Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into liveResizeLimits

Author: roygara

articles/app-service/environment/create-from-template.md

@@ -5,7 +5,7 @@ author: madsd
 
 ms.assetid: 6eb7d43d-e820-4a47-818c-80ff7d3b6f8e
 ms.topic: article
-ms.date: 01/20/2023
+ms.date: 03/27/2023
 ms.author: madsd
 ms.custom: seodec18
 ---
@@ -49,7 +49,7 @@ If you want to make an ASE, use this Resource Manager template [ASEv2][quickstar
 * *existingVirtualNetworkResourceGroup*: his parameter defines the resource group name of the existing virtual network and subnet where ASE will reside.
 * *subnetName*: This parameter defines the subnet name of the existing virtual network and subnet where ASE will reside.
 * *internalLoadBalancingMode*: In most cases, set this to 3, which means both HTTP/HTTPS traffic on ports 80/443, and the control/data channel ports listened to by the FTP service on the ASE, will be bound to an ILB-allocated virtual network internal address. If this property is set to 2, only the FTP service-related ports (both control and data channels) are bound to an ILB address. If this property is set to 0, the HTTP/HTTPS traffic remains on the public VIP.
-* *dnsSuffix*: This parameter defines the default root domain that's assigned to the ASE. In the public variation of Azure App Service, the default root domain for all web apps is *azurewebsites.net*. Because an ILB ASE is internal to a customer's virtual network, it doesn't make sense to use the public service's default root domain. Instead, an ILB ASE should have a default root domain that makes sense for use within a company's internal virtual network. For example, Contoso Corporation might use a default root domain of *internal-contoso.com* for apps that are intended to be resolvable and accessible only within Contoso's virtual network. 
+* *dnsSuffix*: This parameter defines the default root domain that's assigned to the ASE. In the public variation of Azure App Service, the default root domain for all web apps is *azurewebsites.net*. Because an ILB ASE is internal to a customer's virtual network, it doesn't make sense to use the public service's default root domain. Instead, an ILB ASE should have a default root domain that makes sense for use within a company's internal virtual network. For example, Contoso Corporation might use a default root domain of *internal-contoso.com* for apps that are intended to be resolvable and accessible only within Contoso's virtual network. To specify custom root domain you need to use api version `2018-11-01` or earlier versions.
 * *ipSslAddressCount*: This parameter automatically defaults to a value of 0 in the *azuredeploy.json* file because ILB ASEs only have a single ILB address. There are no explicit IP-SSL addresses for an ILB ASE. Hence, the IP-SSL address pool for an ILB ASE must be set to zero. Otherwise, a provisioning error occurs.
 
 After the *azuredeploy.parameters.json* file is filled in, create the ASE by using the PowerShell code snippet. Change the file paths to match the Resource Manager template-file locations on your machine. Remember to supply your own values for the Resource Manager deployment name and the resource group name:

articles/app-service/environment/create-ilb-ase.md

@@ -4,7 +4,7 @@ description: Learn how to create an App Service environment with an internal loa
 author: madsd
 ms.assetid: 0f4c1fa4-e344-46e7-8d24-a25e247ae138
 ms.topic: quickstart
-ms.date: 02/28/2023
+ms.date: 03/27/2023
 ms.author: madsd
 ms.custom: mvc, seodec18, mode-other
 ---
@@ -139,7 +139,7 @@ To learn more about how to configure your ILB ASE with a  WAF device, see [Confi
 
 ## ILB ASEs made before May 2019
 
-ILB ASEs that were made before May 2019 required you to set the domain suffix during ASE creation. They also required you to upload a default certificate that was based on that domain suffix. Also, with an older ILB ASE you can't perform single sign-on to the Kudu console with apps in that ILB ASE. When configuring DNS for an older ILB ASE, you need to set the wildcard A record in a zone that matches to your domain suffix. 
+ILB ASEs that were made before May 2019 required you to set the domain suffix during ASE creation. They also required you to upload a default certificate that was based on that domain suffix. Also, with an older ILB ASE you can't perform single sign-on to the Kudu console with apps in that ILB ASE. When configuring DNS for an older ILB ASE, you need to set the wildcard A record in a zone that matches to your domain suffix. Creating or changing ILB ASE with custom domain suffix requires you to use Azure Resource Manager templates and an api version prior to 2019. Last support api version is `2018-11-01`.
 
 ## Get started ##
 

articles/app-service/environment/using.md

@@ -3,7 +3,7 @@ title: Use an App Service Environment
 description: Learn how to use your App Service Environment to host isolated applications.
 author: madsd
 ms.topic: article
-ms.date: 02/14/2022
+ms.date: 03/27/2023
 ms.author: madsd
 ---
 
@@ -92,7 +92,7 @@ To configure DNS in Azure DNS private zones:
 1. Create an A record in that zone that points @ to the inbound IP address.
 1. Create an A record in that zone that points *.scm to the inbound IP address.
 
