Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into azure-functions-triggers-and-bindings

Author: ShawnJackson

.openpublishing.redirection.json

@@ -10,7 +10,7 @@ ms.custom:
   - devdivchpfy22
   - build-2025
 ms.topic: tutorial
-ms.date: 05/14/2025
+ms.date: 07/09/2025
 ms.author: danlep
 ---
 # Tutorial: Monitor published APIs

articles/api-management/api-management-howto-use-azure-monitor.md

@@ -54,6 +54,8 @@ If you want to enable *public* inbound access to an API Management instance in t
 * Minimum: /27 (32 addresses)
 * Recommended: /24 (256 addresses) - to accommodate scaling of API Management instance
 
+### Network security group
+
 [!INCLUDE [api-management-virtual-network-v2-nsg-rules](../../includes/api-management-virtual-network-v2-nsg-rules.md)]
 
 ### Subnet delegation

articles/api-management/inject-vnet-v2.md

@@ -46,8 +46,14 @@ If you want to inject a Premium v2 (preview) API Management instance into a virt
 * Minimum: /27 (32 addresses)
 * Recommended: /24 (256 addresses) - to accommodate scaling of API Management instance
 
+### Network security group
+
 [!INCLUDE [api-management-virtual-network-v2-nsg-rules](../../includes/api-management-virtual-network-v2-nsg-rules.md)]
 
+> [!IMPORTANT]
+> * Inbound NSG rules do not apply when a v2 tier instance is integrated in a virtual network for private outbound access. To enforce inbound NSG rules, use virtual network injection instead of integration.
+> * This differs from networking in the classic Premium tier, where inbound NSG rules are enforced in both external and internal virtual network injection modes. [Learn more](virtual-network-injection-resources.md)
+
 ### Subnet delegation
 
 The subnet needs to be delegated to the **Microsoft.Web/serverFarms** service.

articles/api-management/integrate-vnet-outbound.md

@@ -1,7 +1,7 @@
 ---
 title: Monitor Azure API Management
 description: Learn how to monitor Azure API Management using Azure Monitor, including data collection, analysis, and alerting.
-ms.date: 05/14/2025
+ms.date: 07/09/2025
 ms.custom:
   - horz-monitor
   - build-2025
@@ -49,27 +49,31 @@ Azure API Management provides analytics for your APIs so that you can analyze th
 
 With API analytics, analyze the usage and performance of the APIs in your API Management instance across several dimensions, including:
 
-- Time
+- Timeline
 - Geography
 - APIs
 - API operations
 - Products
 - Subscriptions
 - Users
 - Requests
+- Language models (for large language model APIs)
 
 API analytics provides data on requests, including failed and unauthorized requests. Geography values are based on IP address mapping. There can be a delay in the availability of analytics data.
 
 #### Azure Monitor-based dashboard
 
 To use the Azure Monitor-based dashboard, you need a Log Analytics workspace as a data source for API Management gateway logs.
 
-If you need to configure one, the following are brief steps to send gateway logs to a Log Analytics workspace. For more information, see [Tutorial: Monitor published APIs](api-management-howto-use-azure-monitor.md#resource-logs). This procedure is a one-time setup.
+If you need to configure one, the following are brief steps to send gateway logs to a Log Analytics workspace. For more information, see [Enable diagnostic setting for Azure Monitor logs](#enable-diagnostic-setting-for-azure-monitor-logs), later in this article. This procedure is a one-time setup.
 
