Merge pull request #302036 from MicrosoftDocs/main

Merged by Learn.Build PR Management system

Author: learn-build-service-prod[bot]

articles/backup/backup-create-recovery-services-vault.md

@@ -2,7 +2,7 @@
 title: Create and configure Recovery Services vaults
 description: Learn how to create and configure Recovery Services vaults, and how to restore in a secondary region by using Cross Region Restore.
 ms.topic: how-to
-ms.date: 06/23/2025
+ms.date: 06/30/2025
 ms.custom: references_regions, engagement-fy23
 author: jyothisuri
 ms.author: jsuri
@@ -83,6 +83,23 @@ For more information about backup and restore with Cross Region Restore, see the
 - [Cross Region Restore for SAP HANA databases](sap-hana-db-restore.md#cross-region-restore)
 - [Cross Region Restore for MARS (Preview)](about-restore-microsoft-azure-recovery-services.md#cross-region-restore)
 
+## Set Cross Subscription Restore
+
+Cross Subscription Restore allows you to restore data to a different subscription within the same tenant as the source subscription (as per the Azure RBAC capabilities) from restore points. 
+
+>[!Note]
+>Cross Subscription Restore is currently supported for Azure VM, SQL Server in Azure VM, SAP ASE and SAP HANA in Azure VM, and Azure Files.
+
+To configure Cross Subscription Restore for the vault, follow these steps:
+
+1. In the Azure portal, go to your **Recovery Services vault**.
+1. On the **Recovery Services vault** pane, select **Settings** > **Properties**.
+1. On the **Properties** pane, under **Cross Subscription Restore**, select **Update**.
+
+   :::image type="content" source="./media/backup-create-rs-vault/configure-cross-region-restore.png" alt-text="Screenshot shows how to enable Cross subscription restore for a vault." lightbox="./media/backup-create-rs-vault/configure-cross-region-restore.png" :::
+
+1. On the **Cross Subscription Restore** pane, select **Enable Cross Subscription Restore** > **Update**.
+
 ## Set encryption settings
 
 By default, the data in the Recovery Services vault is encrypted through platform-managed keys. You don't need to take any explicit actions to enable this encryption. It applies to all workloads that are backed up to your Recovery Services vault. 
@@ -136,7 +153,7 @@ If you need to keep the current protected data in the GRS vault and continue the
 
 - For an Azure VM, you can [stop protection with retained data](backup-azure-manage-vms.md#stop-protecting-a-vm) for the VM in the GRS vault, move the VM to another resource group, and then help protect the VM in the LRS vault. For information about moving a VM to another resource group, see the [guidance and limitations](../azure-resource-manager/management/move-limitations/virtual-machines-move-limitations.md).
 
-  You can add a VM to only one vault at a time. However, the VM in the new resource group can be added to the LRS vault because it's considered a different VM. Be aware that:
+  You can add a VM to only one vault at a time. However, the VM in the new resource group can be added to the LRS vault because it's considered as a different VM. Be aware that:
 
   - The Azure Backup service will retain the recovery points that have been backed up on the GRS vault.
   - You'll need to pay to keep the recovery points in the GRS vault. See [Azure Backup pricing](azure-backup-pricing.md) for details.

articles/backup/media/backup-create-rs-vault/configure-cross-region-restore.png

@@ -22,7 +22,7 @@ Use the following tables to find all the relevant information on number availabi
 | Number Type | Send SMS             | Receive SMS          | Make Calls           | Receive Calls          |
 | :---------- | :------------------- | :------------------- | :------------------- | :--------------------- |
 | Toll-Free   |General Availability  | General Availability | General Availability | General Availability\* |
-| Local       | Public Preview       | Public Preview       | General Availability | General Availability\* |
+| Local       | General Availability (via 10DLC)      | General Availability (via 10DLC)     | General Availability | General Availability\* |
 | Short code       |General Availability                    |General Availability                    | - | - |
 
 \* Please refer to [Inbound calling capabilities page](../telephony/inbound-calling-capabilities.md) for details.

articles/communication-services/concepts/numbers/phone-number-management-for-united-states.md

@@ -8,15 +8,15 @@ ms.custom:
   - devx-track-azurecli
   - build-2025
 ms.topic: tutorial
-ms.date: 05/19/2025
+ms.date: 06/25/2025
 ms.author: cshoe
 ---
 
 # Tutorial: Enable Azure Container Apps on Azure Arc-enabled Kubernetes
 
 With [Azure Arc-enabled Kubernetes clusters](/azure/azure-arc/kubernetes/overview), you can create a [Container Apps enabled custom location](azure-arc-create-container-app.md) in your on-premises or cloud Kubernetes cluster to deploy your Azure Container Apps applications as you would any other region.
 
