Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into liFlag

Author: roygara

articles/aks/TOC.yml

@@ -260,6 +260,8 @@
             - name: Scan images in your CI/CD Workflow
               href: ../defender-for-cloud/defender-for-container-registries-cicd.md
               maintainContext: True
+        - name: Remove vulnerable images with ImageCleaner (preview)
+          href: image-cleaner.md
         - name: Registry security
           items:
             - name: Scanning images in ACR registries

articles/aks/image-cleaner.md

@@ -0,0 +1,167 @@
+---
+title: Use ImageCleaner on Azure Kubernetes Service (AKS)
+description: Learn how to use ImageCleaner to clean up stale images on Azure Kubernetes Service (AKS)
+ms.author: nickoman
+author: nickomang
+services: container-service
+ms.topic: article
+ms.date: 08/26/2022
+---
+
+# Use ImageCleaner to clean up stale images on your Azure Kubernetes Service cluster (preview)
+
+It's common to use pipelines to build and deploy images on Azure Kubernetes Service (AKS) clusters. While great for image creation, this process often doesn't account for the stale images left behind and can lead to image bloat on cluster nodes. These images can present security issues as they may contain vulnerabilities. By cleaning these unreferenced images, you can remove an area of risk in your clusters. When done manually, this process can be time intensive, which ImageCleaner can mitigate via automatic image identification and removal.
+
+[!INCLUDE [preview features callout](./includes/preview/preview-callout.md)]
+
+## Prerequisites
+
+* An Azure subscription. If you don't have an Azure subscription, you can create a [free account](https://azure.microsoft.com/free).
+* [Azure CLI][azure-cli-install] or [Azure PowerShell][azure-powershell-install] and the `aks-preview` CLI extension installed.
+* The `EnableImageCleanerPreview` feature flag registered on your subscription:
+
+### [Azure CLI](#tab/azure-cli)
+
+Register the `EnableImageCleanerPreview` feature flag by using the [az feature register][az-feature-register] command, as shown in the following example:
+
+```azurecli-interactive
+az feature register --namespace "Microsoft.ContainerService" --name "EnableImageCleanerPreview"
+```
+
+It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature list][az-feature-list] command:
+
+```azurecli-interactive
+az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/EnableImageCleanerPreview')].{Name:name,State:properties.state}"
+```
+
+When ready, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command:
+
+```azurecli-interactive
+az provider register --namespace Microsoft.ContainerService
+```
+
+### [Azure PowerShell](#tab/azure-powershell)
+
+Register the `EnableImageCleanerPreview` feature flag by using the [Register-AzProviderPreviewFeature][register-azproviderpreviewfeature] cmdlet, as shown in the following example:
+
+```azurepowershell-interactive
+Register-AzProviderPreviewFeature -ProviderNamespace Microsoft.ContainerService -Name EnableImageCleanerPreview
+```
+
+It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [Get-AzProviderPreviewFeature][get-azproviderpreviewfeature] cmdlet:
+
+```azurepowershell-interactive
+Get-AzProviderPreviewFeature -ProviderNamespace Microsoft.ContainerService -Name EnableImageCleanerPreview |
+ Format-Table -Property Name, @{name='State'; expression={$_.Properties.State}}
+```
+
+When ready, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [Register-AzResourceProvider][register-azresourceprovider] command:
+
+```azurepowershell-interactive
+Register-AzResourceProvider -ProviderNamespace Microsoft.ContainerService
+```
+
+---
+
+## Limitations
+
+ImageCleaner does not support the following:
+
+* ARM64 node pools. For more information, see [Azure Virtual Machines with ARM-based processors][arm-vms].
+* Windows node pools.
+
+## How ImageCleaner works
+
