Merge pull request #288004 from MicrosoftDocs/main

Publish to live, Tuesday 4 AM PST, 10/8

Author: ttorble

articles/active-directory-b2c/identity-verification-proofing.md

@@ -5,7 +5,7 @@ description: Learn about our partners who integrate with Azure AD B2C to provide
 author: gargi-sinha
 manager: martinco
 ms.reviewer: kengaderdus
-ms.service: active-directory
+ms.service: azure-active-directory
 ms.topic: how-to
 ms.date: 01/26/2024
 ms.author: gasinh

articles/azure-cache-for-redis/cache-tutorial-aks-get-started.md

@@ -1,12 +1,8 @@
 ---
 title: 'Tutorial: Get started connecting an AKS application to a cache'
 description: In this tutorial, you learn how to connect your AKS-hosted application to an Azure Cache for Redis instance.
-
-
-
-
 ms.topic: tutorial
-ms.date: 08/15/2023
+ms.date: 10/01/2024
 #CustomerIntent: As a developer, I want to see how to use a Azure Cache for Redis instance with an AKS container so that I see how I can use my cache instance with a Kubernetes cluster.
 
 ---
@@ -19,6 +15,7 @@ In this tutorial, you adapt the [AKS sample voting application](https://github.c
 
 - An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
 - An Azure Kubernetes Service Cluster - For more information on creating a cluster, see [Quickstart: Deploy an Azure Kubernetes Service (AKS) cluster using the Azure portal](/azure/aks/learn/quick-kubernetes-deploy-portal).
+- A user assigned managed identity that you want to use to connect to your Azure Cache for Redis instance.
 
 > [!IMPORTANT]
 > This tutorial assumes that you are familiar with basic Kubernetes concepts like containers, pods and service.
@@ -30,17 +27,46 @@ In this tutorial, you adapt the [AKS sample voting application](https://github.c
     For this tutorial, use a Standard C1 cache.
     :::image type="content" source="media/cache-tutorial-aks-get-started/cache-new-instance.png" alt-text="Screenshot of creating a Standard C1 cache in the Azure portal":::
 
-1. On the **Advanced** tab, enable **Non-TLS port**.
-    :::image type="content" source="media/cache-tutorial-aks-get-started/cache-non-tls.png" alt-text="Screenshot of the Advanced tab with Non-TLS enabled during cache creation.":::
-
 1. Follow the steps through to create the cache.
 
-> [!IMPORTANT]
-> This tutorial uses a non-TLS port for demonstration, but we highly recommend that you use a TLS port for anything in production.
+1. Once your Redis cache instance is created, navigate to the **Authentication** tab. Select the user assigned managed identity you want to use to connect to your Redis cache instance, then select **Save**.
+
+1. Alternatively, you can navigate to Data Access Configuration on the Resource menu to create a new Redis user with your user assigned managed identity to connect to your cache.
+
+1. Take note of the user name for your Redis user from the portal. You use this user name with the AKS workload.
+
+## Run sample locally
+
+To run this sample locally, configure your user principal as a Redis User on your Redis instance. The code sample will use your user principal through (DefaultAzureCredential)[https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication/?tabs=command-line#use-defaultazurecredential-in-an-application] to connect to Redis instance. 
+
+## Configure your AKS cluster
 
-Creating the cache can take a few minutes. You can move to the next section while the process finishes.
+Follow these [steps](/azure/aks/workload-identity-deploy-cluster) to configure a workload identity for your AKS cluster. Complete the following steps:
 
