format

Author: cherylmc

articles/application-gateway/application-gateway-tls-version-retirement.md

@@ -0,0 +1,77 @@
+---
+title: TLS 1.0 and 1.1 retirement on Azure Application Gateway
+description: Guidance for managing your Application Gateway with the upcoming retirement of TLS 1.0 and 1.1.
+services: application gateway
+author: jaesoni
+ms.service: azure-application-gateway
+ms.topic: concept-article
+ms.date: 03/04/2025
+ms.author: greglin
+---
+
+# Managing your Application Gateway with TLS 1.0 and 1.1 retirement
+
+Starting **31st August 2025**, Azure Application Gateway will no longer support **TLS (Transport Layer Security) versions 1.0 and 1.1**. This change aligns with the [Azure-wide retirement](https://azure.microsoft.com/updates?id=update-retirement-tls1-0-tls1-1-versions-azure-services) of these TLS versions to enhance the security. As the owner of an Application Gateway resource, you should review both the Frontend clients and Backend servers TLS connections that may be using these older versions.
+
+## Frontend TLS connections
+
+With deprecation of TLS versions 1.0 and 1.1, the **older Predefined TLS policies** and certain cipher suites from the **Custom TLS policy** will be removed.
+
+### Predefined policies for V2 SKUs
+
+The predefined policies 20150501 and 20170401 that support TLS v1.0 and 1.1 will be discontinued and can no longer be associated with an Application Gateway resource after August 2025. It's advised to transition to one of the recommended TLS policies, 20220101 or 20220101S. Alternatively, the 20170401S policy may be used if specific cipher suites are required. 
+
+![A diagram showing predefined policies for V2 SKUs.](media/application-gateway-tls-version-retirement/v2-retiring-tls-policies.png)
+
+### Custom policies for V2 SKUs
+
+Azure Application Gateway V2 SKU offers two types of custom policies: Custom and CustomV2. The retirement of these TLS versions affects only the "Custom" policy. The newer "CustomV2" policy comes with TLS v1.3. Beyond August 2025, the older Custom policy will support only TLS v1.2 and the following cipher suites won't be supported.
+
+| Unsupported cipher suites |
+| ---------- |
+| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
+| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
+| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
+| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
+| TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
+| TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
+| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 |
+| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 |
+| TLS_DHE_DSS_WITH_AES_256_CBC_SHA |
+| TLS_DHE_DSS_WITH_AES_128_CBC_SHA |
+| TLS_RSA_WITH_3DES_EDE_CBC_SHA |
+| TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA |
+
+### Predefined policies for V1 SKUs
+
+The V1 SKU will only support the 20170401S policy after the older policies with TLS versions 1.0 and 1.1 are discontinued. The newer 20220101 or 20220101S policies won't be available for the soon-to-be-retired V1 SKU.
+
+![A diagram showing predefined policies for V1 SKUs.](media/application-gateway-tls-version-retirement/v1-retiring-tls-policies.png)
+
+### Custom policies for V1 SKUs
+
+Application Gateway V1 SKU only supports the older "Custom" policy. Beyond August 2025, this older Custom policy will support only TLS v1.2 and the following cipher suites won't be supported.
+
+| Unsupported cipher suites |
+| ---------- |
+| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
+| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
+| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
+| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
+| TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
+| TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
+| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 |
+| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 |
+| TLS_DHE_DSS_WITH_AES_256_CBC_SHA |
+| TLS_DHE_DSS_WITH_AES_128_CBC_SHA |
+| TLS_RSA_WITH_3DES_EDE_CBC_SHA |
+| TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA |
+
+## Backend TLS connections
+
+You don't need to configure anything on your Application Gateway for the backend connection's TLS version as the selection of TLS policy has no control over the backend TLS connections. After retirement, the connections to backend servers will always be with preferred TLS v1.3 and up to TLS v1.2. You must ensure that your servers in the backend pools are compatible with these updated protocol versions. This compatibility avoids any disruptions when establishing a TLS/HTTPS connection with those backend servers.
+
+## Next steps
+
+Learn about [TLS policy types and configurations](application-gateway-ssl-policy-overview.md)
+Visit Azure Updates for [retirement notice](https://azure.microsoft.com/updates?searchterms=application+gateway)

articles/application-gateway/media/application-gateway-tls-version-retirement/v1-retiring-tls-policies.png

