Merge pull request #262070 from MicrosoftDocs/main

12/29/2023 AM Publish

Author: Taojunshen

articles/azure-monitor/logs/cross-workspace-query.md

@@ -26,7 +26,7 @@ If you manage subscriptions in other Microsoft Entra tenants through [Azure Ligh
 ## Permissions required
 
 - You must have `Microsoft.OperationalInsights/workspaces/query/*/read` permissions to the Log Analytics workspaces you query, as provided by the [Log Analytics Reader built-in role](./manage-access.md#log-analytics-reader), for example.
-- To save a query, you must have `microsoft.operationalinsights/querypacks/queries/action` permisisons to the query pack where you want to save the query, as provided by the [Log Analytics Contributor built-in role](./manage-access.md#log-analytics-contributor), for example.
+- To save a query, you must have `microsoft.operationalinsights/querypacks/queries/action` permissions to the query pack where you want to save the query, as provided by the [Log Analytics Contributor built-in role](./manage-access.md#log-analytics-contributor), for example.
 
 ## Limitations
 

articles/azure-resource-manager/bicep/bicep-config-linter.md

@@ -3,7 +3,7 @@ title: Linter settings for Bicep config
 description: Describes how to customize configuration values for the Bicep linter
 ms.topic: conceptual
 ms.custom: devx-track-bicep
-ms.date: 11/27/2023
+ms.date: 12/29/2023
 ---
 
 # Add linter settings in the Bicep config file
@@ -36,6 +36,9 @@ The following example shows the rules that are available for configuration.
         "explicit-values-for-loc-params": {
           "level": "warning"
         },
+        "max-asserts": {
+          "level": "warning"
+        },
         "max-outputs": {
           "level": "warning"
         },

articles/azure-resource-manager/bicep/linter-rule-max-asserts.md

@@ -0,0 +1,28 @@
+---
+title: Linter rule - max asserts
+description: Linter rule - max asserts.
+ms.topic: conceptual
+ms.custom: devx-track-bicep
+ms.date: 12/28/2023
+---
+
+# Linter rule - max asserts
+
+This rule checks that the number of predeployment conditions doesn't exceed `32`.
+
+## Linter rule code
+
+Use the following value in the [Bicep configuration file](bicep-config-linter.md) to customize rule settings:
+
+`max-asserts`
+
+> [!WARNING]
+> This rule is intended used in tandem with `testFramework` experimental feature flag for expected functionality. For more information, see [Bicep Experimental Test Framework](https://github.com/Azure/bicep/issues/11967).
+
+## Solution
+
+Reduce the number of predeployment conditions in your template.
+
+## Next steps
+
+For more information about the linter, see [Use Bicep linter](./linter.md).

articles/azure-resource-manager/bicep/linter.md

@@ -3,7 +3,7 @@ title: Use Bicep linter
 description: Learn how to use Bicep linter.
 ms.topic: conceptual
 ms.custom: devx-track-bicep
-ms.date: 11/27/2023
+ms.date: 12/29/2023
 ---
 
 # Use Bicep linter
@@ -22,6 +22,7 @@ The default set of linter rules is minimal and taken from [arm-ttk test cases](.
 - [artifacts-parameters](./linter-rule-artifacts-parameters.md)
 - [decompiler-cleanup](./linter-rule-decompiler-cleanup.md)
 - [explicit-values-for-loc-params](./linter-rule-explicit-values-for-loc-params.md)
+- [max-asserts](./linter-rule-max-asserts.md)
 - [max-outputs](./linter-rule-max-outputs.md)
 - [max-params](./linter-rule-max-parameters.md)
 - [max-resources](./linter-rule-max-resources.md)

