Merge branch 'main' into 330777

Author: ktoliver

.openpublishing.redirection.json

@@ -3714,6 +3714,21 @@
       "source_path_from_root": "/articles/reliability/resiliency-recommendations/recommend-cosmos-db-nosql.md",
       "redirect_url": "/azure/reliability/reliability-cosmos-db-nosql",
       "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/virtual-network/tutorial-create-route-table-portal.md",
+      "redirect_url": "/azure/virtual-network/tutorial-create-route-table",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/virtual-network/tutorial-create-route-table-powershell.md",
+      "redirect_url": "/azure/virtual-network/tutorial-create-route-table",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/virtual-network/tutorial-create-route-table-cli.md",
+      "redirect_url": "/azure/virtual-network/tutorial-create-route-table",
+      "redirect_document_id": false
     }
   ]
 }

articles/active-directory-b2c/age-gating.md

@@ -25,7 +25,7 @@ Age gating in Azure Active Directory B2C (Azure AD B2C) enables you to identify
 >This feature is in public preview. Do not use feature for production applications.
 >
 
-When age gating is enabled for a user flow, users are asked for their date of birth, and country of residence. If a user signs in that hasn't previously entered the information, they'll need to enter it the next time they sign in. The rules are applied every time a user signs in.
+When age gating is enabled for a user flow, users are asked for their date of birth, and country/region of residence. If a user signs in that hasn't previously entered the information, they'll need to enter it the next time they sign in. The rules are applied every time a user signs in.
 
 ![Screenshot of age gating information gather flow](./media/age-gating/age-gating-information-gathering.png)
 
@@ -69,7 +69,7 @@ After your tenant is set up to use age gating, you can then use this feature in
 1. To test your policy, select **Run user flow**.
 1. For **Application**, select the web application named *testapp1* that you previously registered. The **Reply URL** should show `https://jwt.ms`.
 1. Select the **Run user flow** button.
-1. Sign-in with a local or social account. Then select your country of residence, and date of birth that simulate a minor. 
+1. Sign-in with a local or social account. Then select your country/region of residence, and date of birth that simulate a minor. 
 1. Repeat the test, and select a date of birth that simulates an adult.  
 
 When you sign-in as a minor, you should see the following error message: *Unfortunately, your sign on has been blocked. Privacy and online safety laws in your country prevent access to accounts belonging to children.*

articles/active-directory-b2c/localization-string-ids.md

@@ -318,7 +318,7 @@ The Following are the IDs for a content definition with an ID of `api.phonefacto
 | `error_phone_throttled` | You hit the limit on the number of call attempts. Try again shortly. | `>= 1.2.3` |
 | `error_throttled` | You hit the limit on the number of verification attempts. Try again shortly. | `>= 1.2.3` |
 | `error_incorrect_code` | The verification code you have entered does not match our records. Please try again, or request a new code. | `All` |
-| `countryList` | See [the countries list](#phone-factor-authentication-page-example). | `All` |
+| `countryList` | See [the countries/regions list](#phone-factor-authentication-page-example). | `All` |
 | `error_448` | The phone number you provided is unreachable. | `All` |
 | `error_449` | User has exceeded the number of retry attempts. | `All` |
 | `verification_code_input_placeholder_text` | Verification code | `All` |

articles/active-directory-b2c/openid-connect.md

@@ -59,7 +59,7 @@ client_id=00001111-aaaa-2222-bbbb-3333cccc4444
 | {tenant} | Yes | Name of your [Azure AD B2C tenant]( tenant-management-read-tenant-name.md#get-your-tenant-name). If you're using a [custom domain](custom-domain.md), replace `tenant.b2clogin.com` with your domain, such as `fabrikam.com`.  |
 | {policy} | Yes | The user flow or policy that the app runs. Specify the name of a user flow that you create in your Azure AD B2C tenant. For example: `b2c_1_sign_in`, `b2c_1_sign_up`, or `b2c_1_edit_profile`. |
 | client_id | Yes | The application ID that the [Azure portal](https://portal.azure.com/) assigned to your application. |
-| nonce | Yes | A value included in the request (generated by the application) that is included in the resulting ID token as a claim. The application can then verify this value to mitigate token replay attacks. The value is typically a randomized unique string that can be used to identify the origin of the request. |
+| nonce | Recommended | A value included in the request (generated by the application) that is included in the resulting ID token as a claim. The application can then verify this value to mitigate token replay attacks. The value is typically a randomized unique string that can be used to identify the origin of the request. |
 | response_type | Yes | Must include an ID token for OpenID Connect. If your web application also needs tokens for calling a web API, you can use `code+id_token`.|
 | scope | Yes | A space-separated list of scopes. The `openid` scope indicates a permission to sign in the user and get data about the user in the form of ID tokens. The `offline_access` scope is optional for web applications. It indicates that your application need a *refresh token* for extended access to resources. The `https://{tenant-name}/{app-id-uri}/{scope}` indicates a permission to protected resources, such as a web API. For more information, see [Request an access token](access-tokens.md#scopes). |
 | prompt | No | The type of user interaction that you require. The only valid value at this time is `login`, which forces the user to enter their credentials on that request. |