-## Install and connect to your AKS cluster
+  - Enable OIDC issuer and workload identity
+  - Skip the step to create user assigned managed identity if you already created your managed identity. If you create a new managed identity, ensure that you create a new Redis User for your managed identity and assign appropriate data access permissions.
+  - Create a Kubernetes Service account annotated with the client ID of your user assigned managed identity
+  - Create a federated identity credential for your AKS cluster.
+
+## Configure your workload that connects to Azure Cache for Redis
+
+Next, set up the AKS workload to connect to Azure Cache for Redis after you configure the AKS cluster.
+
+1. Download the code for the [sample app](https://github.com/Azure-Samples/azure-cache-redis-sample/connect-from-aks).
+
+1. Build and push docker image to your Azure Container Registry using [az acr build](/cli/azure/acr#az-acr-build) command.
+
+   ```bash
+    az acr build --image sample/connect-from-aks-sample:1.0 --registry yourcontainerregistry --file Dockerfile .
+   ```
+
+1. Attach your container registry to your AKS cluster using following command:
+
+    ```bash
+    az aks update --name clustername --resource-group mygroup --attach-acr youracrname
+    ```
+
+## Deploy your workload
 
 In this section, you first install the Kubernetes CLI and then connect to an AKS cluster.
 
@@ -56,148 +82,116 @@ If you use Azure Cloud Shell, _kubectl_ is already installed, and you can skip t
 