@@ -95,6 +95,8 @@
     href: ssl-certificate-management.md
   - name: Security baseline
     href: /security/benchmark/azure/baselines/application-gateway-security-baseline?toc=/azure/application-gateway/toc.json
+  - name: TLS 1.0 and 1.1 retirement
+    href: application-gateway-tls-version-retirement.md
   - name: Network security blog
     href: https://techcommunity.microsoft.com/category/azure-network-security/blog/azurenetworksecurityblog
 - name: Deploy

articles/application-gateway/media/application-gateway-tls-version-retirement/v2-retiring-tls-policies.png

@@ -4,8 +4,6 @@ description: This article contains important reference material you need when yo
 ms.date: 05/13/2024
 ms.custom: horz-monitor, ignite-2024
 ms.topic: reference
-author: rboucher
-ms.author: robb
 ---
 
 # Azure Cache for Redis monitoring data reference

articles/application-gateway/toc.yml

@@ -4,9 +4,6 @@ description: Start here to learn how to monitor Azure Cache for Redis.
 ms.date: 03/21/2024
 ms.custom: horz-monitor
 ms.topic: conceptual
-author: robb
-ms.author: robb
-
 ---
 
 # Monitor Azure Cache for Redis

articles/azure-cache-for-redis/monitor-cache-reference.md

@@ -17,7 +17,7 @@ In this article, you learn how to generate the service principal auth token, a u
 ## Register your app with Microsoft Entra ID
 
 1. To provision the Azure Data Manager for Energy platform, you must register your app on the [Azure portal app registration page](https://go.microsoft.com/fwlink/?linkid=2083908). You can use either a Microsoft account or a work or school account to register an app. For steps on how to configure, see [Register your app documentation](../active-directory/develop/quickstart-register-app.md#register-an-application).
-1. In the app overview section, if there are no redirect URIs specified, you can select **Add a platform** > **Web**, add `http://localhost:8080`, and select **Save**.
+1. In the application overview section, if no redirect Uniform Resource Identifiers (URIs) are specified, select **Add a platform** > **Web**, add `http://localhost:8080`, and then select **Save**.
 
    :::image type="content" source="media/how-to-generate-auth-token/app-registration-uri.png" alt-text="Screenshot that shows adding the URI to the app.":::
 
@@ -38,7 +38,7 @@ You can also find the parameters after the app is registered on the Azure portal
 
 ### Find client-id
 
-A `client-id` is the same value that you use to register your application during the provisioning of your [Azure Data Manager for Energy instance](quickstart-create-microsoft-energy-data-services-instance.md). It's often referred to as `app-id`.
+A `client-id` is the value used to register your application during the provisioning of your [Azure Data Manager for Energy instance](quickstart-create-microsoft-energy-data-services-instance.md). It is often referred to as `app-id`.
 
 1. Go to the Azure Data Manager for Energy **Overview** page. On the **Essentials** pane, find **client ID**.
 1. Copy the `client-id` value and paste it into an editor to be used later.
@@ -51,7 +51,7 @@ A `client-id` is the same value that you use to register your application during
 
 ### Find client-secret
 
-A `client-secret` is a string value your app can use in place of a certificate to identify itself. It's sometimes referred to as an application password.
+A `client-secret` is a string value your app can use in place of a certificate to identify itself. It is sometimes called an application password.
 
