Merge pull request #292542 from MicrosoftDocs/main

Merge main to live, 4 AM

Author: v-ccolin

articles/app-service/overview-app-gateway-integration.md

@@ -6,7 +6,7 @@ author: madsd
 ms.assetid: 073eb49c-efa1-4760-9f0c-1fecd5c251cc
 ms.service: azure-app-service
 ms.topic: article
-ms.date: 09/29/2023
+ms.date: 01/02/2025
 ms.author: madsd
 ms.custom: devx-track-azurecli, devx-track-arm-template
 ms.devlang: azurecli
@@ -37,19 +37,19 @@ With the Azure portal, you follow four steps to create and configure the setup o
 3. Configure [App Service as a back end in Application Gateway](../application-gateway/configure-web-app.md), but skip the section about restricting access.
 4. Create the [access restriction by using service endpoints](../app-service/app-service-ip-restrictions.md#set-a-service-endpoint-based-rule).
 
-You can now access App Service through Application Gateway. If you try to access App Service directly, you should receive a 403 HTTP error that says the web app has blocked your access.
+You can now access App Service through Application Gateway. If you try to access App Service directly, you should receive a 403 HTTP error that says the web app is blocking your access.
 
 :::image type="content" source="./media/overview-app-gateway-integration/website-403-forbidden.png" alt-text="Screenshot shows the text of Error 403 - Forbidden.":::
 
 ## Set up services by using an Azure Resource Manager template
 
-The [Azure Resource Manager deployment template][template-app-gateway-app-service-complete] creates a complete scenario. The scenario consists of an App Service instance that's locked down with service endpoints and an access restriction to receive traffic only from Application Gateway. The template includes many smart defaults and unique postfixes added to the resource names to keep it simple. To override them, you have to clone the repo or download the template and edit it.
+The [Azure Resource Manager deployment template][template-app-gateway-app-service-complete] creates a complete scenario. The scenario consists of an App Service instance locked down with service endpoints and an access restriction to receive traffic only from Application Gateway. The template includes many smart defaults and unique postfixes added to the resource names to keep it simple. To override them, you have to clone the repo or download the template and edit it.
 
 To apply the template, you can use the **Deploy to Azure** button in the description of the template. Or you can use appropriate PowerShell or Azure CLI code.
 
 ## Set up services by using the Azure CLI
 
-The [Azure CLI sample](../app-service/scripts/cli-integrate-app-service-with-application-gateway.md) creates an App Service instance that's locked down with service endpoints and an access restriction to receive traffic only from Application Gateway. If you only need to isolate traffic to an existing App Service instance from an existing application gateway, use the following command:
+The [Azure CLI sample](../app-service/scripts/cli-integrate-app-service-with-application-gateway.md) creates an App Service instance locked down with service endpoints and an access restriction to receive traffic only from Application Gateway. If you only need to isolate traffic to an existing App Service instance from an existing application gateway, use the following command:
 
 ```azurecli-interactive
 az webapp config access-restriction add --resource-group myRG --name myWebApp --rule-name AppGwSubnet --priority 200 --subnet mySubNetName --vnet-name myVnetName
@@ -82,7 +82,7 @@ To isolate traffic to an individual web app, you need to use IP-based access res
 
 ## Considerations for an external App Service Environment
 
-An external App Service Environment has a public-facing load balancer like multitenant App Service. Service endpoints don't work for an App Service Environment. That's why you have to use IP-based access restrictions by using the public IP address of the application gateway. To create an external App Service Environment by using the Azure portal, you can follow [this quickstart](./environment/create-external-ase.md).
+An external App Service Environment has a public-facing load balancer like multitenant App Service. Service endpoints don't work for an App Service Environment. With App Service Environment you have to use IP-based access restrictions by using the public IP address of the application gateway. To create an external App Service Environment by using the Azure portal, you can follow [this quickstart](./environment/create-external-ase.md).
 
 [template-app-gateway-app-service-complete]: https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/web-app-with-app-gateway-v2/ "Azure Resource Manager template for a complete scenario"
 
@@ -127,9 +127,15 @@ To work around the default redirect, you can configure authentication to inspect
 }
 ```
 
