Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into ds-qsrt1720628

Author: davidsmatlak

articles/active-directory/cloud-provisioning/tutorial-pilot-aadc-aadccp.md

@@ -7,7 +7,7 @@ manager: daveba
 ms.service: active-directory
 ms.workload: identity
 ms.topic: overview
-ms.date: 03/04/2020
+ms.date: 05/19/2020
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
@@ -196,7 +196,9 @@ Azure AD Connect sync synchronizes changes occurring in your on-premises directo
 3.  Run `Start-ADSyncSyncCycle`.  Hit Enter.  
 
 >[!NOTE] 
->If you are running your own custom scheduler for AAD Connect sync, then please enable the scheduler. 
+>If you are running your own custom scheduler for Azure AD Connect sync, then please enable the scheduler. 
+
+Once the scheduler is enabled, Azure AD Connect will stop exporting any changes on objects with `cloudNoFlow=true` in the metaverse, unless any reference attribute (eg. manager) is being updated. In case there is any reference attribute update on the object, Azure AD Connect will ignore the `cloudNoFlow` signal and export all updates on the object.
 
 ## Something went wrong
 In case the pilot does not work as expected, you can go back to the Azure AD Connect sync setup by following the steps below:

articles/aks/azure-files-dynamic-pv.md

@@ -31,7 +31,6 @@ A storage class is used to define how an Azure file share is created. A storage
 * *Standard_ZRS* - standard zone redundant storage (ZRS)
 * *Standard_RAGRS* - standard read-access geo-redundant storage (RA-GRS)
 * *Premium_LRS* - premium locally redundant storage (LRS)
-* *Premium_ZRS* - premium zone redundant storage (GRS)
 
 > [!NOTE]
 > Azure Files support premium storage in AKS clusters that run Kubernetes 1.13 or higher, minimum premium file share is 100GB

articles/aks/cluster-autoscaler.md

@@ -95,7 +95,7 @@ az aks update \
 The above example updates cluster autoscaler on the single node pool in *myAKSCluster* to a minimum of *1* and maximum of *5* nodes.
 
 > [!NOTE]
-> You can't set a higher minimum node count than is currently set for the node pool. For example, if you currently have min count set to *1*, you can't update the min count to *3*.
+The cluster autoscaler will make its scaling decisions based on the minimum and maximum counts set on each node pool, but it does not enforce them. For example, setting a min-count of 5 when the current node count is 3 will not immediately scale the pool up to 5. If you change the minimum count on the node pool to a value higher than the current number of nodes, this new limit will be respected when there are enough unschedulable pods present that would require 2 new additional nodes and trigger an autoscaler event. After this occurs, the new minimum count limit will be respected for the cluster autoscaler.
 
 Monitor the performance of your applications and services, and adjust the cluster autoscaler node counts to match the required performance.
 

articles/aks/developer-best-practices-pod-security.md

@@ -66,14 +66,17 @@ Work with your cluster operator to determine what security context settings you
 
 To limit the risk of credentials being exposed in your application code, avoid the use of fixed or shared credentials. Credentials or keys shouldn't be included directly in your code. If these credentials are exposed, the application needs to be updated and redeployed. A better approach is to give pods their own identity and way to authenticate themselves, or automatically retrieve credentials from a digital vault.
 
-The following [associated AKS open source projects][aks-associated-projects] let you automatically authenticate pods or request credentials and keys from a digital vault:
+### Use Azure Container Compute Upstream projects
 
-* Managed identities for Azure resources, and
-* [Azure Key Vault Provider for Secrets Store CSI Driver](https://github.com/Azure/secrets-store-csi-driver-provider-azure#usage)
+> [!IMPORTANT]
+> Associated AKS open source projects are not supported by Azure technical support. They are provided for users to self-install into clusters and gather feedback from our community.
 
-Associated AKS open source projects are not supported by Azure technical support. They are provided to gather feedback and bugs from our community. These projects are not recommended for production use.
+The following [associated AKS open source projects][aks-associated-projects] let you automatically authenticate pods or request credentials and keys from a digital vault. These projects are maintained by the Azure Container Compute Upstream team and are part of a [broader list of projects available for use](https://github.com/Azure/container-compute-upstream/blob/master/README.md#support).
 
-### Use pod managed identities
+ * [Azure Active Directory Pod Identity][aad-pod-identity]
+ * [Azure Key Vault Provider for Secrets Store CSI Driver](https://github.com/Azure/secrets-store-csi-driver-provider-azure#usage)
+
+#### Use pod managed identities
 
 A managed identity for Azure resources lets a pod authenticate itself against Azure services that support it, such as Storage or SQL. The pod is assigned an Azure Identity that lets them authenticate to Azure Active Directory and receive a digital token. This digital token can be presented to other Azure services that check if the pod is authorized to access the service and perform the required actions. This approach means that no secrets are required for database connection strings, for example. The simplified workflow for pod managed identity is shown in the following diagram:
 
@@ -83,7 +86,7 @@ With a managed identity, your application code doesn't need to include credentia
 
