual network. Azure Cache for Redis requires all the following items to function properly when used within a virtual network:
 
-- Outbound network connectivity to Azure Key Vault endpoints worldwide. Azure Key Vault endpoints resolve under the DNS domain `vault.azure.net`.
-- Outbound network connectivity to Azure Storage endpoints worldwide. Endpoints located in the same region as the Azure Cache for Redis instance and storage endpoints located in _other_ Azure regions are included. Azure Storage endpoints resolve under the following DNS domains: `table.core.windows.net`, `blob.core.windows.net`, `queue.core.windows.net`, and `file.core.windows.net`.
+- Outbound network connectivity to Azure Key Vault endpoints worldwide. Azure Key Vault endpoints resolve under the DNS domain `*.vault.azure.net`.
+- Outbound network connectivity to Azure Storage endpoints worldwide. Endpoints located in the same region as the Azure Cache for Redis instance and storage endpoints located in _other_ Azure regions are included. Azure Storage endpoints resolve under the following DNS domains: `*.table.core.windows.net`, `*.blob.core.windows.net`, `*.queue.core.windows.net`, and `*.file.core.windows.net`.
 - Outbound network connectivity to `ocsp.digicert.com`, `crl4.digicert.com`, `ocsp.msocsp.com`, `mscrl.microsoft.com`, `crl3.digicert.com`, `cacerts.digicert.com`, `oneocsp.microsoft.com`, and `crl.microsoft.com`, `cacerts.geotrust.com`, `www.microsoft.com`, `cdp.geotrust.com`, `status.geotrust.com`. This connectivity is needed to support TLS/SSL functionality.
+- Outbound network connectivity to the following Azure Monitor endpoints, which resolve under the following DNS domains: `shoebox3.prod.microsoftmetrics.com`, `shoebox3-red.prod.microsoftmetrics.com`, `shoebox3-black.prod.microsoftmetrics.com`, `azredis.prod.microsoftmetrics.com`, `azredis-red.prod.microsoftmetrics.com`, `azredis-black.prod.microsoftmetrics.com`, `global.prod.microsoftmetrics.com`, `gcs.prod.monitoring.core.windows.net`, and `*.prod.warm.ingest.monitor.core.windows.net`.
+- Outbound network connectivity to the following endpoints for internal diagnostics, which resolve under the following DNS domains: `azurewatsonanalysis-prod.core.windows.net`, `*.data.microsoft.com`,  `shavamanifestazurecdnprod1.azureedge.net`, and `shavamanifestcdnprod1.azureedge.net`.
+- Outbound network connectivity to the following endpoints for the operating system update service, which resolve under the following DNS domains: `*.update.microsoft.com`, `*.ctldl.windowsupdate.com`, and `ctldl.windowsupdate.com`, `*.delivery.mp.microsoft.com`, and `download.windowsupdate.com`.
+- Outbound network connectivity to the following endpoints for the antivirus, which resolve under the following DNS domains: `go.microsoft.com`, `wdcp.microsoft.com`, `wdcpalt.microsoft.com`, and `definitionupdates.microsoft.com`.
 - The DNS configuration for the virtual network must be able to resolve all of the endpoints and domains mentioned in the earlier points. These DNS requirements can be met by ensuring a valid DNS infrastructure is configured and maintained for the virtual network.
-- Outbound network connectivity to the following Azure Monitor endpoints, which resolve under the following DNS domains: `shoebox3.prod.microsoftmetrics.com`, `shoebox3-red.prod.microsoftmetrics.com`, `shoebox3-black.prod.microsoftmetrics.com`, `azredis.prod.microsoftmetrics.com`, `azredis-red.prod.microsoftmetrics.com`, and `azredis-black.prod.microsoftmetrics.com`.
 
 ### How can I verify that my cache is working in a virtual network?
 

articles/azure-cache-for-redis/managed-redis/managed-redis-best-practices-connection.md

@@ -9,7 +9,7 @@ ms.topic: conceptual
 ms.date: 11/15/2024
 ---
 
-# Connection resilience with Azure Managed Redis(preview)
+# Connection resilience with Azure Managed Redis (preview)
 
 ## Retry commands
 

articles/azure-resource-manager/management/preview-features.md

@@ -2,7 +2,7 @@
 title: Set up preview features in Azure subscription
 description: Describes how to list, register, or unregister preview features in your Azure subscription for a resource provider.
 ms.topic: how-to
-ms.date: 09/26/2024
+ms.date: 12/12/2024
 ms.custom: devx-track-azurepowershell, devx-track-azurecli
 # Customer intent: As an Azure user, I want to use preview features in my subscription so that I can expose a resource provider's preview functionality.
 ---
@@ -25,7 +25,8 @@ You can list all the preview features and their registration states for an Azure
 
 # [Portal](#tab/azure-portal)
 
-The portal only shows a preview feature when the service that owns the feature has explicitly opted in to the preview features management experience.
+> [!NOTE]
+> The portal only shows a preview feature when the service that owns the feature has explicitly opted in to the preview features management experience. In case the feature you are looking for doesn't appear on the list available, we recommend using [Azure CLI](./preview-features.md?tabs=azure-cli#list-preview-features) and [Azure Powershell](./preview-features.md?tabs=azure-powershell#list-preview-features).
 
