Merge branch 'main' into release-fabric-mirroring-pupr

Author: v-alje

articles/active-directory-b2c/custom-domain.md

@@ -331,14 +331,6 @@ https://<domain-name>/11111111-1111-1111-1111-111111111111/v2.0/
 ```
 ::: zone pivot="b2c-custom-policy"
 
-## (Optional) Block access to the default domain name
-
-After you add the custom domain and configure your application, users will still be able to access the &lt;tenant-name&gt;.b2clogin.com domain. If you want to prevent access, you can configure the policy to check the authorization request "host name" against an allowed list of domains. The host name is the domain name that appears in the URL. The host name is available through `{Context:HostName}` [claim resolvers](claim-resolver-overview.md). Then you can present a custom error message. 
-
-1. Get the example of a conditional access policy that checks the host name from [GitHub](https://github.com/azure-ad-b2c/samples/tree/master/policies/check-host-name).
-1. In each file, replace the string `yourtenant` with the name of your Azure AD B2C tenant. For example, if the name of your B2C tenant is *contosob2c*, all instances of `yourtenant.onmicrosoft.com` become `contosob2c.onmicrosoft.com`.
-1. Upload the policy files in the following order: `B2C_1A_TrustFrameworkExtensions_HostName.xml` and then `B2C_1A_signup_signin_HostName.xml`.
-
 ::: zone-end
 
 

articles/ai-services/document-intelligence/includes/preview-notice.md

@@ -15,8 +15,8 @@ ms.date: 02/29/2024
 >
 > * Document Intelligence public preview releases provide early access to features that are in active development.
 > * Features, approaches, and processes may change, prior to General Availability (GA), based on user feedback.
-> * The public preview version of Document Intelligence client libraries default to REST API version [**2024-02-29-preview**](https://westus.dev.cognitive.microsoft.com/docs/services/document-intelligence-api-2024-02-29-preview/operations/AnalyzeDocument).
-> * Public preview version [**2024-02-29-preview**](https://westus.dev.cognitive.microsoft.com/docs/services/document-intelligence-api-2024-02-29-preview/operations/AnalyzeDocument) is currently only available in the following Azure regions:
+> * The public preview version of Document Intelligence client libraries default to REST API version [**2024-02-29-preview**](/rest/api/aiservices/operation-groups?view=rest-aiservices-2024-02-29-preview&preserve-view=true).
+> * Public preview version [**2024-02-29-preview**](/rest/api/aiservices/operation-groups?view=rest-aiservices-2024-02-29-preview&preserve-view=true) is currently only available in the following Azure regions:
 > * **East US**
 > * **West US2**
 > * **West Europe**

articles/ai-studio/how-to/create-azure-ai-resource.md

@@ -1,7 +1,7 @@
 ---
 title: How to create and manage an Azure AI hub resource
 titleSuffix: Azure AI Studio
-description: This article describes how to create and manage an Azure AI hub resource
+description: This article describes how to create and manage an Azure AI hub resource.
 manager: scottpolly
 ms.service: azure-ai-studio
 ms.custom:
@@ -23,7 +23,7 @@ In this article, you learn how to create and manage an Azure AI hub resource in
 
 ## Create an Azure AI hub resource in AI Studio
 
-To create a new Azure AI hub resource, you need either the Owner or Contributor role on the resource group or on an existing Azure AI hub resource. If you are unable to create an Azure AI hub resource due to permissions, reach out to your administrator. If your organization is using [Azure Policy](../../governance/policy/overview.md), don't create the resource in AI Studio. Create the Azure AI hub resource [in the Azure portal](#create-a-secure-azure-ai-hub-resource-in-the-azure-portal) instead.
+To create a new Azure AI hub resource, you need either the Owner or Contributor role on the resource group or on an existing Azure AI hub resource. If you're unable to create an Azure AI hub resource due to permissions, reach out to your administrator. If your organization is using [Azure Policy](../../governance/policy/overview.md), don't create the resource in AI Studio. Create the Azure AI hub resource [in the Azure portal](#create-a-secure-azure-ai-hub-resource-in-the-azure-portal) instead.
 
 Follow these steps to create a new Azure AI hub resource in AI Studio.
 
@@ -32,7 +32,7 @@ Follow these steps to create a new Azure AI hub resource in AI Studio.
 
 1. Enter your AI hub name, subscription, resource group, and location details.
 
-1. In the **Azure OpenAI** dropdown, you can select an existing Azure OpenAI resource to bring all your deployments into AI Studio. If you do not bring one, we will create one for you.
+1. In the **Azure OpenAI** dropdown, you can select an existing Azure OpenAI resource to bring all your deployments into AI Studio. If you don't bring one, we'll create one for you.
 
     :::image type="content" source="../media/how-to/resource-create-advanced.png" alt-text="Screenshot of the Create an Azure AI hub resource wizard with the option to set basic information." lightbox="../media/how-to/resource-create-advanced.png":::
 
@@ -86,6 +86,7 @@ If your organization is using [Azure Policy](../../governance/policy/overview.md
 ## Manage your Azure AI hub resource from the Azure portal
 
 ### Azure AI hub resource keys
+
 View your keys and endpoints for your Azure AI hub resource from the overview page within the Azure portal.
 
 :::image type="content" source="../media/how-to/resource-manage-view-keys.png" alt-text="Screenshot of the Azure AI hub resource in the Azure portal showing the keys and endpoints." lightbox="../media/how-to/resource-manage-view-keys.png":::
@@ -124,6 +125,14 @@ For Azure AI hub resources that use CMK encryption mode, you can update the encr
 
 :::image type="content" source="../media/how-to/resource-manage-encryption.png" alt-text="Screenshot of the Encryption page of the Azure AI hub resource in the Azure portal." lightbox="../media/how-to/resource-manage-encryption.png":::
 
+### Update Azure Application Insights and Azure Container Registry
+
+To use custom environments for Prompt Flow, you're required to configure an Azure Container Registry for your AI hub. To use Azure Application Insights for Prompt Flow deployments, a configured Azure Application Insights resource is required for your AI hub.
+
+You can configure your AI hub for these resources during creation or update after creation. To update Azure Application Insights from the Azure portal, navigate to the **Properties** for your Azure AI hub resource in the Azure portal, then select **Change Application Insights**. You can also use the Azure SDK/CLI options or infrastructure-as-code templates to update both Azure Application Insights and Azure Container Registry for the AI Hub.
+
+:::image type="content" source="../media/how-to/resource-manage-update-associated-resources.png" alt-text="Screenshot of the properties page of the Azure AI resource in the Azure portal." lightbox="../media/how-to/resource-manage-update-associated-resources.png":::
+
 ## Manage your Azure AI hub resource from the Manage tab within the AI Studio
 
 ### Getting started with the AI Studio

articles/ai-studio/media/how-to/resource-manage-update-associated-resources.png

@@ -186,33 +186,37 @@ You can use the `nodeSelector` field in your pod specification to specify the no
 The following example pod definition file shows how to use pod anti-affinity to ensure that pods are spread across nodes:
 