-This tutorial will show you how to enable Azure Container Apps on your Arc-enabled Kubernetes cluster.  In this tutorial you will:
+This tutorial shows how to enable Azure Container Apps on an Azure Arc–enabled Kubernetes cluster. In this tutorial, you:
 
 > [!div class="checklist"]
 > * Create a connected cluster.
@@ -28,6 +28,8 @@ This tutorial will show you how to enable Azure Container Apps on your Arc-enabl
 
 ## Prerequisites
 
+Before you begin, make sure you have the following prerequisites in place:
+
 - An Azure account with an active subscription.
   - If you don't have one, you [can create one for free](https://azure.microsoft.com/free/).
 - Install the [Azure CLI](/cli/azure/install-azure-cli).
@@ -103,7 +105,9 @@ $LOCATION="eastus"
 
 ## Create a connected cluster
 
-The following steps help you get started understanding the service, but for production deployments, they should be viewed as illustrative, not prescriptive. See [Quickstart: Connect an existing Kubernetes cluster to Azure Arc](/azure/azure-arc/kubernetes/quickstart-connect-cluster) for general instructions on creating an Azure Arc-enabled Kubernetes cluster.
+ These instructions are meant for evaluation and learning purposes. For production deployments, refer to [Quickstart: Connect an existing Kubernetes cluster to Azure Arc](/azure/azure-arc/kubernetes/quickstart-connect-cluster) for general instructions on creating an Azure Arc-enabled Kubernetes cluster. 
+ 
+ To get started with service, follow these steps to create an Azure Kubernetes Service (AKS) cluster and connect it to Azure Arc:
 
 1. Create a cluster in Azure Kubernetes Service.
 
@@ -183,7 +187,7 @@ The following steps help you get started understanding the service, but for prod
 
 ## Create a Log Analytics workspace
 
-A [Log Analytics workspace](/azure/azure-monitor/logs/quick-create-workspace) provides access to logs for Container Apps applications running in the Azure Arc-enabled Kubernetes cluster.  A Log Analytics workspace is optional, but recommended.
+A [Log Analytics workspace](/azure/azure-monitor/logs/quick-create-workspace) provides access to logs for Container Apps applications running in the Azure Arc-enabled Kubernetes cluster. A Log Analytics workspace is optional, but recommended.
 
 1. Create a Log Analytics workspace.
 
@@ -250,9 +254,9 @@ A [Log Analytics workspace](/azure/azure-monitor/logs/quick-create-workspace) pr
 ## Install the Container Apps extension
 
 > [!IMPORTANT]
-> If deploying onto **AKS on Azure Local** ensure that you have [setup HAProxy or a custom load balancer](/azure/aks/aksarc/configure-load-balancer) before attempting to install the extension. You could also use `az containerapp arc setup-core-dns --distro AksAzureLocal` to set up coredns for local contexts.
+> If deploying onto **AKS on Azure Local**, ensure that you have [setup HAProxy or a custom load balancer](/azure/aks/aksarc/configure-load-balancer) before attempting to install the extension. You could also use `az containerapp arc setup-core-dns --distro AksAzureLocal` to set up core dns for local contexts.
 
-1. Set the following environment variables to the desired name of the [Container Apps extension](azure-arc-create-container-app.md), the cluster namespace in which resources should be provisioned, and the name for the Azure Container Apps connected environment. Choose a unique name for `<connected-environment-name>`.  The connected environment name will be part of the domain name for app you'll create in the Azure Container Apps connected environment.
+1. Set the following environment variables to the desired name of the [Container Apps extension](azure-arc-create-container-app.md), the cluster namespace in which resources should be provisioned, and the name for the Azure Container Apps connected environment. Choose a unique name for `<connected-environment-name>`. The connected environment name is part of the domain name for app you create in the Azure Container Apps connected environment.
 
     # [Azure CLI](#tab/azure-cli)
 
@@ -326,9 +330,9 @@ A [Log Analytics workspace](/azure/azure-monitor/logs/quick-create-workspace) pr
 
     | Parameter | Description |
     |---|---|
-    | `Microsoft.CustomLocation.ServiceAccount` | The service account created for the custom location. It's recommended that it 's set to the value `default`. |
+    | `Microsoft.CustomLocation.ServiceAccount` | The service account created for the custom location. Set the value to `default`. |
     | `appsNamespace` | The namespace used to create the app definitions and revisions. It **must** match that of the extension release namespace. |
-    | `clusterName` | The name of the Container Apps extension Kubernetes environment that will be created against this extension. |
+    | `clusterName` | The name of the Container Apps extension Kubernetes environment created against this extension. |
     | `logProcessor.appLogs.destination` | Optional. Destination for application logs. Accepts `log-analytics` or `none`, choosing none disables platform logs. |
     | `logProcessor.appLogs.logAnalyticsConfig.customerId` | Required only when `logProcessor.appLogs.destination` is set to `log-analytics`. The base64-encoded Log analytics workspace ID. This parameter should be configured as a protected setting. |
     | `logProcessor.appLogs.logAnalyticsConfig.sharedKey` | Required only when `logProcessor.appLogs.destination` is set to `log-analytics`. The base64-encoded Log analytics workspace shared key. This parameter should be configured as a protected setting. |
@@ -367,7 +371,7 @@ A [Log Analytics workspace](/azure/azure-monitor/logs/quick-create-workspace) pr
     az resource wait --ids $EXTENSION_ID --custom "properties.provisioningState!='Pending'" --api-version "2020-07-01-preview"
     ```
 