articles/azure-resource-manager/bicep/toc.yml

@@ -458,6 +458,9 @@
       - name: Explicit values for module location parameters
         displayName: linter
         href: linter-rule-explicit-values-for-loc-params.md
+      - name: Max asserts
+        displayName: linter
+        href: linter-rule-max-asserts.md
       - name: Max outputs
         displayName: linter
         href: linter-rule-max-outputs.md
@@ -530,13 +533,13 @@
       - name: Use parent property
         displayName: linter
         href: linter-rule-use-parent-property.md
-      - name: use recent API versions
+      - name: Use recent API versions
         displayName: linter
         href: linter-rule-use-recent-api-versions.md
-      - name: use resource ID functions
+      - name: Use resource ID functions
         displayName: linter
         href: linter-rule-use-resource-id-functions.md
-      - name: use resource symbol reference
+      - name: Use resource symbol reference
         displayName: linter
         href: linter-rule-use-resource-symbol-reference.md
       - name: Use stable resource identifier

articles/backup/azure-kubernetes-service-backup-overview.md

@@ -5,7 +5,7 @@ ms.topic: conceptual
 ms.service: backup
 ms.custom:
   - ignite-2023
-ms.date: 12/25/2023
+ms.date: 12/29/2023
 author: AbhishekMallick-MS
 ms.author: v-abhmallick
 ---
@@ -67,6 +67,15 @@ Azure Backup gives you the option to restore all the items that are backed up or
 
 To restore backup stored in Vault Tier, you must provide a staging location where the backup data is hydrated. This staging location includes a resource group and a storage account in it within the same region and a subscription as the target cluster for restore. During restore, specific resources (blob container, disk, and disk snapshots) are created as part of hydration, which is then cleared after the restore operation is complete.
 
+Azure Backup for AKS currently supports the following two options when doing a restore operation when resource clash happens (backed-up resource has the same name as the resource in the target AKS cluster). You can choose one of these options when defining the restore configuration.
+
+1. **Skip**: This option is selected by default. For example, if you have backed up a PVC named *pvc-azuredisk* and you're restoring it in a target cluster that has the PVC with the same name, then the backup extension skips restoring the backed-up persistent volume claim (PVC). In such scenarios, we recommend you to delete the resource from the cluster, and then do the restore operation so that the backed-up items are only available in the cluster and aren't skipped.
+
+2. **Patch**: This option allows the patching mutable variable in the backed-up resource on the resource in the target cluster. If you want to update the number of replicas in the target cluster, you can opt for patching as an operation. 
+
+>[!Note]
+>AKS backup currently doesn't delete and recreate resources in the target cluster if they already exist. If you attempt to restore Persistent Volumess in the original location, delete the existing Persistent Volumes, and then do the restore operation.
+
 ## Use custom hooks for backup and restore
 
 You can use custom hooks to take application-consistent snapshots of volumes that are used for databases deployed as containerized workloads.

articles/backup/azure-kubernetes-service-backup-troubleshoot.md

@@ -1,8 +1,8 @@
 ---
 title: Troubleshoot Azure Kubernetes Service backup
-description: Symptoms, causes, and resolutions of Azure Kubernetes Service backup and restore.
+description: Symptoms, causes, and resolutions of the Azure Kubernetes Service backup and restore operations.
 ms.topic: troubleshooting
-ms.date: 03/15/2023
+ms.date: 12/28/2023
 ms.service: backup
 ms.custom:
   - ignite-2023
@@ -114,6 +114,114 @@ This error appears due to absence of these FQDN rules because of which configura
 