+When enabled, an `eraser-controller-manager` pod is deployed on each agent node, which will use an `ImageList` CRD to determine unreferenced and vulnerable images. Vulnerability is determined based on a [trivy][trivy] scan, after which images with a `LOW`, `MEDIUM`, `HIGH`, or `CRITICAL` classification are flagged. An updated `ImageList` will be automatically generated by ImageCleaner based on a set time interval, and can also be supplied manually.
+
+Once an `ImageList` is generated, ImageCleaner will remove all the images in the list from node VMs.
+
+
+:::image type="content" source="./media/image-cleaner/image-cleaner.jpg" alt-text="A diagram showing ImageCleaner's workflow. The ImageCleaner pods running on the cluster can generate an ImageList, or manual input can be provided.":::
+
+## Configuration options
+
+In addition to choosing between manual and automatic mode, there are several options for ImageCleaner:
+
+|Name|Description|Required|
+|----|-----------|--------|
+|--enable-image-cleaner|Enable the ImageCleaner feature for an AKS cluster|Yes, unless disable is specified|
+|--disable-image-cleaner|Disable the ImageCleaner feature for an AKS cluster|Yes, unless enable is specified|
+|--image-cleaner-interval-hours|This parameter determines the interval time (in hours) ImageCleaner will use to run. The default value is one week, the minimum value is 24 hours and the maximum is three months.|No|
+
+## Enable ImageCleaner on your AKS cluster
+
+To create a new AKS cluster using the default interval, use [az aks create][az-aks-create]:
+
+```azurecli-interactive
+az aks create -g MyResourceGroup -n MyManagedCluster \ 
+  --enable-image-cleaner 
+```
+
+To enable on an existing AKS cluster, use [az aks update][az-aks-update]:
+
+```azurecli-interactive
+az aks update -g MyResourceGroup -n MyManagedCluster \ 
+  --enable-image-cleaner 
+```
+
+The `--image-cleaner-interval-hours` parameter can be specified at creation time or for an existing cluster. For example, the following command updates the interval for a cluster with ImageCleaner already enabled:
+
+```azurecli-interactive
+az aks update -g MyResourceGroup -n MyManagedCluster \
+  --image-cleaner-interval-hours 48
+```
+
+Based on your configuration, ImageCleaner will generate an `ImageList` containing non-running and vulnerable images at the desired interval. ImageCleaner will automatically remove these images from cluster nodes.
+
+## Manually remove images
+
+To manually remove images from your cluster using ImageCleaner, first create an `ImageList`. For example, save the following as `image-list.yml`:
+
+```yml
+apiVersion: eraser.sh/v1alpha1
+kind: ImageList
+metadata:
+  name: imagelist
+spec:
+  images:
+    - docker.io/library/alpine:3.7.3   # You can also use "*" to specify all non-running images
+```
+
+And apply it to the cluster:
+
+```bash
+kubectl apply -f image-list.yml
+```
+
+A job will trigger which causes ImageCleaner to remove the desired images from all nodes.
+
+## Disable ImageCleaner
+
+To stop using ImageCleaner, you can disable it via the `--disable-image-cleaner` flag:
+
+```azurecli-interactive
+az aks update -g MyResourceGroup -n MyManagedCluster
+  --disable-image-cleaner
+```
+
+## Logging
+
+The deletion logs are stored in the `image-cleaner-kind-worker` pods. You can check these via `kubectl logs` or via the Container Insights pod log table if the [Azure Monitor add-on](./monitor-aks.md) is enabled.
+
+<!-- LINKS -->
+
+[azure-cli-install]: /cli/azure/install-azure-cli
+[azure-powershell-install]: /powershell/azure/install-az-ps
+
+[az-aks-create]: /cli/azure/aks#az_aks_create
+[az-aks-update]: /cli/azure/aks#az_aks_update
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[register-azproviderpreviewfeature]: /powershell/module/az.resources/register-azproviderpreviewfeature
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[get-azproviderpreviewfeature]: /powershell/module/az.resources/get-azproviderpreviewfeature
+[az-provider-register]: /cli/azure/provider#az_provider_register
+[register-azresourceprovider]: /powershell/module/az.resources/register-azresourceprovider
+
+[arm-vms]: https://azure.microsoft.com/blog/azure-virtual-machines-with-ampere-altra-arm-based-processors-generally-available/
+[trivy]: https://github.com/aquasecurity/trivy