 ```yaml
-apiVersion: v1
-kind: Pod
+apiVersion: apps/v1
+kind: Deployment
 metadata:
-  name: with-node-affinity
+  name: multi-zone-deployment
+  labels:
+    app: myapp
 spec:
-  affinity:
-    nodeAffinity:
-      requiredDuringSchedulingIgnoredDuringExecution:
-        nodeSelectorTerms:
-        - matchExpressions:
-          - key: topology.kubernetes.io/zone
-            operator: In
-            values:
-            - 0 # Azure Availability Zone 0
-            - 1 # Azure Availability Zone 1
-            - 2 # Azure Availability Zone 2
-      preferredDuringSchedulingIgnoredDuringExecution:
-      - weight: 1
-        preference:
-          matchExpressions:
-          - key: another-node-label-key
-            operator: In
-            values:
-            - another-node-label-value
-  containers:
-  - name: with-node-affinity
-    image: registry.k8s.io/pause:2.0
+  replicas: 3
+  selector:
+    matchLabels:
+      app: myapp
+  template:
+    metadata:
+      labels:
+        app: myapp
+    spec:
+      containers:
+      - name: myapp-container
+        image: nginx
+        ports:
+        - containerPort: 80
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+              - key: app
+                operator: In
+                values:
+                - myapp
+            topologyKey: topology.kubernetes.io/zone
 ```
 
 For more information, see [Affinity and anti-affinity in Kubernetes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity).

articles/aks/best-practices-app-cluster-reliability.md

@@ -29,7 +29,23 @@ export LOCATION=<location>
 
 The add-on requires Azure CLI version 2.57.0 or later installed. You can run `az --version` to verify version. To install or upgrade, see [Install Azure CLI][azure-cli-install].
 
-## Install Istio add-on at the time of cluster creation
+## Get available Istio add-on revisions
+To find information about which Istio add-on revisions are available in a region and their compatibility with AKS cluster versions, use:
+
+```azurecli-interactive
+az aks mesh get-revisions --location <location> -o table
+```
+
+
+## Install Istio add-on
+### Revision selection
+If you enable the add-on without specifying a revision, a default supported revision is installed for you.
+
+If you wish to specify the revision instead:
+1. Use the `get-revisions` command in the [previous step](#get-available-istio-add-on-revisions) to check which revisions are available for different AKS cluster versions in a region.
+1. Based on the available revisions, you can include the `--revision asm-X-Y` (ex: `--revision asm-1-20`) flag in the enable command you use for mesh installation.
+
+### Install mesh during cluster creation
 
 To install the Istio add-on when creating the cluster, use the `--enable-azure-service-mesh` or`--enable-asm` parameter.
 
@@ -42,7 +58,7 @@ az aks create \
 --enable-asm
 ```
 