-The DNS settings for the default domain suffix of your App Service Environment don't restrict your apps to only being accessible by those names. You can set a custom domain name without any validation on your apps in an App Service Environment. If you then want to create a zone named `contoso.net`, you can do so and point it to the inbound IP address. The custom domain name works for app requests, but doesn't work for the `scm` site. The `scm` site is only available at *<appname>.scm.<asename>.appserviceenvironment.net*. 
+The DNS settings for the default domain suffix of your App Service Environment don't restrict your apps to only being accessible by those names. You can set a custom domain name without any validation on your apps in an App Service Environment. If you then want to create a zone named `contoso.net`, you can do so and point it to the inbound IP address. The custom domain name works for app requests, and if the custom domain suffix certificate includes a wildcard SAN for scm, custom domain name also work for `scm` site and you can create a `*.scm` record and point it to the inbound IP address.
 
 ## Publishing
 
@@ -173,6 +173,7 @@ If you have multiple App Service Environments, you might want some of them to be
 - **None**: Azure upgrades in no particular batch. This value is the default.
 - **Early**: Upgrade in the first half of the App Service upgrades.
 - **Late**: Upgrade in the second half of the App Service upgrades.
+- **Manual**: Get [15 days window](./how-to-upgrade-preference.md) to deploy the upgrade manually.
 
 Select the value you want, and then select **Save**.
 

articles/confidential-computing/quick-create-confidential-vm-azure-cli-amd.md

@@ -84,31 +84,42 @@ Make a note of the `publicIpAddress` to use later.
 
 Create a confidential [disk encryption set](../virtual-machines/linux/disks-enable-customer-managed-keys-cli.md) using [Azure Key Vault](../key-vault/general/quick-create-cli.md) or [Azure Key Vault managed Hardware Security Module (HSM)](../key-vault/managed-hsm/quick-create-cli.md). Based on your security and compliance needs you can choose either option. The following example uses Azure Key Vault Premium. 
 
-1.  Create an Azure Key Vault using the [az keyvault create](/cli/azure/keyvault) command. For the pricing tier, select Premium (includes support for HSM backed keys). Make sure that you have an owner role in this key vault.
+1. Grant confidential VM Service Principal `Confidential VM Orchestrator` to tenant
+For this step you need to be a Global Admin or you need to have the User Access Administrator RBAC role.
+  ```azurecli
+  Connect-AzureAD -Tenant "your tenant ID"
+  New-AzureADServicePrincipal -AppId bf7b6499-ff71-4aa2-97a4-f372087be7f0 -DisplayName "Confidential VM Orchestrator"    
+  ```
+2.  Create an Azure Key Vault using the [az keyvault create](/cli/azure/keyvault) command. For the pricing tier, select Premium (includes support for HSM backed keys). Make sure that you have an owner role in this key vault.
   ```azurecli-interactive
   az keyvault create -n keyVaultName -g myResourceGroup --enabled-for-disk-encryption true --sku premium --enable-purge-protection true
   ```
-2. Create a key in the key vault using [az keyvault key create](/cli/azure/keyvault). For the key type, use RSA-HSM.
+3. Give `Confidential VM Orchestrator` permissions to `get` and `release` the key vault.
+  ```azurecli
+  $cvmAgent = az ad sp show --id "bf7b6499-ff71-4aa2-97a4-f372087be7f0" | Out-String | ConvertFrom-Json
+  az keyvault set-policy --name $KeyVault --object-id $cvmAgent.objectId --key-permissions get release
+  ```
+4. Create a key in the key vault using [az keyvault key create](/cli/azure/keyvault). For the key type, use RSA-HSM.
   ```azurecli-interactive
   az keyvault key create --name mykey --vault-name keyVaultName --default-cvm-policy --exportable --kty RSA-HSM
   ```
-3. Create the disk encryption set using [az disk-encryption-set create](/cli/azure/disk-encryption-set). Set the encryption type to `ConfidentialVmEncryptedWithCustomerKey`.
+5. Create the disk encryption set using [az disk-encryption-set create](/cli/azure/disk-encryption-set). Set the encryption type to `ConfidentialVmEncryptedWithCustomerKey`.
   ```azurecli-interactive
 $keyVaultKeyUrl=(az keyvault key show --vault-name keyVaultName --name mykey--query [key.kid] -o tsv)
 
 az disk-encryption-set create --resource-group myResourceGroup --name diskEncryptionSetName --key-url $keyVaultKeyUrl  --encryption-type ConfidentialVmEncryptedWithCustomerKey
   ```
-4. Grant the disk encryption set resource access to the key vault using [az key vault set-policy](/cli/azure/keyvault).
+6. Grant the disk encryption set resource access to the key vault using [az key vault set-policy](/cli/azure/keyvault).
   ```azurecli-interactive
 $desIdentity=(az disk-encryption-set show -n diskEncryptionSetName -g myResourceGroup --query [identity.principalId] -o tsv)
 
 az keyvault set-policy -n keyVaultName -g myResourceGroup --object-id $desIdentity --key-permissions wrapkey unwrapkey get
   ```
-5. Use the disk encryption set ID to create the VM.
+7. Use the disk encryption set ID to create the VM.
   ```azurecli-interactive
 $diskEncryptionSetID=(az disk-encryption-set show -n diskEncryptionSetName -g myResourceGroup --query [id] -o tsv)
   ```
-6. Create a VM with the [az vm create](/cli/azure/vm) command. Choose `DiskWithVMGuestState` for OS disk confidential encryption with a customer-managed key. Enabling secure boot is optional, but recommended.  For more information, see [secure boot and vTPM](../virtual-machines/trusted-launch.md). For more information on disk encryption, see [confidential OS disk encryption](confidential-vm-overview.md).
+8. Create a VM with the [az vm create](/cli/azure/vm) command. Choose `DiskWithVMGuestState` for OS disk confidential encryption with a customer-managed key. Enabling secure boot is optional, but recommended.  For more information, see [secure boot and vTPM](../virtual-machines/trusted-launch.md). For more information on disk encryption, see [confidential OS disk encryption](confidential-vm-overview.md).
 