 ### Connect to your AKS cluster
 
-Use the portal to copy the resource group and cluster name for your AKS cluster. To configure _kubectl_ to connect to your AKS cluster, use the following command with your resource group and cluster name:
-
-```bash
- az aks get-credentials --resource-group myResourceGroup --name myClusterName
- ```
-
-Verify that you're able to connect to your cluster by running the following command:
+1. Use the portal to copy the resource group and cluster name for your AKS cluster. To configure _kubectl_ to connect to your AKS cluster, use the following command with your resource group and cluster name:
 
-```bash
-kubectl get nodes
-```
-
-You should see similar output showing the list of your cluster nodes.
-
-```output
-NAME                                STATUS   ROLES   AGE   VERSION
-aks-agentpool-21274953-vmss000001   Ready    agent   1d    v1.24.15
-aks-agentpool-21274953-vmss000003   Ready    agent   1d    v1.24.15
-aks-agentpool-21274953-vmss000006   Ready    agent   1d    v1.24.15
-```
-
-## Update the voting application to use Azure Cache for Redis
+   ```bash
+   az aks get-credentials --resource-group myResourceGroup --name myClusterName
+    ```
 
-Use the [.yml file](https://github.com/Azure-Samples/azure-voting-app-redis/blob/master/azure-vote-all-in-one-redis.yaml) in the sample for reference.
+1. Verify that you're able to connect to your cluster by running the following command:
 
-Make the following changes to the deployment file before you save the file as _azure-vote-sample.yaml_.
+    ```bash
+    kubectl get nodes
+    ```
 
-1. Remove the deployment and service named `azure-vote-back`. This deployment is used to deploy a Redis container to your cluster that is not required when using Azure Cache for Redis.
+    You should see similar output showing the list of your cluster nodes.
 
-2. Replace the value `REDIS` variable from "azure-vote-back" to the _hostname_ of the Azure Cache for Redis instance that you created earlier. This change indicates that your application should use Azure Cache for Redis instead of a Redis container.
+    ```bash
+    NAME                                STATUS   ROLES   AGE   VERSION
+    aks-agentpool-21274953-vmss000001   Ready    agent   1d    v1.29.7
+    aks-agentpool-21274953-vmss000003   Ready    agent   1d    v1.29.7
+    aks-agentpool-21274953-vmss000006   Ready    agent   1d    v1.29.7
+    ```
 
-3. Define variable named `REDIS_PWD`, and set the value to the _access key_ for the Azure Cache for Redis instance that you created earlier.
+## Run your workload
 
-After all the changes, the deployment file should look like following file with your _hostname_ and _access key_. Save your file as _azure-vote-sample.yaml_.
+1. The following code describes the pod specification file that you use to run our workload. Take note that the pod has the label _azure.workloadidentity/use: "true"_ and is annotated with _serviceAccountName_ as required by AKS workload identity. When using access key authentication, replace the value of AUTHENTICATION_TYPE, REDIS_HOSTNAME and REDIS_ACCESSKEY environment variables.
 
-```YAML
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: azure-vote-front
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: azure-vote-front
-  strategy:
-    rollingUpdate:
-      maxSurge: 1
-      maxUnavailable: 1
-  minReadySeconds: 5 
-  template:
+   ```yml
+    apiVersion: v1
+    kind: Pod
     metadata:
+      name: entrademo-pod
       labels:
-        app: azure-vote-front
+        azure.workload.identity/use: "true"  # Required. Only pods with this label can use workload identity.
     spec:
-      nodeSelector:
-        "kubernetes.io/os": linux
+      serviceAccountName: workload-identity-sa
       containers:
-      - name: azure-vote-front
-        image: mcr.microsoft.com/azuredocs/azure-vote-front:v1
-        ports:
-        - containerPort: 80
+      - name: entrademo-container
+        image: youracr.azurecr.io/connect-from-aks-sample:1.0
+        imagePullPolicy: Always
+        command: ["dotnet", "ConnectFromAKS.dll"] 
         resources:
-          requests:
-            cpu: 250m
           limits:
-            cpu: 500m
+            memory: "256Mi"
+            cpu: "500m"
+          requests:
+            memory: "128Mi"
+            cpu: "250m"
         env:
-        - name: REDIS
-          value: myrediscache.redis.cache.windows.net
-        - name: REDIS_PWD
-          value: myrediscacheaccesskey
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: azure-vote-front
-spec:
-  type: LoadBalancer
-  ports:
-  - port: 80
-  selector:
-    app: azure-vote-front
-```
-
-## Deploy and test your application
+             - name: AUTHENTICATION_TYPE
+               value: "MANAGED_IDENTITY" # change to ACCESS_KEY to authenticate using access key
+             - name: REDIS_HOSTNAME
+               value: "your redis hostname"
+             - name: REDIS_ACCESSKEY
+               value: "your access key" 
+             - name: REDIS_PORT
+               value: "6380"
+      restartPolicy: Never
+    
+   ```
 
-Run the following command to deploy this application to your AKS cluster:
+1. Save this file as podspec.yaml and then apply it to your AKS cluster by running the folloWing command:
 
-```bash
-kubectl apply -f azure-vote-sample.yaml
-```
+    ```bash
+    kubectl apply -f podspec.yaml
+    ```
 
-You get a response indicating your deployment and service was created:
+   You get a response indicating your pod was created:
 
-```output
-deployment.apps/azure-vote-front created
-service/azure-vote-front created
-```
+    ```bash
+    pod/entrademo-pod created
+    ```
 
-To test the application, run the following command to check if the pod is running:
+1. To test the application, run the following command to check if the pod is running:
 
-```bash
-kubectl get pods
-```
+    ```bash
+    kubectl get pods
+    ```
 
-You see your pod running successfully like:
+    You see your pod running successfully like:
 
-```output
-NAME                                READY   STATUS                       RESTARTS   AGE
-azure-vote-front-7dd44597dd-p4cnq   1/1     Running                      0          68s
-```
+    ```bash
+    NAME                       READY   STATUS      RESTARTS       AGE
+    entrademo-pod              0/1     Completed   0              42s
+   ```
 
-Run the following command to get the endpoint for your application:
+1. Because this tutorial is a console app, you need to check the logs of the pod to verify that it ran as expected using this command.
 
-```bash
-kubectl get service azure-vote-front
-```
-
-You might see that the EXTERNAL-IP has status `<pending>` for a few minutes. Keep retrying until the status is replaced by an IP address.
-
-```output
-NAME                   TYPE           CLUSTER-IP     EXTERNAL-IP     PORT(S)        AGE
-azure-vote-front       LoadBalancer   10.0.166.147   20.69.136.105   80:30390/TCP   90s
-```
+    ```bash
+    kubectl logs entrademo-app
+    ```
 
-Once the External-IP is available, open a web browser to the External-IP address of your service and you see the application running as follows:
+    You see the following logs that indicate your pod successfully connected to your Redis instance using user assigned managed identity
 
-:::image type="content" source="media/cache-tutorial-aks-get-started/cache-web-voting-app.png" alt-text="Screenshot of the voting application running in a browser with buttons for cats, dogs, and reset.":::
+    ```bash
+    Connecting with managed identity..
+    Retrieved value from Redis: Hello, Redis!
+    Success! Previous value: Hello, Redis!
+   ```
 
-## Clean up your deployment
+## Clean up your cluster
 
 To clean up your cluster, run the following commands:
 