 1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.
 1. In the left-hand menu, under **Monitoring**, select **Diagnostic settings** > **+ Add diagnostic setting**.
 1. Enter a descriptive name for the diagnostic setting.
 1. In **Logs**, select **Logs related to ApiManagement Gateway**.
+    > [!TIP]
+    > To collect logs for large language model (LLM) APIs for display on the Azure Monitor-based dashboard, also select **Logs related to generative AI gateway**.
+
 1. In **Destination details**, select **Send to Log Analytics** and select a Log Analytics workspace in the same or a different subscription. If you need to create a workspace, see [Create a Log Analytics workspace](/azure/azure-monitor/logs/quick-create-workspace).
 1. Make sure **Resource specific** is selected as the destination table.
 1. Select **Save**.
@@ -111,7 +115,7 @@ This section shows you how to enable Azure Monitor logs for auditing and trouble
 |API Management gateway     |  Requests processed by the API Management gateway, including HTTP methods, protocols, request and response bodies, headers, timings, error details, and cache involvement.       | Adjust settings for all APIs, or override them for individual APIs.<br/><br/>In API Management instances configured with [workspaces](workspaces-overview.md), gateway logs can be collected individually for each workspace and aggregated for centralized access by the platform team.  |
 |WebSocket connections     | Events for [WebSocket API](websocket-api.md) connections, starting from the handshake until the connection is terminated.       |
 |Developer portal usage     |  Requests that are received and processed by the API Management [developer portal](developer-portal-overview.md), including user authentication actions, views of API details, and API testing in the interactive test console.|
-| Generative AI gateway | Requests processed by the API Management gateway for large language model (LLM) REST APIs such as Azure OpenAI APIs, including token usage, models, and optionally details of request prompts and response completions. | Enable logging of request messages and/or response messages for specific LLM APIs.
+| Generative AI gateway | Requests processed by the API Management gateway for large language model (LLM) REST APIs such as Azure AI Foundry APIs, including token usage, models, and optionally details of request prompts and response completions. | Enable logging of request messages and/or response messages for specific LLM APIs.
 
 For more information, see [API Management monitoring data reference](monitor-api-management-reference.md).
 

articles/api-management/monitor-api-management.md

@@ -5,7 +5,7 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: concept-article
-ms.date: 06/18/2025
+ms.date: 07/08/2025
 ms.author: danlep
 ---
 
@@ -45,7 +45,6 @@ For information about configuring subnet delegation, see [Add or remove a subnet
 
 #### [Virtual network integration](#tab/external)
 
-
 For virtual network integration, the subnet needs to be delegated to the **Microsoft.Web/serverFarms** service.
 
 :::image type="content" source="media/virtual-network-injection-workspaces-resources/delegate-external.png" alt-text="Screenshot showing subnet delegation to Microsoft.Web/serverFarms in the portal.":::
@@ -65,21 +64,20 @@ For virtual network injection, the subnet needs to be delegated to the **Microso
 
 ---
 
+## Network security group
 
-## Network security group (NSG) rules
+#### [Virtual network integration](#tab/external)
 
-A network security group (NSG) must be attached to the subnet to explicitly allow certain inbound or outbound connectivity. Configure the following rules in the NSG. Set the priority of these rules higher than that of the default rules.
+[!INCLUDE [api-management-virtual-network-v2-nsg-rules](../../includes/api-management-virtual-network-v2-nsg-rules.md)]
 
-Configure other NSG rules to meet your organization's network access requirements.
 
-#### [Virtual network integration](#tab/external)
+#### [Virtual network injection](#tab/internal)
 
-| Direction | Source  | Source port ranges | Destination | Destination port ranges | Protocol |  Action | Purpose | 
-|-------|--------------|----------|---------|------------|-----------|-----|--------|
-| Inbound | AzureLoadBalancer | * | Workspace gateway subnet range  | 80 | TCP | Allow | Allow internal health ping traffic |
-| Inbound | Internet | * | Workspace gateway subnet range  | 80,443 | TCP | Allow | Allow inbound traffic |
+A network security group (NSG) must be associated with the subnet. To set up a network security group, see [Create a network security group](../virtual-network/manage-network-security-group.md). 
 
-#### [Virtual network injection](#tab/internal)
+* Configure the following rules in the NSG. Set the priority of these rules higher than that of the default rules.
+* Configure other outbound rules you need for the gateway to reach your API backends. 
+* Configure other NSG rules to meet your organization’s network access requirements. For example, NSG rules can also be used to block outbound traffic to the internet and allow access only to resources in your virtual network. 
 
 | Direction | Source  | Source port ranges | Destination | Destination port ranges | Protocol |  Action | Purpose | 
 |-------|--------------|----------|---------|------------|-----------|-----|--------|
@@ -89,6 +87,10 @@ Configure other NSG rules to meet your organization's network access requirement
 
 ---
 
+> [!IMPORTANT]
+> * Inbound NSG rules do not apply when you integrate a workspace gateway in a virtual network for private outbound access. To enforce inbound NSG rules, use virtual network injection instead of integration.
+> * This differs from networking in the classic Premium tier, where inbound NSG rules are enforced in both external and internal virtual network injection modes. [Learn more](virtual-network-injection-resources.md)
+
 ## DNS settings for virtual network injection
 
 For virtual network injection, you have to manage your own DNS to enable inbound access to your workspace gateway. 

articles/api-management/virtual-network-workspaces-resources.md

@@ -265,7 +265,7 @@ The created app registration authenticates incoming requests for your Microsoft
 
 Your application code is often the best place to handle custom authorization logic. However, for common scenarios, the Microsoft identity platform provides built-in checks that you can use to limit access.
 