 1. Sign in to the [Azure portal](https://portal.azure.com/).
 1. In the search box, enter _subscriptions_ and select **Subscriptions**.
@@ -101,7 +102,7 @@ Name                                     RegistrationState
 Microsoft.Compute/InGuestPatchVMPreview  NotRegistered
 ```
 
-# [PowerShell](#tab/azure-powershell)
+# [Azure PowerShell](#tab/azure-powershell)
 
 To list all the subscription's preview features, use the [Get-AzProviderFeature](/powershell/module/az.resources/get-azproviderfeature) cmdlet.
 
@@ -210,7 +211,7 @@ Microsoft.Compute/InGuestPatchVMPreview  Registered
 > [!NOTE]
 > When the register command runs, a message is displayed that after the feature is registered, to run `az provider register --namespace <provider-name>` to propagate the changes.
 
-# [PowerShell](#tab/azure-powershell)
+# [Azure PowerShell](#tab/azure-powershell)
 
 To register a preview feature, use the [Register-AzProviderFeature](/powershell/module/az.resources/register-azproviderfeature) cmdlet.
 
@@ -306,7 +307,7 @@ Name                                     RegistrationState
 Microsoft.Compute/InGuestPatchVMPreview  Unregistered
 ```
 
-# [PowerShell](#tab/azure-powershell)
+# [Azure PowerShell](#tab/azure-powershell)
 
 To unregister a preview feature, use the [Unregister-AzProviderFeature](/powershell/module/az.resources/unregister-azproviderfeature) cmdlet. The `RegistrationState` state changes to **Unregistered**.
 

articles/azure-vmware/azure-vmware-solution-platform-updates.md

@@ -4,7 +4,7 @@ description: Learn about the platform updates to Azure VMware Solution.
 ms.topic: reference
 ms.custom: "references_regions, engagement-fy23"
 ms.service: azure-vmware
-ms.date: 11/22/2024
+ms.date: 12/12/2024
 ---
 
 # What's new in Azure VMware Solution
@@ -17,7 +17,7 @@ Azure VMware Solution is now ready to update all existing Azure Commercial custo
 
 All new Azure VMware Solution private clouds are being deployed with VMware vSphere 8.0 version in [Microsoft Azure Government](https://azure.microsoft.com/explore/global-infrastructure/government/#why-azure). [Learn more](architecture-private-clouds.md#vmware-software-versions)
 
-Trusted Launch is now available in all Azure VMware Solution regions. This enables Virtual Trusted Platform Module (vTPM) on virtual machines, ensuring compliance with the latest security standards and unlocking the potential to run modern operating systems like Microsoft Windows 11. [Learn more](https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vm_admin.doc/GUID-A43B6914-E5F9-4CB1-9277-448AC9C467FB.html)
+Trusted Launch is now available in all Azure VMware Solution regions. This enables Virtual Trusted Platform Module (vTPM) on virtual machines, ensuring compliance with the latest security standards and unlocking the potential to run modern operating systems like Microsoft Windows 11. [Learn more](configure-virtual-trusted-platform-module.md#configure-virtual-trusted-platform-module-vtpm-on-virtual-machines-with-azure-vmware-solution)
 
 ## October 2024
 

articles/azure-vmware/configure-site-to-site-vpn-gateway.md

@@ -82,8 +82,6 @@ A virtual hub is a virtual network that is created and used by Azure Virtual WAN
 
 2. Select the VPN Site for which you want to set up a custom IPsec policy.
 
-   :::image type="content" source="../virtual-wan/media/virtual-wan-custom-ipsec-portal/locate.png" alt-text="Screenshot showing the existing VPN sites to set up customer IPsec policies." lightbox="../virtual-wan/media/virtual-wan-custom-ipsec-portal/locate.png":::
-
 3. Select your VPN site name, select **More** (...) at the far right, and then select **Edit VPN Connection**.
 