 ```bash
-kubectl delete deployment azure-vote-front
-kubectl delete service azure-vote-front
+kubectl delete pod entrademo-pod
 ```
 
 [!INCLUDE [cache-delete-resource-group](includes/cache-delete-resource-group.md)]
 
 ## Related content
 
 - [Quickstart: Deploy an Azure Kubernetes Service (AKS) cluster using the Azure portal](/azure/aks/learn/quick-kubernetes-deploy-portal)
-- [AKS sample voting application](https://github.com/Azure-Samples/azure-voting-app-redis/tree/master)
+- [Quickstart: Deploy and configure workload identity on an Azure Kubernetes Service (AKS) cluster](/azure/aks/workload-identity-deploy-cluster)
+- [Azure Cache for Redis Entra ID Authentication](/azure/azure-cache-for-redis/cache-azure-active-directory-for-authentication)

articles/governance/policy/samples/australia-ism.md

@@ -1,7 +1,7 @@
 ---
 title: Regulatory Compliance details for Australian Government ISM PROTECTED
 description: Details of the Australian Government ISM PROTECTED Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment.
-ms.date: 09/30/2024
+ms.date: 10/08/2024
 ms.topic: sample
 ms.custom: generated
 ---

articles/governance/policy/samples/azure-security-benchmark.md

@@ -1,7 +1,7 @@
 ---
 title: Regulatory Compliance details for Microsoft cloud security benchmark
 description: Details of the Microsoft cloud security benchmark Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment.
-ms.date: 09/30/2024
+ms.date: 10/08/2024
 ms.topic: sample
 ms.custom: generated
 ---

articles/governance/policy/samples/built-in-initiatives.md

@@ -1,7 +1,7 @@
 ---
 title: List of built-in policy initiatives
 description: List built-in policy initiatives for Azure Policy. Categories include Regulatory Compliance, Azure Machine Configuration, and more.
-ms.date: 09/30/2024
+ms.date: 10/08/2024
 ms.topic: sample
 ms.custom: generated
 ---

articles/governance/policy/samples/built-in-policies.md

@@ -1,7 +1,7 @@
 ---
 title: List of built-in policy definitions
 description: List built-in policy definitions for Azure Policy. Categories include Tags, Regulatory Compliance, Key Vault, Kubernetes, Azure Machine Configuration, and more.
-ms.date: 09/30/2024
+ms.date: 10/08/2024
 ms.topic: sample
 ms.custom: generated
 ---

articles/governance/policy/samples/canada-federal-pbmm.md

@@ -1,7 +1,7 @@
 ---
 title: Regulatory Compliance details for Canada Federal PBMM
 description: Details of the Canada Federal PBMM Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment.
-ms.date: 09/30/2024
+ms.date: 10/08/2024
 ms.topic: sample
 ms.custom: generated
 ---

articles/governance/policy/samples/cis-azure-1-1-0.md

@@ -1,7 +1,7 @@
 ---
 title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.1.0
 description: Details of the CIS Microsoft Azure Foundations Benchmark 1.1.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment.
-ms.date: 09/30/2024
+ms.date: 10/08/2024
 ms.topic: sample
 ms.custom: generated
 ---

articles/governance/policy/samples/cis-azure-1-3-0.md

@@ -1,7 +1,7 @@
 ---
 title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.3.0
 description: Details of the CIS Microsoft Azure Foundations Benchmark 1.3.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment.
-ms.date: 09/30/2024
+ms.date: 10/08/2024
 ms.topic: sample
 ms.custom: generated
 ---

articles/governance/policy/samples/cis-azure-1-4-0.md

@@ -1,7 +1,7 @@
 ---
 title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark 1.4.0
 description: Details of the CIS Microsoft Azure Foundations Benchmark 1.4.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment.
-ms.date: 09/30/2024
+ms.date: 10/08/2024
 ms.topic: sample
 ms.custom: generated
 ---