-### ARR affinity
+### Session affinity
 
-In multiple-instance deployments, [ARR affinity](./configure-common.md?tabs=portal#configure-general-settings) ensures that client requests are routed to the same instance for the life of the session. ARR affinity doesn't work with host name overrides. For session affinity to work, you have to configure an identical custom domain and certificate in App Service and in Application Gateway and not override the host name.
+In multiple-instance deployments, [session affinity](./configure-common.md?tabs=portal#configure-general-settings) ensures that client requests are routed to the same instance for the life of the session. Session affinity can be configured to adapt the cookie domain to the incoming header from reverse proxy. By configuring [session affinity proxy](./configure-common.md?tabs=portal#configure-general-settings) to true, session affinity looks for `X-Original-Host` or `X-Forwarded-Host` and adapt the cookie domain to the domain found in this header. As a recommended practice when enabling session affinity proxy, you should configure your access restrictions on the site to ensure that traffic is coming from your reverse proxy.
+
+You can also configure `sessionAffinityProxyEnabled` by using the following command:
+
+```azurecli-interactive
+az resource update --resource-group myRG --name myWebApp --resource-type "Microsoft.Web/sites" --set properties.sessionAffinityProxyEnabled=true
+```
 
 ## Next steps
 

articles/automation/TOC.yml

@@ -268,7 +268,7 @@
           href: change-tracking/manage-change-tracking-monitoring-agent.md
         - name: Configure alerts
           href: change-tracking/configure-alerts.md
-    - name: Migration from Change Tracking and Inventory using AMA to Change Tracking using LA
+    - name: Migration from Change Tracking and Inventory using LA to Change Tracking using AMA
       items:
         - name: Migration from Log Analytics to Azure Monitoring Agent version
           href: change-tracking/guidance-migration-log-analytics-monitoring-agent.md

articles/automation/automation-dsc-getting-started.md

@@ -4,7 +4,7 @@ description: This article tells how to do the most common tasks in Azure Automat
 services: automation
 ms.subservice: desired-state-config
 ms.custom: devx-track-arm-template
-ms.date: 10/22/2024
+ms.date: 01/01/2025
 ms.topic: how-to
 ms.service: azure-automation
 ---
@@ -281,8 +281,7 @@ You can see the following status information for the corresponding consistency c
 You can also select **View raw report** to see the actual data that the node sends to the server. For
 more information about using that data, see [Using a DSC report server][18].
 
-It can take some time after a node is enabled before the first report is available. You might need
-to wait up to 30 minutes for the first report after you enable a node.
+It can take some time before the first report is available, after a node is enabled or restarted. You might need to wait up to 30 minutes after you enable a node or restart a node.
 
 ## Reassign a node to a different node configuration
 

articles/automation/whats-new.md

@@ -4,7 +4,7 @@ description: Significant updates to Azure Automation updated each month.
 services: automation
 ms.subservice:
 ms.topic: overview
-ms.date: 07/19/2024
+ms.date: 02/01/2025
 ms.custom: references_regions
 ---
 
@@ -21,6 +21,21 @@ Azure Automation receives improvements on an ongoing basis. To stay up to date w
 
 This page is updated monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in [Archive for What's new in Azure Automation](whats-new-archive.md).
 
+## December 2024
+
+###  Final retirement notice: AzureRM modules starting February 01, 2025
+
+Azure Automation will **discontinue** execution of all runbooks that use AzureRM modules. AzureRM PowerShell module has retired on **February 29, 2024**. Refer [migration resources](https://aka.ms/azpsmigrate) for guidance on transitioning from AzureRM to Az PowerShell module.
+
+### Final retirement notice: TLS 1.0/1.1 protocols for Azure Automation
+
+Starting **March 01, 2025** all agent-based and extension-based User Hybrid Runbook Workers, Webhooks and DSC nodes using Transport Layer Security (TLS) 1.0 and 1.1 protocols would no longer be able to connect to Azure Automation. All jobs running or scheduled on Hybrid Workers using TLS 1.0 and 1.1 protocols will fail. [Learn more](automation-managing-data.md#tls-for-azure-automation).
+
+### Final retirement notice: Agent-based User Hybrid Runbook Worker
+
+Starting **April 01, 2025** all jobs running on Agent-based User Hybrid Runbook Worker (Windows and Linux) will be stopped. [Learn more](migrate-existing-agent-based-hybrid-worker-to-extension-based-workers.md).
+
+
 ## July 2024
 
 ### General Availability: Azure Automation supports PowerShell 7.2 runbooks in Government clouds

articles/backup/azure-kubernetes-service-cluster-backup-support-matrix.md

@@ -18,17 +18,17 @@ You can use [Azure Backup](./backup-overview.md) to help protect Azure Kubernete
 
