Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into js-ts-combine

Author: pauljewellmsft

articles/api-management/api-management-subscriptions.md

@@ -6,7 +6,7 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: conceptual
-ms.date: 08/02/2023
+ms.date: 09/03/2024
 ms.author: danlep
 ms.custom: engagement-fy23
 ---
@@ -133,7 +133,7 @@ After the subscription requirement is disabled, the selected API or APIs can be
 
 When API Management receives an API request from a client with a subscription key, it handles the request according to these rules: 
 
-1. Check if it's a valid key associated with an active subscription, either:
+1. Check first if it's a valid key associated with an active subscription, either:
 
     * A subscription scoped to the API
     * A subscription scoped to a product that's assigned to the API
@@ -142,13 +142,15 @@ When API Management receives an API request from a client with a subscription ke
 
     If a valid key for an active subscription at an appropriate scope is provided, access is allowed. Policies are applied depending on the configuration of the policy definition at that scope.
 
+1. If the key isn't valid but a product exists that includes the API but doesn't require a subscription (an *open* product), ignore the key and handle as an API request without a subscription key (see below). 
+
 1. Otherwise, access is denied (401 Access denied error).
 
 ### API request without a subscription key
 
 When API Management receives an API request from a client without a subscription key, it handles the request according to these rules: 
 
-1. Check first for the existence of a product that includes the API but doesn't require a subscription (an *open* product). If the open product exists, handle the request in the context of the APIs, policies, and access rules configured for the product. An API can be associated with at most one open product.
+1. Check first for the existence of a product that includes the API but doesn't require a subscription (an *open* product). If the open product exists, handle the request in the context of the APIs, policies, and access rules configured for the open product. An API can be associated with at most one open product.
 1. If an open product including the API isn't found, check whether the API requires a subscription. If a subscription isn't required, handle the request in the context of that API and operation.
 1. If no configured product or API is found, then access is denied (401 Access denied error).
 
@@ -160,16 +162,16 @@ The following table summarizes how the gateway handles API requests with or with
 |All products assigned to API require subscription  |API requires subscription  |API call with subscription key  |API call without subscription key  | Typical scenarios |
 |---------|---------|---------|---------|----|
 |✔️     | ✔️     | Access allowed:<br/><br/>• Product-scoped key<br/>• API-scoped key<br/>• All APIs-scoped key<br/>• Service-scoped key<br/><br/>Access denied:<br/><br/>• Other key not scoped to applicable product or API        | Access denied        | Protected API access using product-scoped or API-scoped subscription  |
-|✔️     |  ❌    | Access allowed:<br/><br/>• Product-scoped key<br/>• API-scoped key<br/>• All APIs-scoped key<br/>• Service-scoped key<br/><br/>Access denied:<br/><br/>• Other key not scoped to applicable product or API        |  Access allowed (API context)   | • Protected API access with product-scoped subscription<br/><br/>• Anonymous access to API. If anonymous access isn’t intended, configure API-level policies to enforce authentication and authorization. |
+|✔️     |  ❌    | Access allowed:<br/><br/>• Product-scoped key<br/>• API-scoped key<br/>• All APIs-scoped key<br/>• Service-scoped key<br/>• Other key not scoped to applicable product or API        |  Access allowed (API context)   | • Protected API access with product-scoped subscription<br/><br/>• Anonymous access to API. If anonymous access isn’t intended, configure API-level policies to enforce authentication and authorization. |
 |❌<sup>1</sup>     | ✔️    | Access allowed:<br/><br/>• Product-scoped key<br/>• API-scoped key<br/>• All APIs-scoped key<br/>• Service-scoped key<br/><br/>Access denied:<br/><br/>• Other key not scoped to applicable product or API        |    Access allowed (open product context)     | •	Protected API access with API-scoped subscription<br/><br/>•	Anonymous access to API. If anonymous access isn’t intended, configure with product policies to enforce authentication and authorization  |
-|❌<sup>1</sup>     |  ❌      | Access allowed:<br/><br/>• Product-scoped key<br/>• API-scoped key<br/>• All APIs-scoped key<br/>• Service-scoped key<br/><br/>Access denied:<br/><br/>• Other key not scoped to applicable product or API        | Access allowed (open product context)        | Anonymous access to API. If anonymous access isn’t intended, configure with product policies to enforce authentication and authorization  |
+|❌<sup>1</sup>     |  ❌      | Access allowed:<br/><br/>• Product-scoped key<br/>• API-scoped key<br/>• All APIs-scoped key<br/>• Service-scoped key<br/>• Other key not scoped to applicable product or API        | Access allowed (open product context)        | Anonymous access to API. If anonymous access isn’t intended, configure with product policies to enforce authentication and authorization  |
 