-This section shows how to enable built-in checks by using the [App Service authentication V2 API](./configure-authentication-api-version.md). Currently, the only way to configure these built-in checks is by using [Azure Resource Manager templates](/azure/templates/microsoft.web/sites/config-authsettingsv2) or the [REST API](/rest/api/appservice/web-apps/update-auth-settings-v2).
+This section shows how to enable built-in checks by using the [App Service authentication V2 API](./configure-authentication-api-version.md). Currently, the only way to configure these built-in checks is by using [Azure Resource Manager templates](/azure/templates/microsoft.web/sites/config-authsettingsv2) or the [REST API](/rest/api/appservice/web-apps/update-auth-settings-v-2).
 
 Within the API object, the Microsoft Entra identity provider configuration has a `validation` section that can include a `defaultAuthorizationPolicy` object, as shown in the following structure:
 

articles/app-service/configure-authentication-provider-aad.md

@@ -3,7 +3,7 @@ title: 'Invoke an App Service web app from Azure AI Foundry Agent Service'
 description: Learn how to integrate App Service with AI Foundry Agent Service and get started with agentic AI
 author: seligj95
 ms.author: jordanselig
-ms.date: 06/13/2025
+ms.date: 07/11/2025
 ms.update-cycle: 180-days
 ms.topic: article
 ms.custom:
@@ -95,7 +95,7 @@ For detailed guidance with screenshots and additional information, see [Add Open
 After setting up the AI Agent and adding the OpenAPI Specified Tool, you need to configure your App Service with the appropriate environment variables so the app knows which agent to connect to. The app already has a managed identity assigned that gives it access to the AI Agent Service. This managed identity is required for the app to reach the agent and is created with the azd template.
 
 1. From the Agents dashboard where you added the OpenAPI tool, note the **agent ID**. It's in the format `asst_<unique-identifier>`.
-1. Select **Overview** in the menu note the **project's connection string**. It's in the format `<region>.api.azureml.ms;<subscription-id>;<resource-group-name>;<project-name>`.
+1. Select **Overview** in the menu and note the **project's connection string**. It's in the format `<region>.api.azureml.ms;<subscription-id>;<resource-group-name>;<project-name>`.
 1. Navigate to your App Service in the Azure portal.
 1. Select **Environment variables** in the left menu.
 1. In the **App settings** tab, select **+ Add** and add the following setting:

articles/app-service/invoke-openapi-web-app-from-azure-ai-agent-service.md

@@ -12,7 +12,7 @@
   - name: Architecture best practices for Azure Application Gateway v2
     href: /azure/well-architected/service-guides/azure-application-gateway?toc=/azure/application-gateway/toc.json&bc=/azure/application-gateway/breadcrumb/toc.json
   - name: What is load balancing and content delivery?
-    href: /azure/networking/load-balancer-content-delivery/load-balancing-content-delivery-overview.md
+    href: /azure/networking/load-balancer-content-delivery/load-balancing-content-delivery-overview
   - name: Choose a load balancing solution
     href: /azure/architecture/guide/technology-choices/load-balancing-overview?toc=/azure/load-balancer/toc.json
   - name: Create Application Gateway - Portal

articles/application-gateway/toc.yml

@@ -30,7 +30,7 @@ Before you begin, you must have an Azure account with an active subscription. [C
 
 ## Review the template
 
-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/function-app-flex-managed-identities/).
+The template used in this quickstart is from [Azure Quickstart Templates](/samples/azure/azure-quickstart-templates/function-app-flex-managed-identities/).
 
 :::code language="json" source="~/quickstart-templates/quickstarts/microsoft.web/function-app-flex-managed-identities/azuredeploy.json":::