-## Install Istio add-on for existing cluster
+### Install mesh for existing cluster
 
 The following example enables Istio add-on for an existing AKS cluster:
 
@@ -86,23 +102,44 @@ istiod-asm-1-18-74f7f7c46c-xfdtl   1/1     Running   0          2m
 
 ## Enable sidecar injection
 
-To automatically install sidecar to any new pods, annotate your namespaces:
+To automatically install sidecar to any new pods, you will need to annotate your namespaces with the revision label corresponding to the control plane revision currently installed. 
+
+If you're unsure which revision is installed, use:
+```bash
+az aks show --resource-group ${RESOURCE_GROUP} --name ${CLUSTER}  --query 'serviceMeshProfile.istio.revisions'
+```
 
+Apply the revision label:
 ```bash
-kubectl label namespace default istio.io/rev=asm-1-18
+kubectl label namespace default istio.io/rev=asm-X-Y
 ```
 
 > [!IMPORTANT]
->  The default `istio-injection=enabled` labeling doesn't work. Explicit versioning (`istio.io/rev=asm-1-18`) is required.
+>  The default `istio-injection=enabled` labeling doesn't work. Explicit versioning matching the control plane revision (ex: `istio.io/rev=asm-1-18`) is required. 
 
+For manual injection of sidecar using `istioctl kube-inject`, you need to specify extra parameters for `istioNamespace` (`-i`) and `revision` (`-r`). For example:
 
-For manual injection of sidecar using `istioctl kube-inject`, you need to specify extra parameters for `istioNamespace` (`-i`) and `revision` (`-r`). Example:
+```bash
+kubectl apply -f <(istioctl kube-inject -f sample.yaml -i aks-istio-system -r asm-X-Y) -n foo
+```
+
+## Trigger sidecar injection
+You can either deploy the sample application provided for testing, or trigger sidecar injection for existing workloads.
+
+### Existing applications
+If you have existing applications to be added to the mesh, ensure their namespaces are labeled as in the previous step, and then restart their deployments to trigger sidecar injection:
+```bash
+kubectl rollout restart -n <namespace> <deployment name>
+```
 