 <sup>1</sup> An open product exists that's associated with the API. 
 
 ### Considerations
 
 -	API access in a product context is the same, whether the product is published or not. Unpublishing the product hides it from the developer portal, but it doesn’t invalidate new or existing subscription keys.
--	Even if a product or API doesn't require a subscription, a valid key from an active subscription that enables access to the product or API can still be used.
+-   If an API doesn't require subscription authentication, any API request that includes a subscription key is treated the same as a request without a subscription key. The subscription key is ignored.
 -	API access "context" means the policies and access controls that are applied at a particular scope (for example, API or product).
 
 ## Next steps

articles/api-management/quickstart-terraform.md

@@ -82,6 +82,9 @@ In this article, you learn how to:
 
 [!INCLUDE [terraform-apply-plan.md](~/azure-dev-docs-pr/articles/terraform/includes/terraform-apply-plan.md)]
 
+> [!NOTE]
+> It can take 30 to 40 minutes to create and activate an API Management service.
+
 ## Verify the results
 
 #### [Azure CLI](#tab/azure-cli)

articles/application-gateway/application-gateway-secure-flag-session-affinity.md

@@ -0,0 +1,55 @@
+---
+title: Setting HTTPOnly or Secure flag for Session Affinity cookie
+titleSuffix: Azure Application Gateway
+description: Learn how to set HTTPOnly or Secure flag for Session Affinity cookie
+services: application-gateway
+author: jaesoni
+ms.service: azure-application-gateway
+ms.topic: how-to
+ms.date: 10/22/2024
+ms.author: jaysoni 
+---
+
+# Setting HTTPOnly or Secure flag for Session Affinity cookie
+In this guide you learn to create a Rewrite set for your Application Gateway and configure Secure and HttpOnly [ApplicationGatewayAffinity cookie](configuration-http-settings.md#cookie-based-affinity).
+
+
+## Prerequisites
+* You must have an Azure subscription. You can create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+* An existing Application Gateway resource configured with at least one Listener, Rule, Backend Setting and Backend Pool configuration. If you don't have one, you can create one by following the [QuickStart guide](quick-create-portal.md).
+
+## Creating a Rewrite set
+
+1. Sign in to the Azure portal.
+1. Navigate to the required Application Gateway resource.
+1. Select Rewrites in the left pane.
+1. Select Rewrite set.
+1. Under the Name and Association tab
+    1. Specify a name for this new rewrite set.
+    1. Select the routing rules for which you wish to rewrite the ApplicationGatewayAffinity cookie's flag.
+    1. Select Next.
+1. Select "Add rewrite rule"
+    1. Enter a name for the rewrite rule.
+    1. Enter a numeric value for Rule Sequence field.
+1. Select "Add condition"
+1. Now open the "If" condition box and use the following details.
+    1. Type of variable to check - HTTP header
+    1. Header type - Response header
+    1. Header name - Common header
+    1. Common header - Set-Cookie
+    1. Case-sensitive - No
+    1. Operator - equal (=)
+    1. Pattern to match - (.*)
+    1. To save these details, select **OK**.
+1. Go to the **Then** box to specify action details.
+    1. Rewrite type - Response header
+    1. Action type - Set
+    1. Header name - Common header
+    1. Common header - Set-Cookie
+    1. Header value - {http_resp_Set-Cookie_1}; HttpOnly; Secure
+    1. Select **OK**
+1. Select Update to save the rewrite set configurations.
+
+
+## Next steps
+[Visit other configurations of a Backend Setting](configuration-http-settings.md)