    :::image type="content" source="../virtual-wan/media/virtual-wan-custom-ipsec-portal/contextmenu.png" alt-text="Screenshot showing the context menu for an existing VPN site." lightbox="../virtual-wan/media/virtual-wan-custom-ipsec-portal/contextmenu.png":::

articles/azure-vmware/media/nsxt/nsx-create-tier-1.png

@@ -33,13 +33,15 @@ items:
     href: tutorial-configure-networking.md
   - name: 4 - Access a private cloud
     href: tutorial-access-private-cloud.md
-  - name: 5 - Create an NSX network segment
+  - name: 5 - Create an NSX Tier-1 Gateway
+    href: tutorial-nsx-tier-1-gateway.md
+  - name: 6 - Create an NSX network segment
     href: tutorial-nsx-t-network-segment.md
-  - name: 6 - Peer on-premises to private cloud
+  - name: 7 - Peer on-premises to private cloud
     href: tutorial-expressroute-global-reach-private-cloud.md
-  - name: 7 - Scale a private cloud
+  - name: 8 - Scale a private cloud
     href: tutorial-scale-private-cloud.md
-  - name: 8 - Delete a private cloud
+  - name: 9 - Delete a private cloud
     href: tutorial-delete-private-cloud.md
 - name: Cost optimization
   items:

articles/azure-vmware/toc.yml

@@ -0,0 +1,64 @@
+---
+title:  Tutorial - NSX-Tier-1-Gateway
+description: Learn how to create a Tier-1 Gateway
+ms.topic: tutorial
+ms.service: azure-vmware
+ms.date: 12/11/2024
+ms.custom: engagement-fy25
+---
+
+# Tutorial: Create an NSX Tier-1 Gateway 
+
+After deploying the Azure VMware Solution, you can create additional Tier-1 Gateways from the NSX Manager. Once configured, the additional Tier-1 Gateway is visible in the NSX Manager. NSX comes pre-provisioned by default with an NSX Tier-0 Gateway in **Active/Active** mode and a default Tier-1 Gateway in **Active/Standby** mode. 
+
+In this tutorial, you learn how to:
+
+> [!div class="checklist"]
+> * Create an additional NSX Tier-1 Gateway in the NSX Manager
+> * Configure the High Availability (HA) mode on a Tier-1 Gateway 
+
+## Prerequisites
+
+An Azure VMware Solution private cloud with access to the NSX Manager interface. For more information, see the [Configure networking](tutorial-configure-networking.md) tutorial. 
+
+## Use NSX Manager to create a Tier-1 Gateway
+
+A Tier-1 Gateway is typically added to a Tier-0 Gateway in the northbound direction and to segments in the southbound direction. 
+
+1. With the CloudAdmin account, sign-in to the NSX Manager.
+
+2. In NSX Manager, select **Networking** > **Tier-1 Gateways**.
+
+3. Select **Add Tier-1 Gateway**. 
+
+4. Enter a name for the gateway. 
+
+5. Select the **HA Mode** for the Tier-1 Gateway. Choose between **Active/Standby**, **Active/Active**, or **Distributed Only**:
+ 
+    | HA Mode | Description |
+    | :--------- | :------------- |
+    | Active Standby | One active instance and one standby instance. The Standby takes over is the active fails. |
+    | Active Active | Both instances are active and can handle traffic simultaneously. |
+    | Distributed Only | No centralized instances; routing is distributed across all transport nodes. |
+
+6. Select a Tier-0 Gateway to connect to this Tier-1 Gateway to create a multi-tier topology. 
+
+7. Select an NSX Edge cluster if you want this Tier-1 Gateway to host stateful services such as NAT, load balancer, or firewall. 
+
+8. After you select an NSX Edge cluster, a toggle gives you the option to select NSX Edge Nodes. 
+
+9. If you selected an NSX Edge cluster, select a failover mode or accept the default. 
+
+     | Option | Description | 
+     | :----- | :---------- |
+     | Preemptive | If the preferred NSX Edge node fails and recovers, it preempts its peer and becomes the active node. The peer changes its state to standby. |
+     | Non-preemptive  | If the preferred NSX Edge node fails and recovers, it checks if its peer is the active node. If so, the preferred node will not preempt its peer and will be the standby node. This is the default option. |
+
+:::image type="content" source="media/nsxt/nsx-create-tier-1.png" alt-text="Diagram showing the creation of a new Tier-1 Gateway in NSX Manager." border="false" lightbox="media/nsxt/nsx-create-tier-1.png":::
+
+10. Select **Save**. 
+
+## Next steps
+
+In this tutorial, you created an additional Tier-1 Gateway to use in your Azure VMware Solution private cloud. 
+