articles/active-directory-b2c/partner-web-application-firewall.md

@@ -7,7 +7,7 @@ manager: martinco
 ms.reviewer: kengaderdus
 ms.service: azure-active-directory
 ms.topic: how-to
-ms.date: 01/26/2024
+ms.date: 10/29/2024
 ms.author: gasinh
 ms.subservice: b2c
 
@@ -17,12 +17,9 @@ ms.subservice: b2c
 
 # Tutorial: Configure Azure Active Directory B2C with Azure Web Application Firewall
 
-Learn how to enable the Azure Web Application Firewall (WAF) service for an Azure Active Directory B2C (Azure AD B2C) tenant, with a custom domain. WAF protects web applications from common exploits and vulnerabilities.
+Learn how to enable the Azure Web Application Firewall (WAF) service for an Azure Active Directory B2C (Azure AD B2C) tenant with a custom domain. WAF protects web applications from common exploits and vulnerabilities such as cross-site scripting, DDoS attacks, and malicious bot activity.
 
->[!NOTE]
->This feature is in public preview. 
-
-See, [What is Azure Web Application Firewall?](../web-application-firewall/overview.md)
+See [What is Azure Web Application Firewall?](../web-application-firewall/overview.md)
 
 ## Prerequisites
 
@@ -32,77 +29,122 @@ To get started, you need:
 * If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/)
 * **An Azure AD B2C tenant** – authorization server that verifies user credentials using custom policies defined in the tenant
   * Also known as the identity provider (IdP)
-  * See, [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md) 
-* **Azure Front Door (AFD)** – enables custom domains for the Azure AD B2C tenant
-  * See, [Azure Front Door and CDN documentation](../frontdoor/index.yml)
+  * See [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md) 
+* **Azure Front Door premium** – enables custom domains for the Azure AD B2C tenant and is security optimized with access to WAF managed rulesets
+  * See [Azure Front Door and CDN documentation](../frontdoor/index.yml)
 * **WAF** – manages traffic sent to the authorization server
-  * [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/#overview)
+  * [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/#overview) (requires Premium SKU)
 
 ## Custom domains in Azure AD B2C
 
-To use custom domains in Azure AD B2C, use the custom domain features in AFD. See, [Enable custom domains for Azure AD B2C](./custom-domain.md?pivots=b2c-user-flow).  
+To use custom domains in Azure AD B2C, use the custom domain features in Azure Front Door. See [Enable custom domains for Azure AD B2C](./custom-domain.md?pivots=b2c-user-flow).
 
-   > [!IMPORTANT]
-   > After you configure the custom domain, see [Test your custom domain](./custom-domain.md?pivots=b2c-custom-policy#test-your-custom-domain).  
+> [!IMPORTANT]
+> After you configure the custom domain, see [Test your custom domain](./custom-domain.md?pivots=b2c-custom-policy#test-your-custom-domain).
 
 ## Enable WAF
 
-To enable WAF, configure a WAF policy and associate it with the AFD for protection.
+To enable WAF, configure a WAF policy and associate it with your Azure Front Door premium for protection. Azure Front Door premium comes optimized for security and gives you access to rulesets managed by Azure that protect against common vulnerabilities and exploits including cross site scripting and Java exploits. The WAF provides rulesets that help protect you against malicious bot activity. The WAF offers you layer 7 DDoS protection for your application.
 
 ### Create a WAF policy
 
-Create a WAF policy with Azure-managed default rule set (DRS). See, [Web Application Firewall DRS rule groups and rules](../web-application-firewall/afds/waf-front-door-drs.md).
+Create a WAF policy with Azure-managed default rule set (DRS). See [Web Application Firewall DRS rule groups and rules](../web-application-firewall/afds/waf-front-door-drs.md).
 
