Merge branch 'main' into release-preview-sentinel-lake

Author: v-alje

.openpublishing.redirection.json

@@ -6879,6 +6879,11 @@
       "redirect_url": "/azure/sre-agent/troubleshoot-azure-container-apps",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/sre-agent/permissions.md",
+      "redirect_url": "/azure/sre-agent/security-context",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/reliability/whats-new.md",
       "redirect_url": "/azure/reliability/overview",

articles/active-directory-b2c/service-limits.md

@@ -8,7 +8,7 @@ manager: CelesteDG
 ms.service: azure-active-directory
 
 ms.topic: reference
-ms.date: 05/11/2024
+ms.date: 07/15/2025
 ms.subservice: b2c
 zone_pivot_groups: b2c-policy-type
 
@@ -197,6 +197,7 @@ As a protection for our customers, Microsoft places some restrictions on telepho
 | 228 |  Togo  | 10  |  30  |
 | 233 |	Ghana|	10	| 30 |
 | 234 | Nigeria | 20 | 100 |
+| 235 | Chad | 10 | 30 |
 | 236 |	Central African Republic  |	10	| 30 |
 | 238 | Cape Verde | 10 | 30 |
 | 249 |  Sudan | 10  |  30  |
@@ -212,6 +213,7 @@ As a protection for our customers, Microsoft places some restrictions on telepho
 | 265 |	Malawi  |	10	| 30 |
 | 373 |	Moldova |	20	| 100 |
 | 375 |	Belarus   |	10	| 30 |
+| 381 | Serbia | 50 | 200 |
 | 386 | Slovenia | 10 | 50 |
 | 501 |  Belize| 10  |  30  |
 | 502 | Guatemala | 10 | 50 
@@ -236,10 +238,13 @@ As a protection for our customers, Microsoft places some restrictions on telepho
 | 95 |	Myanmar (Burma) | 10	| 30 |
 | 961 |	Lebanon  |	10	| 30 |
 | 963 |	Syria  |	10	| 30 |
+| 964 | Iraq | 50 | 200 |
 | 967 |	Yemen	|10	| 30 |
 | 970 |  State of Palestine| 10  |  30  |
 | 972 |	Israel  |	50	| 200 |
+| 975 | Bhutan | 20 | 100 |
 | 976 |	Mongolia  |	10	| 30 |
+| 977 | Nepal | 20 | 100 |
 | 992 | Tajikistan | 10 | 30 |
 | 993 | Turkmenistan | 10 | 30 |
 | 994 | Azerbaijan | 50 | 200 | 

articles/api-management/api-management-capacity.md

@@ -56,6 +56,8 @@ Available aggregations for these metrics are as follows.
 
 In the Developer, Basic, Standard, and Premium tiers, the **Capacity** metric is available for making decisions about scaling or upgrading an API Management instance. Its construction is complex and imposes certain behavior.
 
+[!INCLUDE [capacity-change.md](../../includes/api-management-capacity-change.md)]
+
 Available aggregations for this metric are as follows.
 
 * **Avg** - Average percentage of capacity used across gateway processes in every [unit](upgrade-and-scale.md) of an API Management instance. 
@@ -171,6 +173,7 @@ Use capacity metrics for making decisions whether to scale an API Management ins
 + Ignore sudden spikes that are most likely not related to an increase in load (see [Capacity metric behavior](#capacity-metric-behavior) section for explanation).
 + As a general rule, upgrade or scale your instance when a capacity metric value exceeds **60% - 70%** for a long period of time (for example, 30 minutes). Different values may work better for your service or scenario.
 + If your instance or workspace gateway is configured with only 1 unit, upgrade or scale it when a capacity metric value exceeds **40%** for a long period. This recommendation is based on the need to reserve capacity for guest OS updates in the underlying service platform.
++ Use [available diagnostics](monitor-api-management.md) to monitor the response times of API calls. Consider adjusting scaling thresholds if you notice degraded response times with increasing value of capacity metric. 
 