 6. Delete and reinstall Backup Extension to initiate backup. 
 
+## Backup Extension post installation related errors
+
+These error codes appear due to issues on the Backup Extension installed in the AKS cluster.
+
+
+
+### KubernetesBackupListExtensionsError: 
+
+**Cause**: Backup vault as part of a validation, checks if the cluster has backup extension installed. For this, the Vault MSI needs a reader permission on the AKS cluster allowing it to list all the extensions installed in the cluster. 
+
+**Recommended action**: Reassign the Reader role to the Vault MSI (remove the existing role assignment and assign the Reader role again), because the Reader role assigned is missing the *list-extension* permission in it. If reassignment fails, use a different Backup vault to configure backup.
+
+### UserErrorKubernetesBackupExtensionNotFoundError
+
+**Cause**: Backup vault as part of validation, checks if the cluster has the Backup extension installed. Vault performs an operation to list the extensions installed in the cluster. If the Backup extension is absent in the list, this error appears.
+
+**Recommended action**: Use the CL or Azure portal client to delete the extension, and then install the extension again.
+
+### UserErrorKubernetesBackupExtensionHasErrors
+
+**Cause**: The Backup extension installed in the cluster has some internal errors.
+
+**Recommended action**: Use the CL or Azure portal client to delete the extension, and then install the extension again.
+
+### UserErrorKubernetesBackupExtensionIdentityNotFound
+
+**Cause**: AKS backup requires a Backup extension installed in the cluster. The extension along with its installation has a User Identity created called extension MSI. This MSI is created in the Resource Group comprising the node pools for the AKS cluster. This MSI gets the required Roles assigned to access Backup Storage location. The error code suggests that the Extension Identity is missing.
+
+**Recommended action**: Use the CLI or the Azure portal client to delete the extension, and then install the extension again. A new identity is created along with the extension.
+
+### KubernetesBackupCustomResourcesTrackingTimeOutError
+
+**Cause**: Azure Backup for AKS requires a Backup extension to be installed in the cluster. To perform the backup and restore operations, custom resources are created in the cluster. The extension-spawn pods that perform backup related operations via these CRs. This error occurs when the extension isn't able to update the status of these CRs.
+
+**Recommended action**: The health of the extension is required to be verified via running the command `kubectl get pods -n dataprotection.microsoft`. If the pods aren't in running state, then increase the number of nodes in the cluster by *1* or increase the compute limits. Then wait for a few minutes and run the command again, which should change the state of the pods to *running*. If the issue persists, delete and reinstall the extension.
+
+### BackupPluginDeleteBackupOperationFailed
+
+**Cause**: The Backup extension should be running to delete the backups. 
+
+**Recommended action**: If the cluster is running, verify if the extension is running in a healthy state. Check if the extension pods are spawning, otherwise, increase the nodes. If that fails, try deleting and reinstalling the extension. If the backed-up cluster is deleted, then manually delete the snapshots and metadata.
+
+### ExtensionTimedOutWaitingForBackupItemSync
+
+**Cause**: The Backup extension waits for the backup items to be synced with the storage account.
+
+**Recommended action**: If this error code appears, then either retry the backup operation or reinstall the extension.
+
+## Backup storage location based errors
+
+These error codes appear due to issues based on the Backup extension installed in the AKS cluster.
+
+### UserErrorDeleteBackupFailedBackupStorageLocationReadOnly
+
+**Cause**: The storage account provided as input during Backup extension installation is in *read only* state, which doesn't allow to delete the backup data from the blob container. 
+
+**Recommended action**: Change the storage account state from *read only* to *write*.
+
+### UserErrorDeleteBackupFailedBackupStorageLocationNotFound
+
+**Cause**: During the extension installation, a Backup Storage Location is to be provided as input that includes a storage account and blob container. This error appears if the location is deleted or incorrectly added during extension installation.
+
+**Recommended action**: Delete the Backup extension, and then reinstall it with correct storage account and blob container as input.
+
+### UserErrorBackupFailedBackupStorageLocationReadOnly
+
+**Cause**: The storage account provided as input during Backup extension installation is in *read only* state, which doesn't allow to write backup data on the blob container.
+
+**Recommended action**: Change the storage account state from *read only* to *write*.
+
+### UserErrorNoDefaultBackupStorageLocationFound
+
+**Cause**: During extension installation, a Backup Storage Location is to be provided as input, which includes a storage account and blob container. The error appears if the location is deleted or incorrectly entered during extension installation.
+
+**Recommended action**: Delete the Backup extension, and then reinstall it with correct storage account and blob container as input.
+
+### UserErrorExtensionMSIMissingPermissionsOnBackupStorageLocation
+
+**Cause**: The Backup extension should have the *Storage Account Contributor* role on the Backup Storage Location (storage account). The Extension Identity gets this role assigned. 
+
+**Recommended action**: If this role is missing, then use Azure portal or CLI to reassign this missing permission on the storage account.
+
+### UserErrorBackupStorageLocationNotReady
+
+**Cause**: During extension installation, a Backup Storage Location is to be provided as input that includes a storage account and blob container. The Backup extension should have *Storage Account Contributor* role on the Backup Storage Location (storage account). The Extension Identity gets this role assigned.
+
+**Recommended action**: The error appears if the Extension Identity doesn't have right permissions to access the storage account. This  error appears if AKS backup extension is installed the first time when configuring protection operation. This happens for the time taken for the granted permissions to propagate to the AKS backup extension. As a workaround, wait an hour and retry the protection configuration. Otherwise, use Azure portal or CLI to reassign this missing permission on the storage account.
+
+## Vaulted backup based errors
+
+This error code can appear while you enable AKS backup to store backups in a vault standard datastore.
+
+### DppUserErrorVaultTierPolicyNotSupported
+
+**Cause**: This error code appears when a backup policy is created with retention rule defined for vault-standard datastore for a Backup vault in a region where this datastore isn't supported.
+
+**Recommended action**: Update the retention rule with vault-standard duration defined on Azure portal:
+
+1. Select **Edit** icon next to the rule.
+
+   :::image type="content" source="./media/azure-kubernetes-service-backup-troubleshoot/edit-backup-policy-for-vaulted-backup.png" alt-text="Screenshot shows how to edit the retention duration of the AKS backups." lightbox="./media/azure-kubernetes-service-backup-troubleshoot/edit-backup-policy-for-vaulted-backup.png":::
+
+2. Clear the checkbox next the **Vault-standard**, and then select **Update**.
+
+   :::image type="content" source="./media/azure-kubernetes-service-backup-troubleshoot/clear-vault-standard-checkbox.png" alt-text="Screenshot shows clearing the vault-standard checkbox." lightbox="./media/azure-kubernetes-service-backup-troubleshoot/clear-vault-standard-checkbox.png":::
+
+3. Create a backup policy for operational tier backup (only snapshots for the AKS cluster).
+
 ## Next steps
 