articles/aks/media/image-cleaner/image-cleaner.jpg

@@ -413,6 +413,8 @@
           href: diagnostic-queries-mongodb.md
         - name: Prevent rate-limiting errors
           href: prevent-rate-limiting-errors.md
+        - name: Optimize query and storage costs when upgrading
+          href: compression-cost-savings.md
     - name: Analytics and BI with Azure Synapse Link
       items:
         - name: Configure Azure Synapse Link

articles/cosmos-db/mongodb/TOC.yml

@@ -0,0 +1,33 @@
+---
+title: Improve performance and optimize costs when upgrading to Azure Cosmos DB API for MongoDB 4.0+
+description: Learn how upgrading your API for MongoDB account to versions 4.0+ saves you money on queries and storage.
+author: gahl-levy
+ms.service: cosmos-db
+ms.topic: how-to
+ms.date: 09/06/2022
+ms.author: gahllevy
+---
+
+# Improve performance and optimize costs when upgrading to Azure Cosmos DB API for MongoDB 4.0+
+[!INCLUDE[appliesto-mongodb-api](../includes/appliesto-mongodb-api.md)]
+
+Azure Cosmos DB API for MongoDB introduced a new data compression algorithm in versions 4.0+ that saves up to 90% on RU and storage costs. Upgrading your database account to versions 4.0+ and following this guide will help you realize the maximum performance and cost improvements. 
+
+## How it works
+The API for MongoDB charges users based on how many [request units](../request-units.md) (RUs) are consumed for each operation. With the new compression format, a reduction in storage size and query size directly results in a reduction in RU usage, saving you money. Performance and costs are coupled in Cosmos DB.
+
+When [upgrading](upgrade-mongodb-version.md) from an API for MongoDB database account versions 3.6 or 3.2 to version 4.0 or greater, all new documents (data) written to that account will be stored in the improved compression format. Older documents, written before the account was upgraded, remain fully backwards compatible, but will remain stored in the older compression format.
+
+## Upgrading older documents
+When upgrading your database account to versions 4.0+, it's good idea to consider upgrading your older documents as well. Doing so will provide you with efficiency improvements on your older data as well as new data that gets written to the account after the upgrade. The following steps upgrade your older documents to the new compression format:
+
+1. [Upgrade](upgrade-mongodb-version.md) your database account to 4.0 or higher. Any new data that's written to any collection in the account will be written in the new format. All formats are backwards compatible. 
+2. Update at least one field in each old document (from before the upgrade) to a new value or change the document in a different way- such as adding a new field. Don't rewrite the exact same document since the Cosmos DB optimizer will ignore it.
+3. Repeat step two for each document. When a document is updated, it will be written in the new format.
+
+
+## Next steps
+Learn more about upgrading and the API for MongoDB versions:
+* [Introduction to the API for MongoDB](mongodb-introduction.md)
+* [Upgrade guide](upgrade-mongodb-version.md)
+* [Version 4.2](feature-support-42.md)

articles/cosmos-db/mongodb/compression-cost-savings.md

@@ -4,7 +4,7 @@ titleSuffix: Microsoft Cost Management
 description: The article explains how you can use the Cost Details API to get raw, unaggregated cost data that corresponds to your Azure bill.
 author: bandersmsft
 ms.author: banders
-ms.date: 07/15/2022
+ms.date: 09/08/2022
 ms.topic: conceptual
 ms.service: cost-management-billing
 ms.subservice: cost-management
@@ -21,6 +21,14 @@ To learn more about the data in cost details (formerly referred to as *usage det
 
 The [Cost Details](/rest/api/cost-management/generate-cost-details-report) report is only available for customers with an Enterprise Agreement or Microsoft Customer Agreement. If you're an MSDN, Pay-As-You-Go or Visual Studio customer, see [Get cost details for a pay-as-you-go subscription](get-usage-details-legacy-customer.md).
 
+## Permissions
+
+To use the Cost Details API, you need read only permissions for supported features and scopes. For more information, see: 
+
+- [Azure RBAC scopes - role permissions for feature behavior](../costs/understand-work-scopes.md#feature-behavior-for-each-role)
+- [Enterprise Agreement scopes - role permissions for feature behavior](../costs/understand-work-scopes.md#feature-behavior-for-each-role-1)
+- [Microsoft Customer Agreement scopes - role permissions for feature behavior](../costs/understand-work-scopes.md#feature-behavior-for-each-role-2)
+
 ## Cost Details API best practices
 
 Microsoft recommends the following best practices as you use the Cost Details API.

articles/cost-management-billing/automate/get-small-usage-datasets-on-demand.md

@@ -4,7 +4,7 @@ titleSuffix: Microsoft Cost Management
 description: This article helps you understand billing and resource management scopes available in Azure and how to use the scopes in Cost Management and APIs.
 author: bandersmsft
 ms.author: banders
-ms.date: 12/07/2021
+ms.date: 09/08/2022
 ms.topic: conceptual
 ms.service: cost-management-billing
 ms.subservice: cost-management
@@ -82,7 +82,7 @@ The following table shows how Cost Management features are used by each role. Th
 
