Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into safe

Author: gitName

.openpublishing.redirection.json

@@ -30,6 +30,46 @@
       "redirect_url": "/previous-versions/azure/partner-solutions/logzio/troubleshoot",
        "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/hdinsight-aks/index.yml",
+      "redirect_url": "/previous-versions/azure/hdinsight-aks",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/hdinsight-aks/flink/index.md",
+      "redirect_url": "/previous-versions/azure/hdinsight-aks/flink/flink-overview",
+      "redirect_document_id": false
+    },
+    {
+        "source_path_from_root": "/articles/hdinsight-aks/prerequisites-subscription.md",
+        "redirect_url": "/previous-versions/azure/hdinsight-aks/quickstart-prerequisites-subscription",
+        "redirect_document_id": false
+    },
+    {
+        "source_path_from_root": "/articles/hdinsight-aks/release-notes/index.md",
+        "redirect_url": "/previous-versions/azure/hdinsight-aks/release-notes/hdinsight-aks-release-notes",
+        "redirect_document_id": false
+    },
+    {
+        "source_path_from_root": "/articles/hdinsight-aks/prerequisites-resources.md",
+        "redirect_url": "/previous-versions/azure/hdinsight-aks/quickstart-prerequisites-resources",
+        "redirect_document_id": false
+    },    
+    {
+        "source_path_from_root": "/articles/hdinsight-aks/spark/index.md",
+        "redirect_url": "/previous-versions/azure/hdinsight-aks/spark/hdinsight-on-aks-spark-overview",
+        "redirect_document_id": false
+    },
+    {
+        "source_path_from_root": "/articles/hdinsight-aks/get-started.md",
+        "redirect_url": "/previous-versions/azure/hdinsight-aks/quickstart-get-started",
+        "redirect_document_id": false
+    },
+    {
+        "source_path_from_root": "/articles/hdinsight-aks/trino/index.md",
+        "redirect_url": "/previous-versions/azure/hdinsight-aks/trino/trino-overview ",
+        "redirect_document_id": false
+    },
     {
       "source_path": "articles/hdinsight-aks/cluster-storage.md",
       "redirect_url": "/previous-versions/azure/hdinsight-aks/cluster-storage",

articles/api-management/TOC.yml

@@ -705,3 +705,5 @@
     href: /answers/tags/29/azure-api-management
   - name: Stack Overflow
     href: https://stackoverflow.com/questions/tagged/azure-api-management
+  - name: aka.ms/apimlove
+    href: https://aka.ms/apimlove

articles/api-management/api-management-key-concepts.md

@@ -45,6 +45,9 @@ Common scenarios include:
 * **Multi-channel user experiences** - APIs are frequently used to enable user experiences such as web, mobile, wearable, or Internet of Things applications. Reuse APIs to accelerate development and ROI.
 * **B2B integration** - APIs exposed to partners and customers lower the barrier to integrate business processes and exchange data between business entities. APIs eliminate the overhead inherent in point-to-point integration. Especially with self-service discovery and onboarding enabled, APIs are the primary tools for scaling B2B integration.
 
+> [!TIP]
+> Visit [aka.ms/apimlove](https://aka.ms/apimlove) for a library of useful resources, including videos, blogs, and customer stories about using Azure API Management.
+
 ## API Management components
 
 Azure API Management is made up of an API *gateway*, a *management plane*, and a *developer portal*. These components are Azure-hosted and fully managed by default. API Management is available in various [tiers](#api-management-tiers) differing in capacity and features.
@@ -132,7 +135,8 @@ API Management integrates with many complementary Azure services to create enter
 **More information**:
 * [Basic enterprise integration](/azure/architecture/reference-architectures/enterprise-integration/basic-enterprise-integration?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json)
 * [Landing zone accelerator](/azure/cloud-adoption-framework/scenarios/app-platform/api-management/landing-zone-accelerator?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json)
-* [Import APIs to API Center from API Management](../api-center/import-api-management-apis.md?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json)
+* [GenAI gateway capabilities in API Management](genai-gateway-capabilities.md)
+* [Synchronize APIs to API Center from API Management](../api-center/synchronize-api-management-apis.md?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json)
 
 ## Key concepts
 

articles/app-service/configure-ssl-app-service-certificate.md

@@ -139,6 +139,13 @@ By default, App Service certificates have a one-year validity period. Before the
 
 If you think your certificate's private key is compromised, you can rekey your certificate. This action rotates the certificate with a new certificate issued from the certificate authority.
 
