Merge pull request #252753 from MicrosoftDocs/main

9/25 OOB Publish

Author: huypub

.openpublishing.redirection.active-directory.json

@@ -10,6 +10,176 @@
       "redirect_url": "/azure/active-directory/develop/enterprise-app-role-management",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/global-secure-access/concept-global-secure-access-logs-monitoring.md",
+      "redirect_url": "/entra/global-secure-access/concept-global-secure-access-logs-monitoring",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/concept-private-access.md",
+      "redirect_url": "/entra/global-secure-access/concept-private-access",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/concept-remote-network-connectivity.md",
+      "redirect_url": "/entra/global-secure-access/concept-remote-network-connectivity",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/concept-traffic-dashboard.md",
+      "redirect_url": "/entra/global-secure-access/concept-traffic-dashboard",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/concept-traffic-forwarding.md",
+      "redirect_url": "/entra/global-secure-access/concept-traffic-forwarding",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/concept-universal-conditional-access.md",
+      "redirect_url": "/entra/global-secure-access/concept-universal-conditional-access",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/how-to-access-audit-logs.md",
+      "redirect_url": "/entra/global-secure-access/how-to-access-audit-logs",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/how-to-assign-traffic-profile-to-remote-network.md",
+      "redirect_url": "/entra/global-secure-access/how-to-assign-traffic-profile-to-remote-network",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/how-to-compliant-network.md",
+      "redirect_url": "/entra/global-secure-access/how-to-compliant-network",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/how-to-configure-connectors.md",
+      "redirect_url": "/entra/global-secure-access/how-to-configure-connectors",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/how-to-configure-customer-premises-equipment.md",
+      "redirect_url": "/entra/global-secure-access/how-to-configure-customer-premises-equipment",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/how-to-configure-per-app-access.md",
+      "redirect_url": "/entra/global-secure-access/how-to-configure-per-app-access",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/how-to-configure-quick-access.md",
+      "redirect_url": "/entra/global-secure-access/how-to-configure-quick-access",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/how-to-create-remote-network-custom-ike-policy.md",
+      "redirect_url": "/entra/global-secure-access/how-to-create-remote-network-custom-ike-policy",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/how-to-create-remote-networks.md",
+      "redirect_url": "/entra/global-secure-access/how-to-create-remote-networks",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/how-to-get-started-with-global-secure-access.md",
+      "redirect_url": "/entra/global-secure-access/how-to-get-started-with-global-secure-access",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/how-to-install-windows-client.md",
+      "redirect_url": "/entra/global-secure-access/how-to-install-windows-client",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/how-to-list-remote-networks.md",
+      "redirect_url": "/entra/global-secure-access/how-to-list-remote-networks",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/how-to-manage-microsoft-365-profile.md",
+      "redirect_url": "/entra/global-secure-access/how-to-manage-microsoft-365-profile",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/how-to-manage-private-access-profile.md",
+      "redirect_url": "/entra/global-secure-access/how-to-manage-private-access-profile",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/how-to-manage-remote-network-device-links.md",
+      "redirect_url": "/entra/global-secure-access/how-to-manage-remote-network-device-links",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/how-to-manage-remote-networks.md",
+      "redirect_url": "/entra/global-secure-access/how-to-manage-remote-networks",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/how-to-simulate-remote-network.md",
+      "redirect_url": "/entra/global-secure-access/how-to-simulate-remote-network",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/how-to-source-ip-restoration.md",
+      "redirect_url": "/entra/global-secure-access/how-to-source-ip-restoration",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/how-to-target-resource-microsoft-365-profile.md",
+      "redirect_url": "/entra/global-secure-access/how-to-target-resource-microsoft-365-profile",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/how-to-target-resource-private-access-apps.md",
+      "redirect_url": "/entra/global-secure-access/how-to-target-resource-private-access-apps",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/how-to-universal-tenant-restrictions.md",
+      "redirect_url": "/entra/global-secure-access/how-to-universal-tenant-restrictions",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/how-to-view-enriched-logs.md",
+      "redirect_url": "/entra/global-secure-access/how-to-view-enriched-logs",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/how-to-view-traffic-logs.md",
+      "redirect_url": "/entra/global-secure-access/how-to-view-traffic-logs",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/index.yml",
+      "redirect_url": "/entra/global-secure-access/index",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/overview-what-is-global-secure-access.md",
+      "redirect_url": "/entra/global-secure-access/overview-what-is-global-secure-access",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/reference-points-of-presence.md",
+      "redirect_url": "/entra/global-secure-access/reference-points-of-presence",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/reference-remote-network-configurations.md",
+      "redirect_url": "/entra/global-secure-access/reference-remote-network-configurations",
+      "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/global-secure-access/resource-faq.yml",
+      "redirect_url": "/entra/global-secure-access/resource-faq",
+      "redirect_document_id": true
+    },
     {
       "source_path_from_root": "/articles/active-directory/governance/tutorial-prepare-azure-ad-user-accounts.md",
       "redirect_url": "/azure/active-directory/governance/tutorial-prepare-user-accounts",

articles/aks/limit-egress-traffic.md

@@ -147,6 +147,12 @@ You need to configure Azure Firewall inbound and outbound rules. The main purpos
 
 Azure automatically routes traffic between Azure subnets, virtual networks, and on-premises networks. If you want to change any of Azure's default routing, you can create a route table.
 