 1. Go to **App registrations**.
 1. Under the **Manage** section, select **Certificates & secrets**.
@@ -76,7 +76,7 @@ The `redirect-uri` of your app, where your app sends and receives the authentica
 
 ### Find the adme-url for your Azure Data Manager for Energy instance
 
-1. Create an [Azure Data Manager for Energy instance](quickstart-create-microsoft-energy-data-services-instance.md) using the `client-id` generated above.
+1.  Create an [Azure Data Manager for Energy instance](quickstart-create-microsoft-energy-data-services-instance.md) using the `client-id` obtained in the [Find client-id](#find-client-id) section.
 1. Go to your Azure Data Manager for Energy **Overview** page on the Azure portal.
 1. On the **Essentials** pane, copy the URI.
 
@@ -159,11 +159,11 @@ The first step to get an access token for many OpenID Connect (OIDC) and OAuth 2
    |Parameter| Description|
    | --- | --- |
    |code|The authorization code that the app requested. The app can use the authorization code to request an access token for the target resource. Authorization codes are short lived. Typically, they expire after about 10 minutes.|
-   |state|If a state parameter is included in the request, the same value should appear in the response. The app should verify that the state values in the request and response are identical. This check helps to detect [CSRF attacks](https://tools.ietf.org/html/rfc6749#section-10.12) against the client.|
+   |state|If a state parameter is included in the request, the same value should appear in the response. The app should verify that the state values in the request and response are identical. This check helps to detect Cross-Site Request Forgery (CSRF) attacks. For more information, see [CSRF attacks](https://tools.ietf.org/html/rfc6749#section-10.12).|
    |session_state|A unique value that identifies the current user session. This value is a GUID, but it should be treated as an opaque value that's passed without examination.|
 
 > [!WARNING]
-> Running the URL in Postman won't work because it requires extra configuration for token retrieval.
+> Running the URL in other GUI-based API clients doesn't work because they require extra configuration for token retrieval.
 
 ### Get an auth token and a refresh token
 

articles/azure-cache-for-redis/monitor-cache.md

@@ -284,4 +284,5 @@ As an alternative user experience to Postman, you can use the sdutil command-lin
 > [!div class="nextstepaction"]
 > [Use sdutil to load data into Seismic Store](./tutorial-seismic-ddms-sdutil.md)
 >
-> For more information on the Seismic REST APIs in Azure Data Manager for Energy, see the OpenAPI specifications available in the [adme-samples](https://microsoft.github.io/adme-samples/) GitHub repository.
+
+For more information on the Seismic REST APIs in Azure Data Manager for Energy, see the OpenAPI specifications available in the [adme-samples](https://microsoft.github.io/adme-samples/) GitHub repository.

articles/energy-data-services/how-to-generate-auth-token.md

@@ -5,7 +5,7 @@ services: firewall
 author: duongau
 ms.service: azure-firewall
 ms.topic: concept-article
-ms.date: 01/15/2025
+ms.date: 03/20/2025
 ms.author: duau
 ---
 
@@ -43,12 +43,6 @@ For more information, see [Resource Health overview](/azure/service-health/resou
 
 You can configure Azure Firewall to autolearn both registered and private ranges every 30 minutes. For information, see [Azure Firewall SNAT private IP address ranges](snat-private-range.md#auto-learn-snat-routes-preview).
 
-### Parallel IP Group updates (preview)
-
-You can now update multiple IP Groups in parallel at the same time. This is useful for administrators who want to make configuration changes more quickly and at scale, especially when making those changes using a dev ops approach (templates, ARM template, CLI, and PowerShell).
-
-For more information, see [IP Groups in Azure Firewall](ip-groups.md#parallel-ip-group-updates-preview).
-
 ### Private IP address DNAT rules (preview)
 
 You can now configure a DNAT rule on Azure Firewall Policy with the private IP address of the Azure Firewall as the destination. Previously, DNAT rules only worked with Azure Firewall Public IP addresses.
@@ -67,4 +61,4 @@ For more information, see [Customer provided public IP address support in secure
 
 ## Next steps
 
-To learn more about Azure Firewall, see [What is Azure Firewall?](overview.md).
+To learn more about Azure Firewall, see [What is Azure Firewall?](overview.md).

articles/energy-data-services/tutorial-seismic-ddms.md

@@ -57,40 +57,27 @@ You can see all the IP addresses in the IP Group and the rules or resources that
 
 You can now select **IP Group** as a **Source type** or **Destination type** for the IP address(es) when you create Azure Firewall DNAT, application, or network rules.
 