 > [!TIP]  
 > If you are able to estimate your traffic beforehand, test your API Management instance or workspace gateway on workloads you expect. You can increase the request load gradually and monitor the value of the capacity metric that corresponds to your peak load. Follow the steps from the previous section to use Azure portal to understand how much capacity is used at any given time.

articles/app-service/configure-ssl-certificate.md

@@ -55,7 +55,7 @@ You can add up to 1,000 private certificates per webspace.
 
 ## Create a free managed certificate
 
-The free App Service managed certificate is a turn-key solution for helping to secure your custom DNS name in App Service. Without any action from you, this TLS/SSL server certificate is fully managed by App Service and is automatically renewed continuously in six-month increments, 45 days before expiration, as long as the prerequisites that you set up stay the same. All the associated bindings are updated with the renewed certificate. You create and bind the certificate to a custom domain, and let App Service do the rest.
+The free App Service managed certificate is a turn-key solution for helping to secure your custom DNS name in App Service. Without any action from you, this TLS/SSL server certificate is fully managed by App Service and is automatically renewed, as long as the prerequisites that you set up stay the same. All the associated bindings are updated with the renewed certificate. You create and bind the certificate to a custom domain, and let App Service do the rest.
 
 Before you create a free managed certificate, make sure that you [meet the prerequisites](#prerequisites) for your app.
 

articles/application-gateway/configuration-http-settings.md

@@ -32,7 +32,7 @@ Azure Application Gateway uses gateway-managed cookies for maintaining user sess
 This feature is useful when you want to keep a user session on the same server and when session state is saved locally on the server for a user session. If the application can't handle cookie-based affinity, you can't use this feature. To use it, make sure that the clients support cookies.
 
 > [!NOTE]
-> Some vulnerability scans may flag the Application Gateway affinity cookie because the Secure or HttpOnly flags are not set. These scans don't take into account that the data in the cookie is generated using a one-way hash. The cookie doesn't contain any user information and is used purely for routing. 
+> Some vulnerability scans may flag the Application Gateway affinity cookie because the Secure or HttpOnly flags aren't set. These scans don't take into account that the data in the cookie is generated using a one-way hash. The cookie doesn't contain any user information and is used purely for routing. 
 
 
 The [Chromium browser](https://www.chromium.org/Home) [v80 update](https://chromiumdash.appspot.com/schedule) brought a mandate where HTTP cookies without [SameSite](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-03#rfc.section.5.3.7) attribute have to be treated as SameSite=Lax. For CORS (Cross-Origin Resource Sharing) requests, if the cookie has to be sent in a third-party context, it has to use *SameSite=None; Secure* attributes and it should be sent over HTTPS only. Otherwise, in an HTTP only scenario, the browser doesn't send the cookies in the third-party context. The goal of this update from Chrome is to enhance security and to avoid Cross-Site Request Forgery (CSRF) attacks. 
@@ -78,7 +78,7 @@ By default, the Application Gateway resource includes popular CA certificates, a
 
 ### Request timeout
 
-This setting is the number of seconds that the application gateway waits to receive a response from the backend server. The default value is 20 seconds. However, you may wish to adjust this setting to the needs of your application.
+This setting is the number of seconds that the application gateway waits to receive a response from the backend server. The default value is 20 seconds. However, you may wish to adjust this setting to the needs of your application. Acceptable values are from 1 second to 86400 seconds (24 hours).
 
 ### Override backend path
 
@@ -152,7 +152,7 @@ This setting specifies the port where the backend servers listen to traffic from
 
 ### Timeout
 
-This setting is the number of seconds that the application gateway waits before closing the frontend and backend connections in case there is no transmission of any data.
+This setting is the number of seconds that the application gateway waits before closing the frontend and backend connections in case there's no transmission of any data. Acceptable values are from 1 second to 86400 seconds (24 hours).
 
 ### Trusted root certificate 
 

articles/azure-netapp-files/snapshots-introduction.md

@@ -5,7 +5,7 @@ services: azure-netapp-files
 author: b-hchen
 ms.service: azure-netapp-files
 ms.topic: concept-article
-ms.date: 01/28/2025
+ms.date: 07/17/2025
 ms.author: anfdocs
 # Customer intent: As a data administrator, I want to create and manage snapshots in Azure NetApp Files, so that I can ensure efficient data protection, quick recovery options, and scalable storage management for my organization's critical data.
 ---
@@ -104,7 +104,7 @@ The following diagram shows how snapshot data is transferred from the Azure NetA
 
 The Azure NetApp Files backup functionality is designed to keep a longer history of backups as indicated in this simplified example. Notice how the backup repository on the right contains more and older snapshots than the protected volume and snapshots on the left. 
 