+Verify that sidecar injection succeeded by ensuring all containers are ready and looking for the `istio-proxy` container in the `kubectl describe` output, for example:
 ```bash
-kubectl apply -f <(istioctl kube-inject -f sample.yaml -i aks-istio-system -r asm-1-18) -n foo
+kubectl describe pod -n namespace <pod name>
 ```
 
-## Deploy sample application
+The `istio-proxy` container is the Envoy sidecar. Your application is now part of the data plane.
+
+### Deploy sample application
 
 Use `kubectl apply` to deploy the sample application on the cluster:
 
@@ -150,10 +187,8 @@ reviews       ClusterIP   10.0.73.95     <none>        9080/TCP   86s
 kubectl get pods
 ```
 
-Confirm that all the pods have status of `Running`.
-
 ```
-NAME          TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
+NAME                              READY   STATUS    RESTARTS   AGE
 details-v1-558b8b4b76-2llld       2/2     Running   0          2m41s
 productpage-v1-6987489c74-lpkgl   2/2     Running   0          2m40s
 ratings-v1-7dc98c7588-vzftc       2/2     Running   0          2m41s
@@ -162,8 +197,8 @@ reviews-v2-7d79d5bd5d-8zzqd       2/2     Running   0          2m41s
 reviews-v3-7dbcdcbc56-m8dph       2/2     Running   0          2m41s
 ```
 
-> [!NOTE]
-> Each pod has two containers, one of which is the Envoy sidecar injected by Istio and the other is the application container.
+
+Confirm that all the pods have status of `Running` with 2 containers in the `READY` column. The second container (`istio-proxy`) added to each pod is the Envoy sidecar injected by Istio, and the other is the application container.
 
 To test this sample application against ingress, check out [next-steps](#next-steps).
 

articles/aks/istio-deploy-addon.md

@@ -32,7 +32,7 @@ The following example illustrates how to upgrade from revision `asm-1-18` to `as
 1. Initiate a canary upgrade from revision `asm-1-18` to `asm-1-19` using [az aks mesh upgrade start](/cli/azure/aks/mesh#az-aks-mesh-upgrade-start):
 
     ```bash
-    az aks mesh upgrade start --resource-group $RESOURCE_GROUP --name $CLUSTER --revision asm-1-18
+    az aks mesh upgrade start --resource-group $RESOURCE_GROUP --name $CLUSTER --revision asm-1-19
     ```
 
     A canary upgrade means the 1.18 control plane is deployed alongside the 1.17 control plane. They continue to coexist until you either complete or roll back the upgrade.
@@ -101,7 +101,7 @@ The following example illustrates how to upgrade from revision `asm-1-18` to `as
 
     * **Rollback the canary upgrade**: In case you observe any issues with the health of your workloads, you can roll back to the previous revision of Istio:
 
-      * Relabel the namespace to the previous revision
+      * Relabel the namespace to the previous revision:
 
           ```bash
           kubectl label namespace default istio.io/rev=asm-1-18 --overwrite
@@ -119,7 +119,7 @@ The following example illustrates how to upgrade from revision `asm-1-18` to `as
           az aks mesh upgrade rollback --resource-group $RESOURCE_GROUP --name $CLUSTER
           ```
 
-1. If [mesh configuration][meshconfig] was set up for the revisions in previous steps, you can now delete the ConfigMap for the revision that was removed from the cluster on completing or rolling back the upgrade.
+1. If [mesh configuration][meshconfig] was previously set up for the revisions, you can now delete the ConfigMap for the revision that was removed from the cluster during complete/rollback.
 
 > [!NOTE]
 > Manually relabeling namespaces when moving them to a new revision can be tedious and error-prone. [Revision tags](https://istio.io/latest/docs/setup/upgrade/canary/#stable-revision-labels) solve this problem. Revision tags are stable identifiers that point to revisions and can be used to avoid relabeling namespaces. Rather than relabeling the namespace, a mesh operator can simply change the tag to point to a new revision. All namespaces labeled with that tag will be updated at the same time. However, note that you still need to restart the workloads to make sure the correct version of `istio-proxy` sidecars are injected.