 | **Feature/Role** | **Owner** | **Contributor** | **Reader** | **Cost Management Reader** | **Cost Management Contributor** |
 | --- | --- | --- | --- | --- | --- | 
-| **Cost Analysis / Forecast / Query API** | Read only | Read only | Read only | Read only | Read only |
+| **Cost Analysis / Forecast / Query / Cost Details API** | Read only | Read only | Read only | Read only | Read only |
 | **Shared views** | Create, Read, Update, Delete | Create, Read, Update, Delete | Read only | Read only |  Create, Read, Update, Delete|
 | **Budgets** | Create, Read, Update, Delete | Create, Read, Update, Delete | Read only | Read only | Create, Read, Update, Delete |
 | **Alerts** | Read, Update | Read, Update | Read only | Read only | Read, Update |
@@ -128,7 +128,7 @@ The following tables show how Cost Management features can be utilized by each r
 
 | **Feature/Role** | **Enterprise Admin** | **Enterprise Read-Only** |
 | --- | --- | --- |
-| **Cost Analysis / Forecast / Query API** | Read only | Read only |
+| **Cost Analysis / Forecast / Query / Cost Details API** | Read only | Read only |
 | **Shared Views** | Create, Read, Update, Delete | Create, Read, Update, Delete |
 | **Budgets** | Create, Read, Update, Delete | Create, Read, Update, Delete |
 | **Alerts** | Read, Update | Read, Update |
@@ -139,7 +139,7 @@ The following tables show how Cost Management features can be utilized by each r
 
 | **Feature/Role** | **Enterprise Admin** | **Enterprise Read Only** | **Department Admin (only if "DA view charges" setting is on)** | **Department Read Only (only if "DA view charges" setting is on)** |
 | --- | --- | --- | --- | --- |
-| **Cost Analysis / Forecast / Query API** | Read only | Read only | Read only | Read only |
+| **Cost Analysis / Forecast / Query / Cost Details API** | Read only | Read only | Read only | Read only |
 | **Shared Views** | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete |
 | **Budgets** | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete |
 | **Alerts** | Read, Update | Read, Update | Read, Update | Read, Update |
@@ -150,7 +150,7 @@ The following tables show how Cost Management features can be utilized by each r
 
 | **Feature/Role** | **Enterprise Admin** | **Enterprise Read Only** | **Department Admin (only if "DA view charges" is on)** | **Department Read Only (only if "DA view charges" setting is on)** | **Account Owner (only if "AO view charges" setting is on)** |
 | --- | --- | --- | --- | --- | --- |
-| **Cost Analysis / Forecast / Query API** | Read only | Read only | Read only | Read only | Read only |
+| **Cost Analysis / Forecast / Query / Cost Details API** | Read only | Read only | Read only | Read only | Read only |
 | **Shared Views** | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete |
 | **Budgets** | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete |
 | **Alerts** | Read, Update | Read, Update | Read, Update | Read, Update | Read, Update |
@@ -215,7 +215,7 @@ The following tables show how Cost Management features can be utilized by each r
 
 | **Feature/Role** | **Owner** | **Contributor** | **Reader** |
 | --- | --- | --- | --- |
-| **Cost Analysis / Forecast / Query API** | Read only | Read only | Read only |
+| **Cost Analysis / Forecast / Query / Cost Details API** | Read only | Read only | Read only |
 | **Shared Views** | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete |
 | **Budgets** | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete |
 | **Alerts** | Read, Update | Read, Update | Read, Update |
@@ -226,7 +226,7 @@ The following tables show how Cost Management features can be utilized by each r
 
 | **Feature/Role** | **Owner** | **Contributor** | **Reader** | **Invoice Manager** |
 | --- | --- | --- | --- | --- |
-| **Cost Analysis / Forecast / Query API** | Read only | Read only | Read only | Read only |
+| **Cost Analysis / Forecast / Query / Cost Details API** | Read only | Read only | Read only | Read only |
 | **Shared Views** | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete |
 | **Budgets** | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete |
 | **Alerts** | Read, Update | Read, Update | Read, Update | Create, Read, Update, Delete |
@@ -237,7 +237,7 @@ The following tables show how Cost Management features can be utilized by each r
 
 | **Feature/Role** | **Owner** | **Contributor** | **Reader** | **Azure Subscription Creator** |
 | --- | --- | --- | --- | --- |
-| **Cost Analysis / Forecast / Query API** | Read only | Read only | Read only | Read only |
+| **Cost Analysis / Forecast / Query / Cost Details API** | Read only | Read only | Read only | Read only |
 | **Shared Views** | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete |
 | **Budgets** | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete |
 | **Alerts** | Read, Update | Read, Update | Read, Update | Read, Update |