-Most use cases require that you keep online snapshots on the Azure NetApp Files volume for a relatively short amount of time (usually several months) to serve the most common recoveries of lost data due to application or user error. The Azure NetApp Files backup functionality is used to extend the data-protection period to a year or longer by sending the snapshots over to cost-efficient Azure storage. As indicated by the blue color in the diagram, the very first transfer is the baseline, which copies all consumed data blocks in the source Azure NetApp Files volume and snapshots. Consecutive backups use the snapshot mechanism to update the backup repository with only block-incremental updates.
+Most use cases require that you keep online snapshots on the Azure NetApp Files volume for a relatively short amount of time (usually several days, maybe weeks) to serve the most common recoveries of lost data due to application or user error. The Azure NetApp Files backup functionality is used to extend the data-protection period to a year or longer by sending the snapshots over to cost-efficient Azure storage. As indicated by the blue color in the diagram, the very first transfer is the baseline, which copies all consumed data blocks in the source Azure NetApp Files volume and snapshots. Consecutive backups use the snapshot mechanism to update the backup repository with only block-incremental updates.
 
 ## Ways to restore data from snapshots  
 

articles/azure-vmware/native-connect-on-premises.md

@@ -31,7 +31,7 @@ Connectivity to on-premises is performed using a standard ExpressRoute connectio
 ## Related topics
 
 - [Connectivity to an Azure Virtual Network](native-network-connectivity.md)
-(native-internet-connectivity-design-considerations.md)
+- [Internet connectivity options](native-internet-connectivity-design-considerations.md)
 - [Connect multiple Gen 2 private clouds](native-connect-multiple-private-clouds.md)
 - [Connect Gen 2 private clouds and Gen 1 private clouds](native-connect-private-cloud-previous-edition.md)
 - [Public and Private DNS forward lookup zone configuration](native-dns-forward-lookup-zone.md)

articles/azure-vmware/native-internet-connectivity-design-considerations.md

@@ -30,7 +30,7 @@ Internet connectivity using Azure Firewall is similar to the way Azure virtual n
 
 1. Have or create Azure Firewall or a third-party Network Virtual Appliance in the virtual network local to the private cloud or in the peered virtual network.
 2. Define an Azure route table with a 0.0.0.0/0 route pointing to the next-hop type Virtual Appliance with the next-hop IP address of the Azure Firewall private IP or IP of the Network Virtual Appliance.
-3. Associate the route table to the Azure VMware Solution specific virtual network subnets named “esx-lrnsxuplink” and “esx-lrnsxuplink-1”, which are part of the virtual network associated with private cloud.
+3. Associate the route table to the Azure VMware Solution specific virtual network subnets named “avs-nsx-gw-1” and “avs-nsx-gw-2”, which are part of the virtual network associated with private cloud.
     >[!Note] 
     >The Azure route tables (UDR), associated with private cloud uplink subnets, and private cloud VNet need to be in the same Azure resource group.
 4. Have necessary firewall rules to allow traffic to and from the internet.

articles/azure-vmware/native-network-design-consideration.md

@@ -29,7 +29,7 @@ The following functionality is limited during this time. These limitations will
 - Virtual Network Service Endpoints direct connectivity from Azure VMware Solution workloads is not supported.
 - **vCloud Director** using Private Endpoints is supported. However, vCloud Director using Public Endpoints is not supported.
 - **vSAN Stretched Clusters** is not supported.
-- Public IP down to the VMware NSX Microsoft Edge for configuring internet will not be supported.
+- Public IP down to the VMware NSX Microsoft Edge for configuring internet will not be supported. You can find what internet options are supported in [Internet connectivity options](native-internet-connectivity-design-considerations.md)
 - Support for **AzCLI**, **PowerShell**, and **.NET SDK** are not available during Public Preview.
 - **Run commands** interacting with customer segments aren't supported, including Zerto, JetStream, and other 3rd-party integrations.
 
