Merge pull request #278667 from MicrosoftDocs/repo_sync_working_branch

Taojunshen · web-flow · commit 9f768ea3397e · 2024-06-20T00:35:08.000+08:00
Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-docs (branch main)
diff --git a/articles/azure-monitor/visualize/workbooks-data-sources.md b/articles/azure-monitor/visualize/workbooks-data-sources.md
@@ -98,7 +98,13 @@ This provider supports [JSONPath](workbooks-jsonpath.md).
 
 Merging data from different sources can enhance the insights experience. An example is augmenting active alert information with related metric data. Merging data allows users to see not just the effect (an active alert) but also potential causes, for example, high CPU usage. The monitoring domain has numerous such correlatable data sources that are often critical to the triage and diagnostic workflow.
 
-With workbooks, you can query different data sources. Workbooks also provide simple controls that you can use to merge or join data to provide rich insights. The *merge* control is the way to achieve it.
+With workbooks, you can query different data sources. Workbooks also provide simple controls that you can use to merge or join data to provide rich insights. The *merge* control is the way to achieve it.  A single merge data source can do many merges in one step.  For example, a *single* merge data source can merge results from a step using Azure Resource Graph with Azure Metrics, and then merge that result with another step using the Azure Resource Manager data source in one query item.
+
+> [!NOTE]
+> Although hidden query and metrics steps run if they're referenced by a merge step, hidden query items that use the merge data source don't run while hidden.
+> A step that uses merge and attempts to reference a hidden step by using merge data source won't run until that hidden step becomes visible.
+> A single merge step can merge many data sources at once.  There's rarely a case where a merge data source will reference another merge data source.
+
 
 ### Combine alerting data with Log Analytics VM performance data
 
diff --git a/articles/backup/azure-kubernetes-service-cluster-backup-concept.md b/articles/backup/azure-kubernetes-service-cluster-backup-concept.md
@@ -33,7 +33,7 @@ Azure Backup now allows you to back up AKS clusters (cluster resources and persi
 
 - Before you install an extension in an AKS cluster, you must register the `Microsoft.KubernetesConfiguration` resource provider at the subscription level. Learn how to [register the resource provider](azure-kubernetes-service-cluster-manage-backups.md#resource-provider-registrations).
 
-- Extension agent and extension operator are the core platform components in AKS, which are installed when an extension of any type is installed for the first time in an AKS cluster. These provide capabilities to deploy *1P* and *3P* extensions. The backup extension also relies on them for installation and upgrades.
+- Extension agent and extension operator are the core platform components in AKS, which are installed when an extension of any type is installed for the first time in an AKS cluster. These provide capabilities to deploy first-party and third-party extensions. The backup extension also relies on them for installation and upgrades.
 
   >[!Note]
   >Both of these core components are deployed with aggressive hard limits on CPU and memory, with CPU *less than 0.5% of a core* and memory limit ranging from *50-200 MB*. So, the *COGS impact* of these components is very low. Because they are core platform components, there is no workaround available to remove them once installed in the cluster.
@@ -48,7 +48,7 @@ Many Azure services depend on *clusterAdmin kubeconfig* and the *publicly access
 
 Your Azure resources access AKS clusters through the AKS regional gateway using system-assigned managed identity authentication. The managed identity must have the appropriate Kubernetes permissions assigned via an Azure resource role.
 
-For AKS backup, the Backup vault accesses your AKS clusters via Trusted Access to configure backups and restores. The Backup vault is assigned a pre-defined role **Microsoft.DataProtection/backupVaults/backup-operator** in the AKS cluster, allowing it to only perform specific backup operations. 
+For AKS backup, the Backup vault accesses your AKS clusters via Trusted Access to configure backups and restores. The Backup vault is assigned a predefined role **Microsoft.DataProtection/backupVaults/backup-operator** in the AKS cluster, allowing it to only perform specific backup operations. 
 
 To enable Trusted Access between a Backup vault and an AKS cluster, you must register the `TrustedAccessPreview`  feature flag on `Microsoft.ContainerService` at the subscription level. Learn more [to register the resource provider](azure-kubernetes-service-cluster-manage-backups.md#enable-the-feature-flag).
 
@@ -63,7 +63,7 @@ Learn [how to enable Trusted Access](azure-kubernetes-service-cluster-manage-bac
 
 To enable backup for an AKS cluster, see the following prerequisites: .
 
-- AKS backup uses CSI drivers snapshot capabilities to perform backups of persistent volumes. CSI Driver support is available for AKS clusters with Kubernetes version *1.21.1* or later. 
+- AKS backup uses Container Storage Interface (CSI) drivers snapshot capabilities to perform backups of persistent volumes. CSI Driver support is available for AKS clusters with Kubernetes version *1.21.1* or later. 
 