+> [!NOTE]
+> Starting September 23 2021, if you haven't verified the domain in the last 395 days, App Service certificates require domain verification during a renew, auto-renew, or rekey process. The new certificate order remains in "pending issuance" mode during the renew, auto-renew, or rekey process until you complete the domain verification.
+> 
+> Unlike the free App Service managed certificate, purchased App Service certificates don't have automated domain re-verification. Failure to verify domain ownership results in failed renewals. For more information about how to verify your App Service certificate, review [Confirm domain ownership](#confirm-domain-ownership).
+>
+> The rekey process requires that the service principal for App Service has the required permissions on your key vault. These permissions are set up for you when you import an App Service certificate through the Azure portal. Make sure that you don't remove these permissions from your key vault.
+
 1. On the [App Service Certificates page](https://portal.azure.com/#blade/HubsExtension/Resources/resourceType/Microsoft.CertificateRegistration%2FcertificateOrders), select the certificate. From the left menu, select **Rekey and Sync**.
 
 1. To start the process, select **Rekey**. This process can take 1-10 minutes to complete.

articles/application-gateway/for-containers/toc.yml

@@ -130,5 +130,5 @@
   - name: Regional availability
     href: https://azure.microsoft.com/global-infrastructure/services/
   - name: Stack Overflow
-    href: https://stackoverflow.com/questions/tagged/azure-application-gateway-for-containers
+    href: https://stackoverflow.com/questions/tagged/azure-app-gateway-for-containers
 

articles/batch/batch-pool-compute-intensive-sizes.md

@@ -3,7 +3,7 @@ title: Use compute-intensive Azure VMs with Batch
 description: How to take advantage of HPC and GPU virtual machine sizes in Azure Batch pools. Learn about OS dependencies and see several scenario examples.
 ms.topic: how-to
 ms.custom: linux-related-content
-ms.date: 06/07/2024
+ms.date: 02/04/2025
 ---
 # Use RDMA or GPU instances in Batch pools
 
@@ -33,7 +33,7 @@ The RDMA or GPU capabilities of compute-intensive sizes in Batch are supported o
 | -------- | -------- | ----- |  -------- | ----- |
 | [H16r, H16mr](/azure/virtual-machines/sizes-hpc)<br/>[NC24r, NC24rs_v2, NC24rs_v3, ND24rs<sup>*</sup>](/azure/virtual-machines/linux/n-series-driver-setup#rdma-network-connectivity) | RDMA | Ubuntu 22.04 LTS <br/> (Azure Marketplace) | Intel MPI 5<br/><br/>Linux RDMA drivers | Enable inter-node communication, disable concurrent task execution |
 | [NCv3, NDv2, NDv4, NDv5 series](/azure/virtual-machines/linux/n-series-driver-setup) | NVIDIA Tesla GPU (varies by series) | Ubuntu 22.04 LTS  <br/> (Azure Marketplace) | NVIDIA CUDA or CUDA Toolkit drivers | N/A |
-| [NVv3, NVv4, NVv5 series](/azure/virtual-machines/linux/n-series-driver-setup) | Accelerated Visualization GPU | Ubuntu 22.04 LTS <br/> (Azure Marketplace) | NVIDIA GRID drivers (if required) | N/A |
+| [NVv3, NVv4, NVv5 series](/azure/virtual-machines/linux/n-series-driver-setup) | Accelerated Visualization GPU | Ubuntu 22.04 LTS <br/> (Azure Marketplace) | NVIDIA GRID drivers or AMD GPU drivers | N/A |
 
 <sup>*</sup>RDMA-capable N-series sizes also include NVIDIA Tesla GPUs
 
@@ -69,14 +69,16 @@ To configure a specialized VM size for your Batch pool, you have several options
 
 * For pools in the virtual machine configuration, choose a preconfigured [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/) VM image that has drivers and software preinstalled. Examples:
 
-* [Data Science Virtual Machine](/azure/machine-learning/data-science-virtual-machine/overview) for Linux or Windows - includes NVIDIA CUDA drivers
+    * [Data Science Virtual Machine](/azure/machine-learning/data-science-virtual-machine/overview) for Linux or Windows - includes NVIDIA CUDA drivers
 