 For more information about pod identities, see [Configure an AKS cluster to use pod managed identities and with your applications][aad-pod-identity]
 
-### Use Azure Key Vault with Secrets Store CSI Driver
+#### Use Azure Key Vault with Secrets Store CSI Driver
 
 Using the pod identity project enables authentication against supporting Azure services. For your own services or applications without managed identities for Azure resources, you can still authenticate using credentials or keys. A digital vault can be used to store these secret contents.
 

articles/aks/egress-outboundtype.md

@@ -117,9 +117,6 @@ DEVSUBNET_NAME="${PREFIX}dev"
 Next, set subscription IDs.
 
 ```azure-cli
-# Get ARM Access Token and Subscription ID - This will be used for AuthN later.
-
-ACCESS_TOKEN=$(az account get-access-token -o tsv --query 'accessToken')
 
 # NOTE: Update Subscription Name
 # Set Default Azure Subscription to be Used via Subscription ID

articles/aks/faq.md

@@ -123,9 +123,7 @@ Windows Server support for node pool includes some limitations that are part of
 
 ## Does AKS offer a service-level agreement?
 
-AKS offers an optional [uptime SLA add-on][uptime-sla] for the Kubernetes API server. Customers who choose the SLA add-on are guaranteed 99.95% availability for clusters which are spread across availability zones and 99.9% availability for those which are not. For clusters without the SLA add-on, AKS maintaines a service-level objective of 99.5% availability. 
-
-It is important to recognize the distinction between AKS service availability which refers to uptime of the Kubernetes control plane and the availability of your specific workload which is running on Azure Virtual Machines and therefore covered by the [VM SLA][vm-sla]. In the event that the Kubernetes control plane is unavailable, your applications will continue to function. However, you will be unable to deploy new applications, scale or upgrade existing applications, or perform other management operations on the cluster.
+AKS provides SLA guarantees as an optional add on feature with [Uptime SLA][uptime-sla].
 
 ## Can I apply Azure reservation discounts to my AKS agent nodes?
 

articles/aks/private-clusters.md

@@ -98,13 +98,13 @@ As mentioned, VNet peering is one way to access your private cluster. To use VNe
 * IP authorized ranges cannot be applied to the private api server endpoint, they only apply to the public API server
 * Availability Zones are currently supported for certain regions, see the beginning of this document 
 * [Azure Private Link service limitations][private-link-service] apply to private clusters.
-* No support for virtual nodes in a private cluster to spin private Azure Container Instances (ACI) in a private Azure virtual network
 * No support for Azure DevOps integration out of the box with private clusters
 * For customers that need to enable Azure Container Registry to work with private AKS, the Container Registry virtual network must be peered with the agent cluster virtual network.
 * No current support for Azure Dev Spaces
 * No support for converting existing AKS clusters into private clusters
 * Deleting or modifying the private endpoint in the customer subnet will cause the cluster to stop functioning. 
 * Azure Monitor for containers Live Data isn't currently supported.
+* Uptime SLA isn't currently supported.
 
 
 <!-- LINKS - internal -->

articles/aks/uptime-sla.md

@@ -1,25 +1,25 @@
 ---
-title: Azure Kubernetes Service (AKS) high availability with Uptime SLA
-description: Learn about the optional high availability Uptime SLA offering for the Azure Kubernetes Service (AKS) API Server.
+title: Azure Kubernetes Service (AKS) with Uptime SLA
+description: Learn about the optional Uptime SLA offering for the Azure Kubernetes Service (AKS) API Server.
 services: container-service
 ms.topic: conceptual
 ms.date: 05/11/2020
 ---
 
 # Azure Kubernetes Service (AKS) Uptime SLA
 
-Uptime SLA is an optional feature to enable financially backed higher SLA for a cluster. Uptime SLA guarantees 99.95% availability of the Kubernetes API server endpoint for clusters that use [Availability Zone][availability-zones] and 99.9% of availability for clusters that don't use availability zones. AKS uses master node replicas across update and fault domains to ensure SLA requirements are met.
+Uptime SLA is an optional feature to enable a financially backed, higher SLA for a cluster. Uptime SLA guarantees 99.95% availability of the Kubernetes API server endpoint for clusters that use [Availability Zones][availability-zones] and 99.9% of availability for clusters that don't use Availability Zones. AKS uses master node replicas across update and fault domains to ensure SLA requirements are met.
 
-Customers needing SLA for compliance reasons or extending SLA's to their customers should turn on this feature. Customers with critical workloads who need higher availability with an option of SLA benefit from enabling this feature. Enable the feature with Availability Zones to obtain higher availability of the Kubernetes API server.  
+Customers needing an SLA to meet compliance requirements or require extending an SLA to their end-users should enable this feature. Customers with critical workloads that will benefit from a higher uptime SLA may also benefit. Using the Uptime SLA feature with Availability Zones enables a higher availability for the uptime of the Kubernetes API server.  
 
-Customers can create unlimited free clusters with a service level objective (SLO) of 99.5%.
+Customers can still create unlimited free clusters with a service level objective (SLO) of 99.5% and opt for the preferred SLO or SLA Uptime as needed.
 
 > [!Important]
 > For clusters with egress lockdown, see [limit egress traffic](limit-egress-traffic.md) to open appropriate ports for Uptime SLA.
 
 ## SLA terms and conditions
 
-Uptime SLA is a paid feature and enabled per cluster. Uptime SLA pricing is determined by the number of clusters, and not by the size of the clusters. You can view [Uptime SLA pricing details](https://azure.microsoft.com/pricing/details/kubernetes-service/) for more information.
+Uptime SLA is a paid feature and enabled per cluster. Uptime SLA pricing is determined by the number of discrete clusters, and not by the size of the individual clusters. You can view [Uptime SLA pricing details](https://azure.microsoft.com/pricing/details/kubernetes-service/) for more information.
 
 ## Region Availability
 
@@ -59,19 +59,17 @@ After a few minutes, the command completes and returns JSON-formatted informatio
     "name": "Basic",
     "tier": "Paid"
   },
-  "tags": null,
-  "type": "Microsoft.ContainerService/ManagedClusters",
-  "windowsProfile": null
 ```
 