+> [!IMPORTANT]
+> Outbound type of UDR requires a route for 0.0.0.0/0 and a next hop destination of NVA in the route table.
+> The route table already has a default 0.0.0.0/0 to the Internet. Without a public IP address for Azure to use for Source Network Address Translation (SNAT), simply adding this route won't provide you outbound Internet connectivity. AKS validates that you don't create a 0.0.0.0/0 route pointing to the Internet but instead to a gateway, NVA, etc.
+> When using an outbound type of UDR, a load balancer public IP address for **inbound requests** isn't created unless you configure a service of type *loadbalancer*. AKS never creates a public IP address for **outbound requests** if you set an outbound type of UDR.
+> For more information, see [Outbound rules for Azure Load Balancer](../load-balancer/outbound-rules.md#scenario6out).
+
 1. Create an empty route table to be associated with a given subnet using the [`az network route-table create`][az-network-route-table-create] command. The route table will define the next hop as the Azure Firewall created above. Each subnet can have zero or one route table associated to it.
 
     ```azurecli

articles/application-gateway/for-containers/media/how-to-path-header-query-string-routing-gateway-api/routing.png

@@ -20,15 +20,15 @@ ms.subservice: calling
 Call Recording enables you to record multiple calling scenarios available in Azure Communication Services by providing you with a set of APIs to start, stop, pause and resume recording. Whether it's a PSTN, WebRTC, or SIP call, these APIs can be accessed from your server-side business logic. Also, recordings can be triggered by a user action that tells the server application to start recording. 
 
 Depending on your business needs, you can use Call Recording for different Azure Communication Services calling implementations.
-For example, you can record 1:1 or 1:N scenarios for audio and video calls enabled by [Calling Client SDK](./calling-sdk-features.md). 
+For example, you can record 1:1 or 1:N audio and video calls:
 
 ![Diagram showing a call that it's being recorded.](../media/call-recording-client.png)
 
 But also, you can use Call Recording to record complex PSTN or VoIP inbound and outbound calling workflows managed by [Call Automation](../call-automation/call-automation.md).
 Regardless of how you established the call, Call Recording allows you to produce mixed or unmixed media files that are stored for 48 hours on a built-in temporary storage. You can retrieve the files and take them to the long-term storage solution of your choice. Call Recording supports all Azure Communication Services data regions.
 
 
-![Diagram showing call recording architecture using calling client sdk.](../media/call-recording-with-call-automation.png)
+![Diagram showing call recording architecture.](../media/call-recording-with-call-automation.png)
 
 ## Call Recording that supports your business needs
 Call Recording supports multiple media outputs and content types to address your business needs and use cases. You might use mixed formats for scenarios such as keeping records, meeting notes, coaching and training, or even compliance and adherence. Or, you can use unmixed audio format to address quality assurance use cases or even more complex scenarios like advanced analytics or AI-based (Artificial Intelligence) sophisticated post-call processes.

articles/communication-services/concepts/voice-video-calling/call-recording.md

@@ -146,6 +146,8 @@
         href: harden-the-linux-image-to-remove-sudo-users.md
       - name: Harden a Linux image to remove Azure guest agent
         href: harden-a-linux-image-to-remove-azure-guest-agent.md
+      - name: Deploy a virtual machine scale set using hardened image
+        href: vmss-deployment-from-hardened-linux-image.md
     - name: Secure Key Release (SKR) with Azure Key Vault
       items:
       - name: SKR with Azure Confidential Computing Concept

articles/confidential-computing/TOC.yml

@@ -98,6 +98,8 @@ landingContent:
             url: harden-the-linux-image-to-remove-sudo-users.md
           - text: Harden a Linux image to remove azure guest agent
             url: harden-a-linux-image-to-remove-azure-guest-agent.md
+          - text: Deploy a virtual machine scale set using hardened image
+            url: vmss-deployment-from-hardened-linux-image.md
       - linkListType: reference
         links:
           - text: AMD confidential VMs FAQ 