-## Parallel IP Group updates (preview)
-
-You can now update multiple IP Groups in parallel at the same time. This is particularly useful for administrators who want to make configuration changes more quickly and at scale, especially when making those changes using a dev ops approach (templates, ARM, CLI, and Azure PowerShell).
-
-With this support, you can now:
-
-- Update 50 IP Groups at a time
-- Update the firewall and firewall policy during IP Group updates
-- Use the same IP Group in parent and child policy
-- Update multiple IP Groups referenced by firewall policy or classic firewall simultaneously
-- Receive new and improved error messages
-   - Fail and succeed states
-
-     For example, if there is an error with one IP Group update out of 20 parallel updates, the other updates proceed, and the errored IP Group fails. In addition, if the IP Group update fails, and the firewall is still healthy, the firewall remains in a *Succeeded* state. To check if the IP Group update has failed or succeeded, you can view the status on the IP Group resource.
-
-To activate Parallel IP Group support, you can register the feature using either Azure PowerShell or the Azure portal.
-
-### Azure PowerShell
-
-Use the following Azure PowerShell commands:
-
-```azurepowershell
-Connect-AzAccount
-Select-AzSubscription -Subscription <subscription_id> or <subscription_name>
-Register-AzProviderFeature -FeatureName AzureFirewallParallelIPGroupUpdate -ProviderNamespace Microsoft.Network
-Register-AzResourceProvider -ProviderNamespace Microsoft.Network
-```
-It can take several minutes for this to take effect. Once the feature is completely registered, consider performing an update on Azure Firewall for the change to take effect immediately.
-
-### Azure portal
-
-1. Navigate to **Preview features** in the Azure portal.
-1. Search and register **AzureFirewallParallelIPGroupUpdate**.
-1. Ensure the feature is enabled.
+## Parallel IP Group updates
+
+You can now update multiple IP Groups in parallel at the same time. This is particularly useful for environments requiring faster changes at scale, especially when making those changes using a dev ops approach (templates, ARM, CLI, and Azure PowerShell).
+
+With this support, you can perform the following:
+
+- **Update 20 IP Groups at a time:** Perform simultaneous updates up to 20 IP Groups in one operation, referenced by firewall policy or classic firewall. 
+- **Update Azure Firewall and IP Groups together:** You can update IP Groups simultaneously with the firewall or with firewall policies. 
+- **Improved efficiency:** Parallel IP Group updates now run twice as fast. 
+- **Receive new and improved error messages:**
+
+   |Error message  |Description  |Recommended action|
+   |---------|---------|---------|
+   |**In failed state (skipping update)**  |Azure Firewall or Firewall Policy is in a failed state. Updates cannot proceed until the resource is healthy. |Review previous operations and correct any misconfigurations to ensure the resource is healthy.|
+   | **Backend server could not update Firewall at this time** | The backend server was unable to successfully process the request.| Create a support request.|
+   | **Error occurred during FW update** | The error is related to the underlying backend servers.| Retry the operation or create a support request if the issue persists.|
+   | **Internal server error** | An unexpected backend error has occurred. | Retry the operation or create a support request.|
+  
+Additionally, note the following status updates:
+- **One or more IP Group failure:** If one IP Group update (out of 20 parallel updates) fails, the provisioning state changes to "Failed" while the remaining IP Groups will continue to update and succeed.
+- **Status update:** If an IP Group update fails, and if the firewall remains healthy, its state will still show as "Succeeded." To verify, check the status on the IP Group resource itself. 
 
 ## Region availability