 ## Limitations
 
-* You can't currently add Uptime SLA to existing clusters.
-* Currently, there is no way to remove Uptime SLA from an AKS cluster.  
+* Currently, cannot convert as existing cluster to enable the Uptime SLA.
+* Currently, there is no way to remove Uptime SLA from an AKS cluster after creation with it enabled.  
 
 ## Next steps
 
 Use [Availability Zones][availability-zones] to increase high availability with your AKS cluster workloads.
+Configure your cluster to [limit egress traffic](limit-egress-traffic.md).
 
 <!-- LINKS - External -->
 [azure-support]: https://ms.portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest

articles/aks/use-network-policies.md

@@ -77,7 +77,7 @@ The following example script:
 * Creates an Azure Active Directory (Azure AD) service principal for use with the AKS cluster.
 * Assigns *Contributor* permissions for the AKS cluster service principal on the virtual network.
 * Creates an AKS cluster in the defined virtual network and enables network policy.
-    * The *azure* network policy option is used. To use Calico as the network policy option instead, use the `--network-policy calico` parameter. Note: Calico could be used with either `--network-plugin azure` or `--network-plugin kubenet`.
+    * The _Azure Network_ policy option is used. To use Calico as the network policy option instead, use the `--network-policy calico` parameter. Note: Calico could be used with either `--network-plugin azure` or `--network-plugin kubenet`.
 
 Note that instead of using a service principal, you can use a managed identity for permissions. For more information, see [Use managed identities](use-managed-identity.md).
 
@@ -142,7 +142,7 @@ az aks get-credentials --resource-group $RESOURCE_GROUP_NAME --name $CLUSTER_NAM
 
 ## Deny all inbound traffic to a pod
 
-Before you define rules to allow specific network traffic, first create a network policy to deny all traffic. This policy gives you a starting point to begin to whitelist only the  desired traffic. You can also clearly see that traffic is dropped when the network policy is applied.
+Before you define rules to allow specific network traffic, first create a network policy to deny all traffic. This policy gives you a starting point to begin to create an allow list for only the desired traffic. You can also clearly see that traffic is dropped when the network policy is applied.
 
 For the sample application environment and traffic rules, let's first create a namespace called *development* to run the example pods:
 
@@ -470,9 +470,9 @@ To learn more about policies, see [Kubernetes network policies][kubernetes-netwo
 [policy-rules]: https://kubernetes.io/docs/concepts/services-networking/network-policies/#behavior-of-to-and-from-selectors
 [aks-github]: https://github.com/azure/aks/issues
 [tigera]: https://www.tigera.io/
-[calicoctl]: https://docs.projectcalico.org/v3.9/reference/calicoctl/
+[calicoctl]: https://docs.projectcalico.org/reference/calicoctl/
 [calico-support]: https://www.tigera.io/tigera-products/calico/
-[calico-logs]: https://docs.projectcalico.org/v3.9/maintenance/component-logs
+[calico-logs]: https://docs.projectcalico.org/maintenance/troubleshoot/component-logs
 [calico-aks-cleanup]: https://github.com/Azure/aks-engine/blob/master/docs/topics/calico-3.3.1-cleanup-after-upgrade.yaml
 
 <!-- LINKS - internal -->

articles/azure-functions/TOC.yml

@@ -49,7 +49,7 @@
   - name: Machine learning with TensorFlow
     href: functions-machine-learning-tensorflow.md
   - name: Image classification with PyTorch
-    href: machine-learning-pytorch.md 
+    href: machine-learning-pytorch.md
   - name: Create a custom Linux image
     href: functions-create-function-linux-custom-image.md
   - name: Functions on IoT Edge device
@@ -335,6 +335,8 @@
     items:
     - name: Troubleshoot storage
       href: functions-recover-storage-account.md
+    - name: Troubleshoot Python dependencies
+      href: recover-module-not-found.md
 - name: Reference
   items:
   - name: API references