articles/confidential-computing/index.yml

@@ -0,0 +1,105 @@
+---
+title: Deploy a virtual machine scale set using a hardened Linux image
+description: Learn how to use vmss to deploy a scale set using the hardened linux image.
+author: samyaktelsang-msft
+ms.service: virtual-machines
+mms.subservice: confidential-computing
+ms.topic: how-to
+ms.workload: infrastructure
+ms.date: 9/12/2023
+ms.author: satelsan
+ms.custom: devx-track-azurecli
+---
+
+# Deploy a virtual machine scale set using a hardened Linux image
+
+**Applies to:** :heavy_check_mark: Hardened Linux Images
+
+Virtual machine scale set deployments using images from Azure marketplace can be done following the steps described for standard [VMSS deployments](/azure/virtual-machine-scale-sets/flexible-virtual-machine-scale-sets-cli). 
+
+However, if you have chosen to create a hardened linux image by removing the Azure guest agents, it's crucial to comprehend what functionalities the VM loses before you decide to remove the Azure Linux Agent, and how it affects vmss deployment.
+
+This "how to" document describes the steps to deploy a virtual machine scale set instance while comprehending the functional limitations of the hardened image on deploying the vmss instance.
+## Prerequisites
+
+- Azure subscription - If you don't have an Azure subscription, [create a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+- If your free trial accounts don't have access to the VMs used in this tutorial, one option is to use a [pay as you go subscription](https://azure.microsoft.com/pricing/purchase-options/pay-as-you-go/).
+- A hardened linux image - you can create one from this [article](harden-a-linux-image-to-remove-azure-guest-agent.md).
+  
+### VMSS confidential VM deployment from a hardened Linux image
+
+Steps to deploy a scale set using VMSS and a hardened image are as follows:
+
+1. Follow the steps to harden a Linux image.
+
+    [Harden a Linux image to remove Azure guest agent](harden-a-linux-image-to-remove-azure-guest-agent.md).
+   
+    [Harden a Linux image to remove sudo users](harden-the-linux-image-to-remove-sudo-users.md).
+
+2. Log in to the Azure CLI.
+
+    Make sure that you've installed the latest [Azure CLI](/cli/azure/install-azure-cli) and are logged in to an Azure account with [az login](/cli/azure/reference-index).
+
+3. Launch Azure Cloud Shell.
+
+    The [Azure Cloud Shell](https://shell.azure.com/cli) is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.
+
+    To open the Cloud Shell, just select Try it from the upper right corner of a code block. You can also open Cloud Shell in a separate browser tab by going to https://shell.azure.com/bash. Select Copy to copy the blocks of code, paste it into the Cloud Shell, and select Enter to run it.
+
+    If you prefer to install and use the CLI locally, this quickstart requires Azure CLI version 2.0.30 or later. Run az--version to find the version. If you need to install or upgrade, see Install Azure CLI.
+    
+4.  Create a resource group.
+
+    Create a resource group with the [az group create](/cli/azure/group) command. An Azure resource group is a logical container into which Azure resources are deployed and managed. The following example creates a resource group named myResourceGroup in the eastus location:
+    
+   
+    ```Azure CLI
+    az group create --name myResourceGroup --location eastus
+    ```
+
+    > [!NOTE]
+    > Confidential VMs are not available in all locations. For currently supported locations, see which [VM products are available by Azure region](https://azure.microsoft.com/global-infrastructure/services/?products=virtual-machines).
+
+5. Create a Virtual Machine Scale Set.
+
+    Now create a Virtual Machine Scale Set with az vmss create az cli. The following example creates a scale set called myScaleSet with an instance count of 2.
+   
+    If you are looking to set an admin username, ensure that it isn't part of the [reserved words](/rest/api/compute/virtualmachines/createorupdate#osprofile) list for vmss.
+    In this case, the username is auto set to azureuser.
+    For the admin credentials, you will be able to use the credentials that you set from the hardened image while you create the vm.
+
+    > [!NOTE]
+    > For specalized images, [osprofile properties](/azure/virtual-machines/shared-image-galleries) are handled differently than generalized images.
+    > Using a [load balancer](/azure/load-balancer/load-balancer-overview) is optional but is encouraged for these reasons.
+    
+    ```azurecli-interactive
+    az vmss create \
+      --resource-group myResourceGroup \
+      --name myScaleSet \
+      --vm-sku "Standard_DC4as_v5" \
+      --security-type ConfidentialVM \
+      --os-disk-security-encryption-type DiskwithVMGuestState \
+      --os-disk-secure-vm-disk-encryption-set "/subscriptions/.../disk-encryption-sets/<des-name>" \
+      --image "/subscriptions/.../images/<imageName>/versions/<version>" \
+      --enable-vtpm true \
+      --enable-secure-boot true \
+      --vnet-name <virtual-network-name> \
+      --subnet <subnet-name> \
+      --lb "/subscriptions/.../loadBalancers/<lb-name>" \
+      --specialized true \
+      --instance-count 2 \
+      --admin-username "azureuser" \
+      --admin-password ""
+    ```
+
+6. Access the virtual machine scale set from the portal.
+
+    You can access your cvm scale set and use the admin username and password set previously to log in. Please note that if you choose to update the admin credentials, do so directly in the scale set model using the cli.
+
+    > [!NOTE]
+    > If you are looking to deploy cvm scaled scale using the custom hardened image, please note that some features related to auto scaling will be restricted. Will manual scaling rules continue to work as expected, the autoscaling ability will be limited due to the agentless custom image. More details on the restrictions can be found here for the [provisioning agent](/azure/virtual-machines/linux/disable-provisioning). Alternatively, you can navigate to the metrics tab on the azure portal and confirm the same.
+    > However, you can continue to set up custom rules based on load balancer metrics such as SYN count, SNAT connection count, etc. 
+
+## Next Steps
+
+In this article, you learned how to deploy a virtual machine scale set instance with a hardened linux image. For more information about CVM, see [DCasv5 and ECasv5 series confidential VMs](confidential-vm-overview.md).