 ## Supported regions
 
-- Operational Tier support for AKS backup is supported in all the following Azure public cloud regions: East US, North Europe, West Europe, South East Asia, West US 2, East US 2, West US, North Central US, Central US, France Central, Korea Central, Australia East, UK South, East Asia, West Central US, Japan East, South Central US, West US 3, Canada Central, Canada East, Australia South East, Central India, Norway East, Germany West Central, Switzerland North, Sweden Central, Japan West, UK West, Korea South, South Africa North, South India, France South, Brazil South, UAE North, China East 2, China East 3, China North 2, China North 3, USGov Virginia, USGov Arizona and USGov Texas.
+- Operational Tier support for AKS backup is supported in all the following Azure public cloud regions: East US, North Europe, West Europe, South East Asia, West US 2, East US 2, West US, North Central US, Central US, France Central, Korea Central, Australia East, UK South, East Asia, West Central US, Japan East, South Central US, West US 3, Canada Central, Canada East, Australia South East, Central India, Norway East, Germany West Central, Switzerland North, Sweden Central, Japan West, UK West, Korea South, South Africa North, South India, France South, Brazil South, UAE North, China East 2, China East 3, China North 2, China North 3, USGov Virginia, USGov Arizona, and USGov Texas.
 
-- Vault Tier and Cross Region Restore support for AKS backup are available in the following regions: East US, West US, West US 3, North Europe, West Europe, North Central US, South Central US, West Central US, East US 2, Central US, UK South, UK West, East Asia, South-East Asia, Japan East South India, Central India, Canada Central and Norway East.
+- Vault Tier and Cross Region Restore support for AKS backup are available in the following regions: East US, West US, West US 3, North Europe, West Europe, North Central US, South Central US, West Central US, East US 2, Central US, UK South, UK West, East Asia, South-East Asia, Japan East South India, Central India, Canada Central, and Norway East.
 
 
   >[!Note]
   >Enable Cross Region Restore capability for your Backup Vault to have your backups available in an Azure paired region. See the [list of Azure Paired Region](../reliability/cross-region-replication-azure.md#azure-paired-regions).
 
 ## Limitations
 
-- AKS backup supports AKS clusters with Kubernetes version *1.22* or later. This version has Container Storage Interface (CSI) drivers installed.
+- Azure Backup won't address failures occurring during backup or restore operations for Kubernetes clusters running unsupported Kubernetes versions. While backup operations continue to run, please upgrade your clusters to a supported version, validate the backup operations, and reach out if the issue persists. [Here's the list of the supported Kubernetes versions](/azure/aks/supported-kubernetes-versions.md)
 
 - Before you install the backup extension in an AKS cluster, ensure that the CSI drivers and snapshot are enabled for your cluster. If they're disabled, [enable these settings](/azure/aks/csi-storage-drivers#enable-csi-storage-drivers-on-an-existing-cluster).
 
@@ -52,6 +52,8 @@ You can use [Azure Backup](./backup-overview.md) to help protect Azure Kubernete
 
 - You must install the backup extension in the AKS cluster. If you're using Azure CLI to install the backup extension, ensure that the version is 2.41 or later. Use `az upgrade` command to upgrade the Azure CLI.
 
+- In case you're using Terraform to enable Azure Backup for AKS, ensure that the Terraform version being used in 3.99 or above.
+
 - The blob container provided as input during installation of the backup extension should be in the same region and subscription as that of the AKS cluster. Only blob containers in a General-purpose V2 Storage Account are supported and Premium Storage Account aren't supported.   
 
 - The Backup vault and the AKS cluster should be in the same region and subscription.
@@ -81,22 +83,25 @@ You can use [Azure Backup](./backup-overview.md) to help protect Azure Kubernete
 - Configuration of a storage account with private endpoint is supported.
 - To enable Azure Backup for AKS via Terraform, its version should be >= 3.99.
 
-### Additional limitations for Vaulted backup and Cross Region Restore
+### Other limitations for Vaulted backup and Cross Region Restore
+
+- Currently, Azure Disks with Persistent Volumes of size <= 1 TB are eligible to be moved to the Vault Tier; disks with the higher size are skipped in the backup data moved to the Vault Tier. 
+
+- Currently, backup instances with <= 100 disks attached as persistent volume are supported. Backup and restore operations might fail if number of disks are higher than the limit. 
 
-- Only Azure Disk with Persistent Volumes of size <= 1 TB are eligible to be moved to the Vault Tier; disks with the higher size are skipped in the backup data moved to the Vault Tier. 
+- Only Azure Disks with public access enabled from all networks are eligible to be moved to the Vault Tier; if their are disks with network access apart from public access, tiering operation will fail. 
 