-* Linux images for Batch container workloads that also include GPU and RDMA drivers:
+    * Linux images for Batch container workloads that also include GPU and RDMA drivers:
 
-* [Ubuntu Server (with GPU and RDMA drivers) for Azure Batch container pools](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-azure-batch.ubuntu-server-container-rdma?tab=Overview)
+    * [Ubuntu Server (with GPU and RDMA drivers) for Azure Batch container pools](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-azure-batch.ubuntu-server-container-rdma?tab=Overview)
 
 * Create a [custom Windows or Linux VM image](batch-sig-images.md) with installed drivers, software, or other settings required for the VM size.
 
+* [Install GPU and RDMA drivers by VM extension](create-pool-extensions.md).
+
 * Create a Batch [application package](batch-application-packages.md) from a zipped driver or application installer. Then, configure Batch to deploy this package to pool nodes and install once when each node is created. For example, if the application package is an installer, create a [start task](jobs-and-tasks.md#start-task) command line to silently install the app on all pool nodes. Consider using an application package and a pool start task if your workload depends on a particular driver version.
 
   > [!NOTE]

articles/confidential-computing/TOC.yml

@@ -49,6 +49,8 @@
       href: confidential-vm-faq.yml
     - name: Guest attestation for confidential VMs
       href: guest-attestation-confidential-vms.md
+    - name: Guest attestation Design for confidential VMs
+      href: guest-attestation-confidential-virtual-machines-design.md
     - name: About Azure confidential GPUs
       href: gpu-options.md
     - name: Microsoft Defender for Cloud integration

articles/confidential-computing/guest-attestation-confidential-virtual-machines-design.md