   ```azurecli-interactive
 az vm create \
@@ -186,4 +197,4 @@ echo -n $JWT | cut -d "." -f 2 | base64 -d 2>/dev/null | jq .
 ## Next steps
 
 > [!div class="nextstepaction"]
-> [Create a confidential VM on AMD with an ARM template](quick-create-confidential-vm-arm-amd.md)
+> [Create a confidential VM on AMD with an ARM template](quick-create-confidential-vm-arm-amd.md)

articles/spring-apps/toc.yml

@@ -16,6 +16,8 @@ items:
   items:
   - name: Launch your first app
     href: quickstart.md
+  - name: Launch your first event-driven app
+    href: quickstart-deploy-event-driven-app-standard-consumption.md
   - name: Run apps on Standard consumption plan
     expanded: true
     items:
@@ -25,8 +27,6 @@ items:
       href: quickstart-provision-standard-consumption-app-environment-with-virtual-network.md
     - name: Access apps in a VNet
       href: quickstart-access-standard-consumption-within-virtual-network.md
-    - name: Launch your first event-driven app
-      href: quickstart-deploy-event-driven-app-standard-consumption.md
     - name: Set up autoscale
       href: quickstart-apps-autoscale-standard-consumption.md
     - name: Map a custom domain to Azure Spring Apps

articles/virtual-machines/delete.md

@@ -53,13 +53,13 @@ To specify what happens to the attached resources when you delete a VM, use the
 - `--data-disk-delete-option` - data disk.
 - `--nic-delete-option` - NIC.
 
-In this example, we create a VM and set the OS disk and NIC to be deleted when we delete the VM.
+In this example, we create a VM named *myVM* in the resource group named *myResourceGroup* using an image named *myImage*, and set the OS disk and NIC to be deleted when we delete the VM.
 
 ```azurecli-interactive
 az vm create \
     --resource-group myResourceGroup \
     --name myVM \
-    --image UbuntuLTS \
+    --image myImage \
     --public-ip-sku Standard \
     --nic-delete-option delete \
     --os-disk-delete-option delete \
@@ -363,14 +363,14 @@ You can use the Azure REST API to apply force delete to your scale set. Use the
 
 ## FAQ
 
-### Q: Does this feature work with shared disks?
+### Q: Does this feature work with shared disks?
 
-A: For shared disks, you can't set the ‘deleteOption’ property to ‘Delete’. You can leave it blank or set it to ‘Detach’
+A: For shared disks, you can't set the ‘deleteOption’ property to ‘Delete’. You can leave it blank or set it to ‘Detach’
 
 
 ### Q: Which Azure resources support this feature?
 
-A: This feature is supported on all managed disk types used as OS disks and Data disks, NICs, and Public IPs
+A: This feature is supported on all managed disk types used as OS disks and Data disks, NICs, and Public IPs
 
 
 ### Q: Can I use this feature on disks and NICs that aren't associated with a VM?