 - [About Azure Kubernetes Service (AKS) backup](azure-kubernetes-service-backup-overview.md)

articles/backup/azure-kubernetes-service-cluster-restore.md

@@ -5,7 +5,7 @@ ms.topic: how-to
 ms.service: backup
 ms.custom:
   - ignite-2023
-ms.date: 12/25/2023
+ms.date: 12/29/2023
 author: AbhishekMallick-MS
 ms.author: v-abhmallick
 ---
@@ -111,6 +111,15 @@ As part of item-level restore capability of AKS backup, you can utilize multiple
 
      :::image type="content" source="./media/azure-kubernetes-service-cluster-restore/select-backed-up-namespace-for-migrate.png" alt-text="Screenshot shows the selection of namespace for migration.":::
 
+Azure Backup for AKS currently supports the following two options when doing a restore operation when resource clash happens (backed-up resource has the same name as the resource in the target AKS cluster). You can choose one of these options when defining the restore configuration.
+
+- **Skip**: This option is selected by default. For example, if you have backed up a PVC named *pvc-azuredisk* and you're restoring it in a target cluster that has the PVC with the same name, then the backup extension skips restoring the backed-up persistent volume claim (PVC). In such scenarios, we recommend you to delete the resource from the cluster, and then do the restore operation so that the backed-up items are only available in the cluster and aren't skipped.
+
+- **Patch**: This option allows the patching mutable variable in the backed-up resource on the resource in the target cluster. If you want to update the number of replicas in the target cluster, you can opt for patching as an operation. 
+
+>[!Note]
+>AKS backup currently doesn't delete and recreate resources in the target cluster if they already exist. If you attempt to restore Persistent Volumess in the original location, delete the existing Persistent Volumes, and then do the restore operation.
+
 ## Restore in secondary region (preview)
 
 To restore the AKS cluster in the secondary region, [configure Geo redundancy and Cross Region Restore in the Backup vault](azure-kubernetes-service-cluster-backup.md#create-a-backup-vault), and then [trigger restore](tutorial-restore-aks-backups-across-regions.md#restore-in-secondary-region-preview).