@@ -0,0 +1,172 @@
+---
+title: Azure Confidential VM guest attestation design detail
+description: Learn about the design detail of the guest attestation for Azure confidential virtual machines.
+author: mishih
+ms.author: mishih
+ms.service: azure-virtual-machines
+ms.subservice: azure-confidential-computing
+ms.topic: conceptual
+ms.date: 02/06/2025
+ms.custom: template-concept
+---
+
+# Confidential VM Guest Attestation Design Detail
+
+This document provides a detailed overview of the [Azure confidential VM Guest Attestation](guest-attestation-confidential-vms.md) design.
+
+## vTPM-Based Design
+
+Azure confidential virtual machines (VMs) utilize a vTPM-based design for the guest attestation. The approach ensures a consistent interface across guest operating systems (Linux and Windows) and hardware platforms (AMD SEV-SNP and Intel TDX).
+
+## Attestation Flow
+
+The guest attestation process involves two main steps: evidence generation and evidence verification. A user requests the Azure confidential VM to generate vTPM evidence and then send the evidence to a trusted party (for example, [Microsoft Azure Attestation (MAA)](https://azure.microsoft.com/products/azure-attestation)) for verification.
+
+A relying party, such as [Azure Key Vault Premium](../security/fundamentals/key-management.md) or [Azure Key Vault Managed HSM](/azure/key-vault/managed-hsm/overview), can assess the trustworthiness of the Azure confidential VM based on the verification results. If the VM is deemed trustworthy, the relying party can securely provision secrets to the VM, using mechanisms like [Secure Key Release](concept-skr-attestation.md).
+
+### vTPM Evidence
+
+A vTPM evidence consists of a TPM quote and endorsements used to verify the quote, as outlined in the rest of the section.
+- TPM Quote
+  - A standard TPM quote that is the output of `TPM2_Quote` command defined by TPM 2.0 specification.
+  - Includes a list of Platform Configuration Registers (PCRs) that captures the measurements of the guest OS (for example, boot process).
+  - The usage of PCRs conforms to Linux and Windows standards (each having its usage definition).
+  - Signed by vTPM attestation private key (AK); that is, AK is specified as the signing key in the `TPM2_Quote` command.
+
+- TPM Event Log
+  - An event log stored in the system that can be used to reproduce PCR values in the TPM quote.
+  - Refer to [TPM specification](https://trustedcomputinggroup.org/wp-content/uploads/TCG-Guidance-Integrity-Measurements-Event-Log-Processing_v1_r0p118_24feb2022-1.pdf) for more detail.
+
+- vTPM AK Certificate
+  - Issued by Azure (signed by Azure CA).
+  - Backed by hardware (the vTPM attestation public key, AK public, is captured in the hardware report).
+
+- Hardware Report
+  - Generated and signed by the hardware.
+  - Capture the following information
+    - AK public
+    - The measurement of Microsoft-built guest paravisor where the vTPM runs
+      - Learn more in [Confidential VMs on Azure](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/confidential-vms-on-azure/ba-p/3836282)).
+    - Hardware information
+      - Refer to AMD SEV-SNP and Intel TDX specifications for more detail.
+
+- Hardware Vendor Certificate Chain
+  - Issued by hardware vendor (AMD and Intel) to certify the signature of the hardware report.
+    - AMD SEV-SNP: Versioned Chip Endorsement Key (VCEK) Certificates
+    - Intel TDX: Provisioning Certificate Key (PCK) Certificates
+
+### What are being covered by a vTPM Evidence?
+
+| Component                        | Covered by       |
+| :---                             | :---             |
+| Guest OS                         | TPM Quote (PCRs) |
+| UEFI                             | Hardware Report  |
+| Guest Paravisor (including vTPM) | Hardware Report  |
+
+### How is vTPM Evidence verified?
+
+The verifier ([Microsoft Azure Attestation (MAA)](https://azure.microsoft.com/products/azure-attestation)) verified the vTPM evidence based on the trusted chain, as shown in the following figure. Successful verification implies that the attested Azure confidential VM is trustworthy and protected by the hardware.
+
+![Figure of vTPM-based Evidence Trust Chain](media/guest-attestation-confidential-vms-design/azure-cvm-trusted-chain.png)
+
+## Developer's Reference
+
+This section provides a reference to the vTPM-based guest attestation design used by Azure confidential VM.
+
+### Azure-Reserved TPM NV Indexes
+
+| Name | NV Index | Size (bytes) | Description |
+| :--- | :--- | :--- | :--- |
+| Attestation Report | 0x01400001 | 2600 | Azure-defined format with the hardware report embedded. |
+| Report Data        | 0x01400002 | 64   | The report data to be included in the Runtime Data. |
+| vTPM AK Cert       | 0x01C101D0 | 4096  | The certificate used to verify the TPM Quote signed by the vTPM AK. |