@@ -64,11 +64,11 @@ Example /22 CIDR network address block **10.31.0.0/22** is divided into the foll
 | :-- | :-- | :-- | :-- |
 | VMware NSX Network | /27 | NSX Manager network. | 10.31.0.0/27 |
 | vCSA Network | /27 | vCenter Server network. | 10.31.0.32/27  |
-| esx-cust-fdc | /27 | The management appliances (vCenter Server and NSX manager) are behind the "esx-cust-fdc” subnet, programmed as secondary IP ranges on this subnet. | 10.31.0.64/27  |
-| cust-fds | /27 | Used by Azure VMware Solution Gen 2 to program routes created in VMware NSX into the virtual network. | 10.31.0.96/27 |
-| services | /27 | Used for Azure VMware Solution Gen 2 provider services. Also used to configure private DNS resolution for your private cloud. | 10.31.0.160/27  |
-| esx-lrnsxuplink, esx-lrnsxuplink-1 | /28 | Subnets off each of the T0 Gateways per edge. These subnets are used to program VMware NSX network segments as secondary IPs addresses. | 10.31.0.224/28, 10.31.0.240/28 |  
-| esx-cust-vmk1 | /24 | vmk1 is the management interface used by customers to access the host. IPs from the vmk1 interface come from these subnets. All of the vmk1 traffic for all hosts comes from this subnet range. | 10.31.1.0/24  |
+| avs-mgmt| /27 | The management appliances (vCenter Server and NSX manager) are behind the "avs-mgmt” subnet, programmed as secondary IP ranges on this subnet. | 10.31.0.64/27  |
+| avs-vnet-sync| /27 | Used by Azure VMware Solution Gen 2 to program routes created in VMware NSX into the virtual network. | 10.31.0.96/27 |
+| avs-services | /27 | Used for Azure VMware Solution Gen 2 provider services. Also used to configure private DNS resolution for your private cloud. | 10.31.0.160/27  |
+|avs-nsx-gw-1, avs-nsx-gw-2| /28 | Subnets off each of the T0 Gateways per edge. These subnets are used to program VMware NSX network segments as secondary IPs addresses. | 10.31.0.224/28, 10.31.0.240/28 |
+| esx-mgmt-vmk1 | /24 | vmk1 is the management interface used by customers to access the host. IPs from the vmk1 interface come from these subnets. All of the vmk1 traffic for all hosts comes from this subnet range. | 10.31.1.0/24  |
 | esx-vmotion-vmk2 | /24 | vMotion VMkernel interfaces. | 10.31.2.0/24  |
 | esx-vsan-vmk3  | /24 | vSAN VMkernel interfaces and node communication. | 10.31.3.0/24 |
 | Reserved | /27 | Reserved Space. | 10.31.0.128/27 |

articles/backup/azure-elastic-san-backup-configure.md

@@ -2,9 +2,9 @@
 title: Configure Azure Elastic SAN backup using Azure portal (preview)
 description: Learn how to configure Azure Elastic SAN backup (preview) using Azure portal.
 ms.topic: how-to
-ms.date: 06/20/2025
-author: jyothisuri
-ms.author: jsuri
+ms.date: 07/15/2025
+author: AbhishekMallick-MS
+ms.author: v-mallicka
 # Customer intent: "As an IT administrator, I want to configure backup for Azure Elastic SAN using the Azure portal, so that I can ensure data protection and recovery for my storage resources."
 ---
 
@@ -39,7 +39,7 @@ To create a backup policy for Elastic SAN from Azure Business Continuity Center,
 1. On the **Schedule + retention** tab, under the **Backup schedule** section, set the schedule for creating recovery points for backups.
 
    >[!Note]
-   >Azure Backup currently supports **Daily** backup frequency only, which is selected by default.
+   >Azure Backup currently supports **Daily** and **Weekly**backup frequency. **Daily** backup is selected by default.
 
    :::image type="content" source="./media/azure-elastic-storage-area-network-backup-configure/set-backup-schedule.png" alt-text="Screenshot shows how to configure the backup schedule." lightbox="./media/azure-elastic-storage-area-network-backup-configure/set-backup-schedule.png":::