-You can use `kubectl` to see the pods that have been created in your Kubernetes cluster:
+Use `kubectl` to view the pods running in your Kubernetes cluster:
 
 ```bash
 kubectl get pods -n $NAMESPACE
@@ -424,7 +428,7 @@ The [custom location](/azure/azure-arc/kubernetes/custom-locations) is an Azure
     ---
 
     > [!NOTE]
-    > If you experience issues creating a custom location on your cluster, you may need to [enable the custom location feature on your cluster](/azure/azure-arc/kubernetes/custom-locations#enable-custom-locations-on-your-cluster).  This is required if logged into the CLI using a Service Principal or if you are logged in with a Microsoft Entra user with restricted permissions on the cluster resource.
+    > If you experience issues creating a custom location on your cluster, you may need to [enable the custom location feature on your cluster](/azure/azure-arc/kubernetes/custom-locations#enable-custom-locations-on-your-cluster). Enable this feature when logged into the CLI using a Service Principal or a Microsoft Entra user with restricted permissions on the cluster resource.
     >
 
 1. Validate that the custom location is successfully created with the following command. The output should show the `provisioningState` property as `Succeeded`. If not, rerun the command after a minute.

articles/container-apps/azure-arc-enable-cluster.md

@@ -5,7 +5,7 @@ services: container-apps
 author: craigshoemaker
 ms.service: azure-container-apps
 ms.topic: how-to
-ms.date: 06/13/2024
+ms.date: 06/30/2025
 ms.author: cshoe
 ---
 
@@ -17,7 +17,7 @@ When client certificates are used, the TLS certificates are exchanged between th
 
 For example, you might want to require a client certificate for a container app that manages sensitive data.
 
-Container Apps accepts client certificates in the PKCS12 format are that issued by a trusted certificate authority (CA), or are self-signed.
+Container Apps accepts client certificates in the PKCS12 format when a trusted certificate authority (CA) issues them or when they're self-signed.
 
 ## Configure client certificate authorization
 
@@ -34,7 +34,7 @@ Ingress passes the client certificate to the container app if `require` or `acce
 The following ARM template example configures ingress to require a client certificate for all requests to the container app.
 
 ```json
-{ 
+{
   "properties": {
     "configuration": {
       "ingress": {
@@ -44,6 +44,63 @@ The following ARM template example configures ingress to require a client certif
   }
 }
 ```
+> [!NOTE]
+> You can set the `clientCertificateMode` directly on the ingress property. It isn't available as an explicit option in the CLI, but you can patch your app using the Azure CLI.
+
+Before you run the following commands, make sure to replace the placeholders surrounded by `<>` with your own values.
+
+Get the Azure Resource Manager (ARM) ID of your container app:
+
+```bash
+APP_ID=$(az containerapp show \
+  --name <APP_NAME> \
+  --resource-group <RESOURCE_GROUP> \
+  --query id \
+  --output tsv)
+```
+
+Patch the `clientCertificateMode` property on the app:
+
+```azurecli
+az rest \
+  --method patch \
+  --url "https://management.azure.com/$APP_ID?api-version=<API_VERSION>" \
+  --body '{
+    "properties": {
+      "configuration": {
+        "ingress": {
+          "clientCertificateMode": "require"
+        }
+      }
+    }
+  }'
+```
+
+> [!NOTE]
+> Be sure to use a valid and stable API version that supports this feature. For example, replace <API_VERSION> in the command with 2025-01-01 or another supported version.
+
+## Client certificate mode and header format
+
+The value for `clientCertificateMode` varies what you need to provide for Container Apps to manage your certificate:
+- When `require` is set, the client must provide a certificate.
+- When `accept` is set, the certificate is optional. If the client provides a certificate, it passes to the app in the `X-Forwarded-Client-Cert` header, as a semicolon-separated list. 
+
+### Example `X-Forwarded-Client-Cert` header value
+
+The following example is a sample value of the `X-Forwarded-Client-Cert` header that your app might receive:
+
+```text
+Hash=<HASH_VALUE>;Cert="-----BEGIN CERTIFICATE-----<CERTIFICATE_VALUE>";Chain="-----BEGIN CERTIFICATE-----<CERTIFICATE_VALUE>";
+```
+
+### Header field breakdown
+
+| Field   | Description                                                                | How to Use It                                                  |
+|---|---|---|
+| `Hash`  | The SHA-256 thumbprint of the client certificate.                         | Use the thumbprint to identify or validate the client certificate.              |
+| `Cert`  | The base64-encoded client certificate in PEM format (single certificate). | Parse the certificate to inspect metadata such as subject and issuer. |
+| `Chain` | One or more PEM-encoded intermediate certificates.                        | Provide the intermediate certificates when building a full trust chain for validation. |
+
 
 ## Next Steps