+| vTPM AK            | 0x81000003 | Depending on the key type | The key used to sign the TPM Quote. |
+
+Refer to [Azure Confidential VMs attestation guidance & FAQ](https://github.com/Azure/confidential-computing-cvm-guest-attestation/blob/main/cvm-guest-attestation.md) for sample TPM commands.
+
+### Attestation Report Format
+
+#### Attestation Report
+
+| Name | Offset (bytes) | Size (bytes) | Description |
+| :--- | :--- | :--- | :--- |
+| Header         | 0    | 32 | The report header (not endorsed by the hardware report). |
+| Report Payload | 32   | 1184 | The hardware report. |
+| Runtime Data   | 1216 | variable length | The runtime data includes claims endorsed by the hardware report. |
+
+
+#### Header
+
+| Name | Offset (bytes) | Size (bytes) | Description |
+| :--- | :--- | :--- | :--- |
+| Signature    | 0 | 4   | Embedded signature. Expected: 0x414c4348 (`HCLA`). |
+| Version      | 4 | 4   | Format version. Expected: 2.
+| Report Size  | 8 | 4   | Size of the Report Payload. Expected: 1184 (AMD SEV-SNP), 1024 (Intel TDX). |
+| Request Type | 12 | 4  | Azure-specific usage of the attestation report. Expected: 2. |
+| Status       | 16 | 4  | Reserved. |
+| Reserved     | 20 | 12 | Reserved. |
+
+#### Report Payload
+
+The report generated by the hardware (AMD SEV-SNP or Intel TDX). The report_data field of the report captures the hash of the Runtime Claims in the Runtime Data. Refer to specifications from hardware vendors for more detail.
+
+#### Runtime Data
+
+| Name | Offset (bytes) | Size (bytes) | Description | Measured |
+| :--- | :--- | :--- | :--- | :--- |
+| Data Size      | 0  | 4 | The size of Runtime Claims. | No |
+| Version        | 4  | 4 | Format version. Expected: 1. | No |
+| Report Type    | 8  | 4 | The type of hardware report. Expected: 2 (AMD SEV-SNP), 4 (Intel TDX) | No |
+| Hash Type      | 12 | 4 | The algorithm used to hash the runtime data. The hash value is captured in the report_data field of the hardware report. Expected: 1 (SHA-256), 2 (SHA-384), 3 (SHA-512) | No |
+| Runtime Claims | 16 | variable length | The runtime claims in JSON format. | Yes |
+
+#### Runtime Claims
+
+| JSON Field | Description |
+| :--- | :--- |
+| keys | An array of keys in JWK format. Expected `kid`:  `HCLAkPub` (vTPM AK public),  `HCLEkPub` (vTPM EK public). |
+| vm_configuration | Selective Azure confidential VM configuration. |
+| user_data | 64-byte data (HEX string) read from `0x01400002` NV index (Report Data). |
+
+Example
+
+```JSON
+{
+  "keys": [
+    {
+      "kid": "HCLAkPub",
+      "key_ops": [
+        "sign"
+      ],
+      "kty": "RSA",
+      "e": "AQAB",
+      "n": "rAipdAAArL6V1FNnSQ-39i3VH-a8PuOeVRo2VpecspDWbJNmgHJ4-VGGFEx4sdVbvDC6fyo_VM2ebE-_AKxTmrNVEr-KIZveJMD_vlOqvMvjtllsWwA-vsRfpqiduvQdFcdCvyHzfxBRHYqdmxgKq-3QI-XBbZv9cCMMMPHkNp4mWkyahjQxXVJVwB1egCrJGKSk1bRXlP1dXNG_Pe4-W5O-YEGRKdLIA31G0Yh8VBnrEUCAMjDAuh6fncMkwdMVskI5Ta-kJgGw4GepIj6_smIyYhxg3o8Ik4qPntxj1TrV0bVW2IiNMLHoM67y1ErOir7bv00xqgqouFodI-vM3Q"
+    },
+    {
+      "kid": "HCLEkPub",
+      "key_ops": [
+        "encrypt"
+      ],
+      "kty": "RSA",
+      "e": "AQAB",
+      "n": "m3AfPAAA-_HY3M_-x4bQbr0p2nkvAgig1mENl-BColvqq0aKKAqIHr-DFQ9-iB2z7EzhYVon5R7Nc1jzqBsmxahE8uaQfD-sp8bWOtbvy4V9nAqLY4HOwfxlJ99cEOOpxNXfCNesYOk8T0ntG05w7oBRjFw0LMVKS-1S3j5-oMnNnpJoo7rX5hNM8JVpxEuVa1IOf1NmvRey6wjwSHbjUay_IMUTAq1wzpx8wo_hjeY4JMd0Ka1ewLjJDaTQSpSxZI36ujyR6EGho0FBXSKN-9W9DAXkO8-RKuLUrmTXA6ETJRYApMuYGiUDCk1Y5zQTQsyWS6pLjnf2mg2tEntZZw"
+    }
+  ],
+  "vm-configuration": {
+    "root-cert-thumbprint": "",
+    "console-enabled": true,
+    "secure-boot": true,
+    "tpm-enabled": true,
+    "tpm-persisted": true,
+    "vmUniqueId": "68dc0ac0-2ed9-4b2a-a03e-4953e416d939"
+  },
+  "user-data": "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
+}
+```
+
+## Next Steps
+
+- [Learn more about the guest attestation APIs](guest-attestation-confidential-vms.md)
+- [Learn to use a sample application with the guest attestation APIs](guest-attestation-example.md)
+- [Learn how to use Microsoft Defender for Cloud integration with confidential VMs with guest attestation installed](guest-attestation-defender-for-cloud.md)
+- [Learn about Azure confidential VMs](confidential-vm-overview.md)

articles/confidential-computing/guest-attestation-confidential-vms.md

@@ -345,6 +345,7 @@ You can extract different parts of the JSON web token for the [different API sce
 
 ## Next steps
 
+- [Learn more about the guest attestation design](guest-attestation-confidential-virtual-machines-design.md)
 - [Learn to use a sample application with the guest attestation APIs](guest-attestation-example.md)
 - [Learn how to use Microsoft Defender for Cloud integration with confidential VMs with guest attestation installed](guest-attestation-defender-for-cloud.md)
 - [Learn about Azure confidential VMs](confidential-vm-overview.md)