 1. Sign in to the [Azure portal](https://portal.azure.com).
-2. Select **Create a resource**.
-3. Search for Azure WAF. 
-4. Select **Azure Web Application Firewall (WAF)**.
-5. Select **Create**.
-6. Go to the **Create a WAF policy** page.
-7. Select the **Basics** tab. 
-8. For **Policy for**, select **Global WAF (Front Door)**.
-9. For **Front Door SKU**, select between **Basic**, **Standard**, or **Premium** SKU.
-10. For **Subscription**, select your Front Door subscription name.
-11. For **Resource group**, select your Front Door resource group name.
-12. For **Policy name**, enter a unique name for your WAF policy.
-13. For **Policy state**, select **Enabled**.
-14. For **Policy mode**, select **Detection**.
-15. Select **Review + create**.
-16. Go to the **Association** tab of the Create a WAF policy page.
-17. Select **+ Associate a Front Door profile**.
-18. For **Front Door**, select your Front Door name associated with Azure AD B2C custom domain.
-19. For **Domains**, select the Azure AD B2C custom domains to associate the WAF policy to.
-20. Select **Add**.
-21. Select **Review + create**.
-22. Select **Create**.
+1. Select **Create a resource**.
+1. Search for Azure WAF. 
+1. Select the **Azure Service Web Application Firewall (WAF) from Microsoft**.
+1. Select **Create**.
+1. Go to the **Create a WAF policy** page.
+1. Select the **Basics** tab. 
+1. For **Policy for**, select **Global WAF (Front Door)**.
+1. For **Front Door SKU**, select the **Premium** SKU.
+1. For **Subscription**, select your Front Door subscription name.
+1. For **Resource group**, select your Front Door resource group name.
+1. For **Policy name**, enter a unique name for your WAF policy.
+1. For **Policy state**, select **Enabled**.
+1. For **Policy mode**, select **Detection**.
+1. Go to the **Association** tab of the Create a WAF policy page.
+1. Select **+ Associate a Front Door profile**.
+1. For **Front Door**, select your Front Door name associated with Azure AD B2C custom domain.
+1. For **Domains**, select the Azure AD B2C custom domains to associate the WAF policy to.
+1. Select **Add**.
+1. Select **Review + create**.
+1. Select **Create**.
+
+### Default Ruleset
+
+When you create a new WAF policy for Azure Front Door, it automatically deploys with the latest version of Azure-managed default ruleset (DRS). This ruleset protects web applications from common vulnerabilities and exploits. Azure-managed rule sets provide an easy way to deploy protection against a common set of security threats. Because Azure manages these rule sets, the rules are updated as needed to protect against new attack signatures. The DRS includes the Microsoft Threat Intelligence Collection rules that are written in partnership with the Microsoft Intelligence team to provide increased coverage, patches for specific vulnerabilities, and better false positive reduction.
+
+Learn more: [Azure Web Application Firewall DRS rule groups and rules](../web-application-firewall/afds/waf-front-door-drs.md#default-rule-sets)
+
+### Bot Manager Ruleset
+
+By default, the Azure Front Door WAF deploys with the latest version of Azure-managed Bot Manager ruleset. This ruleset categorizes bot traffic into good, bad, and unknown bots. The bot signatures behind this ruleset are managed by the WAF platform and are updated dynamically.
+
+Learn more: [What is Azure Web Application Firewall on Azure Front Door?](../web-application-firewall/afds/afds-overview.md#bot-protection-rule-set)
+
+### Rate Limiting
+
+Rate limiting enables you to detect and block abnormally high levels of traffic from any socket IP address. By using Azure WAF in Azure Front Door, you can mitigate some types of denial-of-service attacks. Rate limiting protects you against clients that were accidentally misconfigured to send large volumes of requests in a short time period. Rate limiting must be configured manually on the WAF using custom rules.
+
+Learn more:
+- [Web application firewall rate limiting for Azure Front Door](../web-application-firewall/afds/waf-front-door-rate-limit.md)
+- [Configure a WAF rate-limit rule for Azure Front Door](../web-application-firewall/afds/waf-front-door-rate-limit-configure.md)
 
 ### Detection and Prevention modes
 
-When you create WAF policy, the policy is in Detection mode. We recommend you don't disable Detection mode. In this mode, WAF doesn't block requests. Instead, requests that match the WAF rules are logged in the WAF logs. 
+When you create a WAF policy, the policy starts in **Detection mode**. We recommend you leave the WAF policy in **Detection mode** while you tune the WAF for your traffic. In this mode, WAF doesn't block requests. Instead, requests that match the WAF rules are logged by the WAF once logging is enabled.
+
+Enable logging: [Azure Web Application Firewall monitoring and logging](../web-application-firewall/afds/waf-front-door-monitor.md#logs-and-diagnostics)
 
-Learn more: [Azure Web Application Firewall monitoring and logging](../web-application-firewall/afds/waf-front-door-monitor.md)
+Once logging is enabled, and your WAF starts receiving request traffic, you can begin tuning your WAF by looking through your logs.
+
+Learn more: [Tune Azure Web Application Firewall for Azure Front Door](../web-application-firewall/afds/waf-front-door-tuning.md)
 