 - *Disaster Recovery* feature is only available between Azure Paired Regions (if backup is configured in a Geo Redundant Backup vault). The backup data is only available in an Azure paired region. For example, if you have an AKS cluster in East US that is backed up in a Geo Redundant Backup vault, the backup data is also available in West US for restore.
 
 - Only one scheduled recovery point is available in Vault Tier per day that is providing an RPO of 24 hours in the primary region. For secondary region, the recovery point can take up to 12 hours, thus providing an RPO of 36 hours.
 
-- During restore from Vault Tier, the hydrated resources in the staging location which includes a storage account and a resource group aren't cleaned after restore. They will have to be deleted manually.
+- During restore from Vault Tier, the hydrated resources in the staging location which includes a storage account and a resource group aren't cleaned after restore. They have to be deleted manually.
 
-- In case the target cluster is within a virtual network, enable a private endpoint between the cluster and the 
- staging storage account.
+- In case the target cluster is within a virtual network, enable a private endpoint between the cluster and the staging storage account.
 
 - If the target AKS cluster version differs from the version used during backup, the restore operation may fail or complete with warnings for various scenarios like deprecated resources in the newer cluster version. In case of restoring from Vault tier, you can use the hydrated resources in the staging location to restore application resources to the target cluster.
 
-- Currently Vault Tier based backup is not supported with Terraform deployment.
+- Currently Vault Tier based backup isn't supported with Terraform deployment.
 
 ## Next steps
 

articles/data-factory/connector-rest.md

@@ -6,7 +6,7 @@ author: jianleishen
 ms.subservice: data-movement
 ms.custom: synapse
 ms.topic: conceptual
-ms.date: 08/29/2024
+ms.date: 01/02/2025
 ms.author: makromer
 ---
 
@@ -596,6 +596,9 @@ AlterRow1 sink(allowSchemaDrift: true,
 	skipDuplicateMapInputs: true,
 	skipDuplicateMapOutputs: true) ~> sink1
 ```
+>[!NOTE]
+> Data Flow generates a total of N+1 API calls when processing N pages. This includes one initial call to infer the schema, followed by N calls corresponding to the number of pages fetched from the source.
+
 
 ## Pagination support
 

articles/sentinel/TOC.yml

@@ -115,6 +115,8 @@
     href: sentinel-solutions-deploy.md
   - name: Delete out-of-the-box content
     href: sentinel-solutions-delete.md
+  - name: Manage solution deprecation lifecycle
+    href: sentinel-solution-deprecation.md
   - name: Partner integrations best practices
     href: partner-integrations.md
   - name: Solution catalog

articles/sentinel/connect-azure-functions-template.md

@@ -45,7 +45,7 @@ Make sure that you have the following permissions and credentials before using A
 > [!NOTE]
 > - You can securely store workspace and API authorization keys or tokens in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](../app-service/app-service-key-vault-references.md) to use Azure Key Vault with an Azure Function App.
 >
-> - Some data connectors depend on a parser based on a [Kusto Function](/azure/data-explorer/kusto/query/functions/user-defined-functions) to work as expected. See the section for your service in the [Microsoft Sentinel data connectors reference](data-connectors-reference.md) page for links to instructions to create the Kusto function and alias.
+> - Some data connectors depend on a parser based on a [Kusto Function](/kusto/query/functions/user-defined-functions?view=microsoft-sentinel&preserve-view=true) to work as expected. See the section for your service in the [Microsoft Sentinel data connectors reference](data-connectors-reference.md) page for links to instructions to create the Kusto function and alias.
 
 
 ### Step 1: Get your source system's API credentials

articles/sentinel/create-analytics-rules.md

@@ -46,7 +46,7 @@ Before you do anything else, you should design and build a query in Kusto Query
 
 For some helpful tips for building Kusto queries, see [Best practices for analytics rule queries](scheduled-rules-overview.md#best-practices-for-analytics-rule-queries).
 
-For more help building Kusto queries, see [Kusto Query Language in Microsoft Sentinel](kusto-overview.md) and [Best practices for Kusto Query Language queries](/azure/data-explorer/kusto/query/best-practices?toc=%2Fazure%2Fsentinel%2FTOC.json&bc=%2Fazure%2Fsentinel%2Fbreadcrumb%2Ftoc.json).
+For more help building Kusto queries, see [Kusto Query Language in Microsoft Sentinel](kusto-overview.md) and [Best practices for Kusto Query Language queries](/kusto/query/best-practices?view=microsoft-sentinel&preserve-view=true&toc=%2Fazure%2Fsentinel%2FTOC.json&bc=%2Fazure%2Fsentinel%2Fbreadcrumb%2Ftoc.json).
 
 ## Create your analytics rule