Commit 53fb38f

Merge branch 'release-aio-ga' of https://github.com/MicrosoftDocs/azure-docs-pr into release-aio-ga
2 parents 88e7516 + 68b7498 commit 53fb38f

88 files changed

+1692
-167
lines changed

articles/iot-operations/connect-to-cloud/concept-schema-registry.md

Lines changed: 20 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ description: Learn how schema registry handles message schemas to work with Azur
44
author: kgremban
55
ms.author: kgremban
66
ms.topic: conceptual
7-
ms.date: 10/30/2024
7+
ms.date: 11/14/2024
88

99
#CustomerIntent: As an operator, I want to understand how I can use message schemas to filter and transform messages.
1010
---
@@ -62,7 +62,7 @@ JSON:
6262

6363
Delta:
6464

65-
```delta
65+
```json
6666
{
6767
"$schema": "Delta/1.0",
6868
"type": "object",
@@ -87,7 +87,7 @@ Message schemas are used in all three phases of a dataflow: defining the source
8787

8888
### Input schema
8989

90-
Each dataflow source can optionally specify a message schema. If a schema is defined for a dataflow source, any incoming messages that don't match the schema are dropped.
90+
Each dataflow source can optionally specify a message schema. Currently, dataflows doesn't perform runtime validation on source message schemas.
9191

9292
Asset sources have a predefined message schema that was created by the connector for OPC UA.
9393

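Review bot: At new line 90, "dataflows doesn't perform" should read "dataflows don't perform". The behaviour described also reverses: the old sentence promised that messages not matching the schema were dropped, and the new one says no runtime validation happens, so add a sentence stating that non-matching messages still enter the dataflow and that any filtering of malformed input has to be handled explicitly rather than assumed from the source schema.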
@@ -101,10 +101,19 @@ The operations experience uses the input schema as a starting point for your dat
101101

102102
### Output schema
103103

104-
Output schemas are associated with dataflow destinations are only used for dataflows that select local storage, Fabric, Azure Storage (ADLS Gen2), or Azure Data Explorer as the destination endpoint. Currently, Azure IoT Operations experience only supports Parquet output for output schemas.
104+
Output schemas are associated with dataflow destinations.
105+
106+
In the operations experience portal, you can configure output schemas for the following destination endpoints that support Parquet output:
107+
108+
* local storage
109+
* Fabric OneLake
110+
* Azure Storage (ADLS Gen2)
111+
* Azure Data Explorer
105112

106113
Note: The Delta schema format is used for both Parquet and Delta output.
107114

115+
If you use Bicep or Kubernetes, you can configure output schemas using JSON output for MQTT and Kafka destination endpoints. MQTT- and Kafka-based destinations don't support Delta format.
116+
108117
For these dataflows, the operations experience applies any transformations to the input schema then creates a new schema in Delta format. When the dataflow custom resource (CR) is created, it includes a `schemaRef` value that points to the generated schema stored in the schema registry.
109118

110119
To upload an output schema, see [Upload schema](#upload-schema).
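Review bot: The new paragraph at line 115 about MQTT and Kafka destinations lands directly before "For these dataflows, the operations experience applies any transformations to the input schema then creates a new schema in Delta format", so "these dataflows" now reads as the MQTT and Kafka ones, which the new paragraph says don't support Delta format. Move the Bicep/Kubernetes paragraph below the `schemaRef` paragraph, or reword "For these dataflows" to name the Parquet destinations listed at lines 108-111.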
@@ -131,6 +140,13 @@ The following example creates a schema called `myschema` from inline content and
131140
az iot ops schema create -n myschema -g myresourcegroup --registry myregistry --format delta --type message --version-content '{\"hello\": \"world\"}' --ver 14
132141
```
133142

143+
>[!TIP]
144+
>If you don't know your registry name, use the `schema registry list` command to query for it. For example:
145+
>
146+
>```azurecli
147+
>az iot ops schema registry list -g myresourcegroup --query "[].{Name:name}" -o tsv
148+
>```
149+
134150
Once the `create` command is completed, you should see a blob in your storage account container with the schema content. The name for the blob is in the format `schema-namespace/schema/version`.
135151
136152
You can see more options with the helper command `az iot ops schema -h`.
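Review bot: The TIP at lines 143-148 sits between the `az iot ops schema create` example and "Once the `create` command is completed", so it separates the command from the description of its result, and the reader learns how to look up the registry name only after the command that needs it. Move the tip above the example so that `--registry myregistry` can be filled in before the command is run.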

articles/iot-operations/connect-to-cloud/overview-dataflow.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -60,7 +60,7 @@ By using dataflows, you can efficiently manage your data paths. You can ensure t
6060

6161
## Schema registry
6262

63-
Schema registry, a feature provided by Azure Device Registry, is a synchronized repository in the cloud and at the edge. The schema registry stores the definitions of messages coming from edge assets, and then exposes an API to access those schemas at the edge. Southbound connectors like the OPC UA connector can create message schemas and add them to the schema registry or customers can upload schemas to the operations experience web UI.
63+
Schema registry, a feature provided by Azure Device Registry, is a synchronized repository in the cloud and at the edge. The schema registry stores the definitions of messages coming from edge assets, and then exposes an API to access those schemas at the edge. Southbound connectors like the connector for OPC UA can create message schemas and add them to the schema registry or customers can upload schemas to the operations experience web UI.
6464

6565
Dataflows uses messages schemas to transform the message into the format expected by the destination endpoint.
6666

articles/iot-operations/deploy-iot-ops/concept-production-guidelines.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@ Decide whether you're deploying Azure IoT Operations to a single-node or multi-n
1818

1919
## Platform
2020

21-
Currently, K3s on Ubuntu 20.04 is the only generally available platform for deploying Azure IoT Operations in production.
21+
Currently, K3s on Ubuntu 24.04 is the only generally available platform for deploying Azure IoT Operations in production.
2222

2323
## Cluster setup
2424

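Review bot: Line 21 changes the only supported production platform from Ubuntu 20.04 to Ubuntu 24.04 in place, with no other text in this hunk acknowledging the change. Confirm that every other article that states an Ubuntu version for K3s agrees with 24.04, and consider a short note for readers who built production clusters on 20.04 from the earlier wording.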
@@ -31,7 +31,7 @@ Create an Arc-enabled K3s cluster that meets the system requirements.
3131
* [Configure the cluster](./howto-prepare-cluster.md) according to documentation.
3232
* If you expect intermittent connectivity for your cluster, ensure that you've allocated enough disk space to the cluster cache data and messages while the [cluster is offline](../overview-iot-operations.md#offline-support).
3333
* If possible, have a second cluster as a staging area for testing new changes before deploying to the primary production cluster.
34-
* [Turn off auto-upgrade for Azure Arc](/azure/azure-arc/kubernetes/agent-upgrade#toggle-automatic-upgrade-on-or-off-when-connecting-a-cluster-to-azure-arc) to have complete control over when new updates are applied to your cluster.
34+
* [Turn off auto-upgrade for Azure Arc](/azure/azure-arc/kubernetes/agent-upgrade#toggle-automatic-upgrade-on-or-off-when-connecting-a-cluster-to-azure-arc) to have complete control over when new updates are applied to your cluster. Instead, [manually upgrade agents](/azure/azure-arc/kubernetes/agent-upgrade#manually-upgrade-agents) as needed.
3535
* *For multi-node clusters*: [Configure clusters with Edge Volumes](./howto-prepare-cluster.md#configure-multi-node-clusters-for-azure-container-storage) to prepare for enabling fault tolerance during deployment.
3636

3737
### Security
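Review bot: "Instead, manually upgrade agents as needed" at line 34 gives the reader no trigger for upgrading: once auto-upgrade is off, the Arc agents stay on the installed version until someone acts. Say what should prompt a manual upgrade, and tie it to the staging-cluster bullet on line 33 so that agent updates are tested there before they reach the production cluster.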
@@ -64,7 +64,7 @@ In the Azure portal deployment wizard, the broker resource is set up in the **Co
6464

6565
| Setting | Single node | Multi node |
6666
| ------- | ----------- | ---------- |
67-
| **frontendReplicas** | 2 | 5 |
67+
| **frontendReplicas** | 1 | 5 |
6868
| **frontendWorkers** | 4 | 8 |
6969
| **backendRedundancyFactor** | 2 | 2 |
7070
| **backendWorkers** | 1 | 4 |
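Review bot: The single-node value for **frontendReplicas** at line 67 drops from 2 to 1 with no accompanying text, while **backendRedundancyFactor** stays at 2 in the same column. Add a sentence near the table explaining why one frontend replica is the production recommendation for a single node, so readers who deployed with the earlier value know whether they need to change it.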

articles/iot-operations/deploy-iot-ops/howto-deploy-iot-operations.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,7 @@ In this article, we discuss Azure IoT Operations *deployments* and *instances*,
2222
* Custom locations
2323
* Resources that you can configure in your Azure IoT Operations solution, like assets and asset endpoints.
2424

25-
* An Azure IoT Operations *instance* is the parent resource that bundles the suite of services that are defined in [What is Azure IoT Operations?](../overview-iot-operations.md) like MQTT broker, dataflows, and OPC UA connector.
25+
* An Azure IoT Operations *instance* is the parent resource that bundles the suite of services that are defined in [What is Azure IoT Operations?](../overview-iot-operations.md) like MQTT broker, dataflows, and connector for OPC UA.
2626

2727
When we talk about deploying Azure IoT Operations, we mean the full set of components that make up a *deployment*. Once the deployment exists, you can view, manage, and update the *instance*.
2828

@@ -48,7 +48,7 @@ A cluster host:
4848

4949
* Have an Azure Arc-enabled Kubernetes cluster with the custom location and workload identity features enabled. If you don't have one, follow the steps in [Prepare your Azure Arc-enabled Kubernetes cluster](./howto-prepare-cluster.md).
5050

51-
If you deployed Azure IoT Operations to your cluster previously, uninstall those resources before continuing. For more information, see [Update Azure IoT Operations](./howto-manage-update-uninstall.md#upgrade).
51+
If you deployed Azure IoT Operations to your cluster previously, uninstall those resources before continuing. For more information, see [Update Azure IoT Operations](./howto-manage-update-uninstall.md#uninstall).
5252

5353
* (Optional) Prepare your cluster for observability before deploying Azure IoT Operations: [Configure observability](../configure-observability-monitoring/howto-configure-observability.md).
5454

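Review bot: At line 51 the link target changes to `#uninstall`, but the link text is still "Update Azure IoT Operations", so the reader is told to uninstall and is then offered a link that appears to be about updating. Change the link text to match the destination, for example "Uninstall Azure IoT Operations".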
@@ -178,7 +178,7 @@ Use these steps if you chose the **Secure settings** option on the **Dependency
178178
| Parameter | Value |
179179
| --------- | ----- |
180180
| **Subscription** | Select the subscription that contains your Azure key vault. |
181-
| **Azure Key Vault** | Select an Azure key vault select **Create new**.<br><br>Ensure that your key vault has **Azure role-based access control** as its permission model. To check this setting, select **Manage selected vault** > **Settings** > **Access configuration**. |
181+
| **Azure Key Vault** | Select an Azure key vault or select **Create new**.<br><br>Ensure that your key vault has **Azure role-based access control** as its permission model. To check this setting, select **Manage selected vault** > **Settings** > **Access configuration**. <br><br>Ensure to [give your user account permissions to manage secrets](/azure/key-vault/secrets/quick-create-cli#give-your-user-account-permissions-to-manage-secrets-in-key-vault) with the `Key Vault Secrets Officer` role.|
182182
| **User assigned managed identity for secrets** | Select an identity or select **Create new**. |
183183
| **User assigned managed identity for AIO components** | Select an identity or select **Create new**. Don't use the same managed identity as the one you selected for secrets. |
184184

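Review bot: In the **Azure Key Vault** cell at line 181, "Ensure to give your user account permissions" is ungrammatical; "Make sure that your user account has the `Key Vault Secrets Officer` role" reads better. Because this role lets the account manage secrets, state that it is to be assigned on the key vault selected in this step, and add the missing space before the closing `|` to match the other rows.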
articles/iot-operations/deploy-iot-ops/howto-enable-secure-settings.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -100,7 +100,7 @@ Secrets management for Azure IoT Operations uses the Secret Store extension to s
100100

101101
To set up secrets management:
102102

103-
1. [Create an Azure key vault](/azure/key-vault/secrets/quick-create-cli#create-a-key-vault) that's used to store secrets, and [give your user account permissions to manage secrets](/azure/key-vault/secrets/quick-create-cli#give-your-user-account-permissions-to-manage-secrets-in-key-vault) with the `Key Vaults Secrets Officer` role.
103+
1. [Create an Azure key vault](/azure/key-vault/secrets/quick-create-cli#create-a-key-vault) that's used to store secrets, and [give your user account permissions to manage secrets](/azure/key-vault/secrets/quick-create-cli#give-your-user-account-permissions-to-manage-secrets-in-key-vault) with the `Key Vault Secrets Officer` role.
104104
1. [Create a user-assigned managed identity](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp#create-a-user-assigned-managed-identity) for the Secret Store extension.
105105
1. Use the [az iot ops secretsync enable](/cli/azure/iot/ops/secretsync#az-iot-ops-secretsync-enable) command to set up the Azure IoT Operations instance for secret synchronization. This command:
106106

articles/iot-operations/deploy-iot-ops/howto-manage-update-uninstall.md

Lines changed: 2 additions & 38 deletions
Original file line numberDiff line numberDiff line change
@@ -131,15 +131,15 @@ az iot ops update --name <INSTANCE_NAME> --resource-group --tags ""
131131

132132
### Manage components
133133

134-
Each Azure IoT Operations instance includes several components, like the MQTT broker, OPC UA connector, and dataflows. To learn more about managing these components, see their respective articles. For example, to manage the MQTT broker, start with [Broker overview](../manage-mqtt-broker/overview-broker.md).
134+
Each Azure IoT Operations instance includes several components, like the MQTT broker, connector for OPC UA, and dataflows. To learn more about managing these components, see their respective articles. For example, to manage the MQTT broker, start with [Broker overview](../manage-mqtt-broker/overview-broker.md).
135135

136136
### (Preview) Manage components using Kubernetes deployment manifests
137137

138138
In general, Azure IoT Operations uses the Azure Arc platform to provide a hybrid cloud experience where you can manage the configuration through Azure Resource Manager (ARM) and front-end tools like the Azure portal, Bicep, and the Azure CLI.
139139

140140
However, you can also manage the components of Azure IoT Operations using YAML Kubernetes deployment manifests. This means you can use tools like `kubectl` to manage some components of Azure IoT Operations. This feature is in preview and has some limitations:
141141

142-
- Only some components support using Kubernetes deployment manifests. These components are the [MQTT broker](../manage-mqtt-broker/overview-broker.md) and [dataflows](../connect-to-cloud/overview-dataflow.md). Other components like the OPC UA connector and Akri don't support this feature.
142+
- Only some components support using Kubernetes deployment manifests. These components are the [MQTT broker](../manage-mqtt-broker/overview-broker.md) and [dataflows](../connect-to-cloud/overview-dataflow.md). Other components like the connector for OPC UA and Akri don't support this feature.
143143
- Unless Azure IoT Operations is [deployed with resource sync enabled using `az iot ops create --enable-rsync`](/cli/azure/iot/ops#az-iot-ops-create), changes made to the resources using Kubernetes deployment manifests are not synced to Azure. To learn more about resource sync, see [Resource sync](/azure/azure-arc/data/resource-sync).
144144
- Even if resource sync is enabled, brand new resources created using Kubernetes deployment manifests are not synced to Azure. Only changes to existing resources are synced.
145145

@@ -186,39 +186,3 @@ az iot ops delete --name <INSTANCE_NAME> --resource-group <RESOURCE_GROUP> --inc
186186
```
187187

188188
---
189-
190-
## Upgrade
191-
192-
Azure IoT Operations supports upgrading instances to new versions as they're released.
193-
194-
You can't upgrade from a preview installation to a GA version.
195-
196-
> [!NOTE]
197-
> There's a known issue with upgrading Azure IoT Operations if the MQTT broker only has one backend replica. Only upgrade Azure IoT Operations if the Broker has more than one backend replica.
198-
199-
### [Azure portal](#tab/portal)
200-
201-
1. In the [Azure portal](https://portal.azure.com), go to the resource group that contains your Azure IoT Operations instance, or search for and select **Azure IoT Operations**.
202-
203-
1. Select the name of your Azure IoT Operations instance.
204-
205-
1. On the **Overview** page of your instance, select **Upgrade**.
206-
207-
1. The **Upgrade Azure IoT Operations** wizard prompts you to make sure you have the latest version for the Azure IoT Operations CLI extension. Copy and run the provided `az extension add` command.
208-
209-
1. Update to the latest version of Azure IoT Operations instance. Copy and run the provided `az iot ops upgrade` command.
210-
211-
1. Once the upgrade command completes successfully, you can exit the wizard and refresh your instance page.
212-
213-
### [Azure CLI](#tab/cli)
214-
215-
Use the `az iot ops upgrade` command to upgrade an Azure IoT Operations deployment. This command:
216-
217-
* Upgrades Azure Arc extensions on your cluster.
218-
* Upgrades the Azure IoT Operations instance.
219-
220-
```azurecli
221-
az iot ops upgrade --resource-group <RESOURCE_GROUP> --name <INSTANCE_NAME>
222-
```
223-
224-
---
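Review bot: The NOTE removed at old lines 196-197 (known issue when the MQTT broker has only one backend replica) does not reappear in the upgrade article added elsewhere in this commit; if the issue still applies, carry the note over so it is not lost. Removing the `## Upgrade` heading also removes the `#upgrade` anchor, so any remaining inbound links to it need the same retargeting that howto-deploy-iot-operations.md received in this commit.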

articles/iot-operations/deploy-iot-ops/howto-prepare-cluster.md

Lines changed: 7 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -84,7 +84,7 @@ This section provides steps to create clusters in validated environments on Linu
8484

8585
To prepare a K3s Kubernetes cluster on Ubuntu:
8686

87-
1. Install K3s following the instructions in the [K3s quick-start guide](https://docs.k3s.io/quick-start).
87+
1. Create a single-node or multi-node K3s cluster. For examples, see the [K3s quick-start guide](https://docs.k3s.io/quick-start) or [K3s related projects](https://docs.k3s.io/related-projects).
8888

8989
1. Check to see that kubectl was installed as part of K3s. If not, follow the instructions to [Install kubectl on Linux](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/).
9090

@@ -161,9 +161,11 @@ Connect your cluster to Azure Arc so that it can be managed remotely.
161161
1. Use the [az connectedk8s connect](/cli/azure/connectedk8s#az-connectedk8s-connect) command to Arc-enable your Kubernetes cluster and manage it as part of your Azure resource group.
162162

163163
```azurecli
164-
az connectedk8s connect --name <CLUSTER_NAME> -l <REGION> --resource-group <RESOURCE_GROUP> --subscription <SUBSCRIPTION_ID> --enable-oidc-issuer --enable-workload-identity
164+
az connectedk8s connect --name <CLUSTER_NAME> -l <REGION> --resource-group <RESOURCE_GROUP> --subscription <SUBSCRIPTION_ID> --enable-oidc-issuer --enable-workload-identity --disable-auto-upgrade
165165
```
166166

167+
To prevent unplanned updates to Azure Arc and the system Arc extensions that Azure IoT Operations uses as dependencies, this command disables auto-upgrade. Instead, [manually upgrade agents](/azure/azure-arc/kubernetes/agent-upgrade#manually-upgrade-agents) as needed.
168+
167169
1. Get the cluster's issuer URL.
168170

169171
```azurecli
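Review bot: `--disable-auto-upgrade` is added at line 164 to the only `az connectedk8s connect` command in this step, so every reader who follows the article ends up with auto-upgrade off, not only those building production clusters. The paragraph at line 167 explains why, but it should also say that the flag can be left out when unattended agent updates are acceptable, and link to the "toggle automatic upgrade on or off" section that concept-production-guidelines.md already references so readers can turn it back on later.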
@@ -216,7 +218,9 @@ For instructions on running the script, see [Configure an AKS Edge Essentials cl
216218

217219
### [AKS on Azure Local](#tab/azure-local)
218220

219-
For instructions on creating and Arc-enabling a cluster on Azure Local, see [Create Kubernetes clusters using Azure CLI](/azure/aks/hybrid/aks-create-clusters-cli).
221+
For instructions on creating and Arc-enabling an AKS cluster on Azure Local, see [Create Kubernetes clusters using Azure CLI](/azure/aks/hybrid/aks-create-clusters-cli).
222+
223+
Then, once you have an Azure Arc-enabled Kubernetes cluster, you can [deploy Azure IoT Operations](howto-deploy-iot-operations.md).
220224

221225
---
222226

Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,33 @@
1+
---
2+
title: Upgrade or rollback
3+
description: Upgrade an Azure IoT Operations instance or rollback to a previous version.
4+
author: kgremban
5+
ms.author: kgremban
6+
ms.topic: how-to
7+
ms.custom: devx-track-azurecli
8+
ms.date: 11/11/2024
9+
10+
#CustomerIntent: As an OT professional, I want to manage Azure IoT Operations instances.
11+
---
12+
13+
# Upgrade or rollback between versions
14+
15+
Upgrade an Azure IoT Operations instance to a newer version or rollback to a previous version. Azure IoT Operations supports upgrade and rollback from version 1.0.x onwards. There is no support for upgrading from any preview version of Azure IoT Operations to any generally available (GA) version.
16+
17+
>[!NOTE]
18+
>Currently, Azure IoT Operations has only one generally available version. Upgrade and rollback will be available once there are additional versions to upgrade or rollback between.
19+
20+
## Understand upgrade support
21+
22+
Upgrade and rollback are supported between N+2 or N-2 minor versions of Azure IoT Operations, or between any patch versions of the same minor version. The following table provides examples:
23+
24+
| Current version | Upgrade range | Rollback range |
25+
| --------------- | ------------- | -------------- |
26+
| 1.0.0 | 1.0.1 through 1.2.x | None |
27+
| 1.1.0 | 1.1.1 through 1.3.x | 1.0.x |
28+
29+
## Upgrade
30+
31+
Azure IoT Operations supports upgrading instances to new GA versions as they're released.
32+
33+
You can't upgrade from a preview installation to a GA version. To move to version 1.0.x, [uninstall Azure IoT Operations](howto-manage-update-uninstall.md#uninstall) and reinstall the new version.
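Review bot: Lines 15 and 33 state the preview-to-GA restriction twice ("There is no support for upgrading from any preview version..." and "You can't upgrade from a preview installation to a GA version."); keep one of them. The `## Upgrade` section at lines 29-33 contains no steps and there is no rollback section although the title promises both, so either add the procedures or say in those sections, as the NOTE at line 18 does, that they will follow. Where it is used as a verb (lines 3, 15 and 18), "rollback" should be "roll back".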

articles/iot-operations/deploy-iot-ops/overview-deploy.md

Lines changed: 0 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -79,21 +79,6 @@ If you use the Azure portal to assign privileged admin roles to a user or princi
7979

8080
:::image type="content" source="./media/howto-deploy-iot-operations/add-role-assignment-conditions.png" alt-text="Screenshot that shows assigning users highly privileged role access in the Azure portal.":::
8181

82-
## Included components
83-
84-
Azure IoT Operations is a suite of data services that run on Azure Arc-enabled edge Kubernetes clusters. It also depends on a set of support services that are also installed as part of a deployment.
85-
86-
* Azure IoT Operations core services
87-
* Dataflows
88-
* MQTT Broker
89-
* Connector for OPC UA
90-
* Akri
91-
92-
* Installed dependencies
93-
* [Azure Device Registry](../discover-manage-assets/overview-manage-assets.md#store-assets-as-azure-resources-in-a-centralized-registry)
94-
* [Azure Container Storage enabled by Azure Arc](/azure/azure-arc/container-storage/overview)
95-
* [Azure Key Vault Secret Store extension](/azure/azure-arc/kubernetes/secret-store-extension)
96-
9782
## Organize instances by using sites
9883

9984
Azure IoT Operations supports Azure Arc sites for organizing instances. A _site_ is a cluster resource in Azure like a resource group, but sites typically group instances by physical location and make it easier for OT users to locate and manage assets. An IT administrator creates sites and scopes them to a subscription or resource group. Then, any Azure IoT Operations deployed to an Arc-enabled cluster is automatically collected in the site associated with its subscription or resource group
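Review bot: The removed "Included components" section (old lines 82-96) was the list of what a deployment installs on the cluster, including the Azure Device Registry, Azure Container Storage and Azure Key Vault Secret Store extension dependencies, and nothing in this hunk points to where that list now lives. Leave a one-line pointer to its new location so operators can still inventory what runs on the cluster. The context line at 84 also ends without a period after "resource group".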