 The following query shows the requests blocked by the WAF policy in the past 24 hours. The details include, rule name, request data, action taken by the policy, and the policy mode.
-   
-   ![Screenshot of blocked requests.](./media/partner-web-application-firewall/blocked-requests-query.png)
 
-   ![Screenshot of blocked requests details, such as Rule ID, Action, Mode, etc.](./media/partner-web-application-firewall/blocked-requests-details.png)
+```json
+AzureDiagnostics
+| where TimeGenerated >= ago(24h)
+| where Category == "FrontdoorWebApplicationFirewallLog"
+| where action_s == "Block"
+| project RuleID=ruleName_s, DetailMsg=details_msg_s, Action=action_s, Mode=policyMode_s, DetailData=details_data_s
+```
+
+|RuleID|DetailMsg|Action|Mode|DetailData|
+|---|---|---|---|---|
+|DefaultRuleSet-1.0-SQLI-942430|Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)|Block|detection|Matched Data: CfDJ8KQ8bY6D|
 
 Review the WAF logs to determine if policy rules cause false positives. Then, exclude the WAF rules based on the WAF logs.
 
-Learn more: [Define exclusion rules based on Web Application Firewall logs](../web-application-firewall/afds/waf-front-door-exclusion.md#define-exclusion-based-on-web-application-firewall-logs)
+Learn more
+- [Configure WAF exclusion lists for Azure Front Door](../web-application-firewall/afds/waf-front-door-exclusion-configure.md)
+- [Web application firewall exclusion lists in Azure Front Door](../web-application-firewall/afds/waf-front-door-exclusion.md)
+ 
+Once logging is set up and your WAF is receiving traffic, you can assess the effectiveness of your bot manager rules in handling bot traffic. The following query shows the actions taken by your bot manager ruleset, categorized by bot type. While in **Detection mode**, the WAF logs bot traffic actions only. However, once switched to prevention mode, the WAF begins actively blocking unwanted bot traffic.
+
+```json
+AzureDiagnostics
+| where Category == "FrontDoorWebApplicationFirewallLog"
+| where action_s in ("Log", "Allow", "Block", "JSChallenge", "Redirect") and ruleName_s contains "BotManager"
+| extend RuleGroup = extract("Microsoft_BotManagerRuleSet-[\\d\\.]+-(.*?)-Bot\\d+", 1, ruleName_s)
+| extend RuleGroupAction = strcat(RuleGroup, " - ", action_s)
+| summarize Hits = count() by RuleGroupAction, bin(TimeGenerated, 30m)
+| project TimeGenerated, RuleGroupAction, Hits
+| render columnchart kind=stacked
+```
 
 #### Switching modes
 
-To see WAF operating, select **Switch to prevention mode**, which changes the mode from Detection to Prevention. Requests that match the rules in the DRS are blocked and logged in the WAF logs.
-
-  ![Screenshot of options and selections for DefaultRuleSet under Web Application Firewall policies.](./media/partner-web-application-firewall/switch-to-prevention-mode.png)
+To see WAF take action on request traffic, select **Switch to prevention mode** from the Overview page, which changes the mode from Detection to Prevention. Requests that match the rules in the DRS are blocked and logged in the WAF logs. The WAF takes the prescribed action when a request matches one, or more, rules in the DRS and logs the results. By default, the DRS is set to anomaly scoring mode; this means that the WAF doesn't take any action on a request unless the anomaly score threshold is met.
 
-To revert to Detection mode, select **Switch to detection mode**.
+Learn more: Anomaly scoring [Azure Web Application Firewall DRS rule groups and rules](../web-application-firewall/afds/waf-front-door-drs.md#anomaly-scoring-mode)
 
-  ![Screenshot of DefaultRuleSet with Switch to detection mode.](./media/partner-web-application-firewall/switch-to-detection-mode.png)
+To revert to **Detection mode**, select **Switch to detection mode** from the Overview page.
 
 ## Next steps
 
-* [Azure Web Application Firewall monitoring and logging](../web-application-firewall/afds/waf-front-door-monitor.md)
-* [Web Application Firewall (WAF) with Front Door exclusion lists](../web-application-firewall/afds/waf-front-door-exclusion.md)
+- [Best practices for Azure Web Application Firewall in Azure Front Door](../web-application-firewall/afds/waf-front-door-best-practices.md)
+- [Manage Web Application Firewall policies](../firewall-manager/manage-web-application-firewall-policies.md)
+- [Tune Azure Web Application Firewall for Azure Front Door](../web-application-firewall/afds/waf-front-door-tuning.md)