   >[!Note]
   >- Currently, AKS backup only supports backup of Azure Disk-based persistent volumes (enabled by CSI driver). If you're using Azure File Share and Azure Blob type persistent volumes in your AKS clusters, you can configure backups for them via the Azure Backup solutions available for [Azure File Share](azure-file-share-backup-overview.md) and [Azure Blob](blob-backup-overview.md).
diff --git a/articles/backup/backup-azure-diagnostic-events.md b/articles/backup/backup-azure-diagnostic-events.md
@@ -35,7 +35,7 @@ If you are still using the [legacy event](#legacy-event) Azure Backup Reporting
 
 For more information, see [Data model for Azure Backup diagnostics events](./backup-azure-reports-data-model.md).
 
-Data for these events can be sent to either a storage account, a Log Analytics workspace, or an event hub. If you're sending this data to a Log Analytics workspace, select the **Resource specific** toggle on the **Diagnostics settings** screen. For more information, see the following sections.
+Data for these events can be sent to either a storage account, a Log Analytics workspace, or an event hub. The storage account needs to be in the same region as the Recovery Services vaults. However, the Log Analytics workspace can be in a different region.  If you're sending this data to a Log Analytics workspace, select the **Resource specific** toggle on the **Diagnostics settings** screen. For more information, see the following sections.
 
 ## Use diagnostics settings with Log Analytics
 
@@ -144,6 +144,10 @@ Azure Backup and Azure Site Recovery events are sent from the same Recovery Serv
 
 ![Site Recovery events](./media/backup-azure-diagnostics-events/site-recovery-settings.png)
 
+> [!NOTE]
+> When you create a Log Analytics workspace, it does not matter if the Recovery Services vault is located in a different region.
+
+
 To summarize:
 
 * If you already have Log Analytics diagnostics set up with Azure Diagnostics and have written custom queries on top of it, keep that setting *intact* until you migrate your queries to use data from the new events.
diff --git a/articles/firewall-manager/migrate-to-policy.md b/articles/firewall-manager/migrate-to-policy.md
@@ -25,14 +25,22 @@ The beginning of the script defines the source firewall name and resource group
 Modify the following script to migrate your firewall configuration.
 
 ```azurepowershell
-#Input params to be modified as needed
-$FirewallResourceGroup = "AzFWMigrateRG"
+# Input params to be modified as needed
+$FirewallResourceGroup = "AzFWMigrateRG" 
 $FirewallName = "azfw"
 $FirewallPolicyResourceGroup = "AzFWPolicyRG"
 $FirewallPolicyName = "fwpolicy"
 $FirewallPolicyLocation = "WestEurope"
-	@@ -43,141 +44,186 @@ $InvalidCharsPattern = "[']"
-#Helper functions for translating ApplicationProtocol and ApplicationRule
+
+$DefaultAppRuleCollectionGroupName = "ApplicationRuleCollectionGroup"
+$DefaultNetRuleCollectionGroupName = "NetworkRuleCollectionGroup"
+$DefaultNatRuleCollectionGroupName = "NatRuleCollectionGroup"
+$ApplicationRuleGroupPriority = 300
+$NetworkRuleGroupPriority = 200
+$NatRuleGroupPriority = 100
+$InvalidCharsPattern = "[']"
+
+# Helper functions for translating ApplicationProtocol and ApplicationRule
 Function GetApplicationProtocolsString
 {
   Param([Object[]] $Protocols)
@@ -81,7 +89,7 @@ Function ParseRuleName
 	Param([Object] $RuleName)
 	if ($RuleName -match $InvalidCharsPattern) {
 		$newRuleName = $RuleName -split $InvalidCharsPattern -join ""
-		Write-Host "Rule $RuleName contains an invalid character. Invalid characters have been removed, rule new name is $newRuleName. " -ForegroundColor Cyan
+		Write-Host "Rule $RuleName contains an invalid character. Invalid characters have been removed, rule new name is $newRuleName. " -ForegroundColor Yellow
 		return $newRuleName 
 	}
 	return $RuleName
@@ -100,8 +108,9 @@ else {
   $fwp = New-AzFirewallPolicy -Name $FirewallPolicyName -ResourceGroupName $FirewallPolicyResourceGroup -Location $FirewallPolicyLocation -ThreatIntelMode $azfw.ThreatIntelMode
 }
 Write-Host $fwp.Name "created"
+
+# Translate ApplicationRuleCollection
 Write-Host "creating " $azfw.ApplicationRuleCollections.Count " application rule collections"
-#Translate ApplicationRuleCollection
 If ($azfw.ApplicationRuleCollections.Count -gt 0)
 {
   $firewallPolicyAppRuleCollections = @()
@@ -115,18 +124,19 @@ If ($azfw.ApplicationRuleCollections.Count -gt 0)
       {
         $cmd = GetApplicationRuleCmd($appRule)
         $firewallPolicyAppRule = Invoke-Expression $cmd
-        Write-Host "Created appRule " $firewallPolicyAppRule.Name
+        Write-Host "Created Application Rule: " $firewallPolicyAppRule.Name
         $firewallPolicyAppRules += $firewallPolicyAppRule
       }
       $fwpAppRuleCollection = New-AzFirewallPolicyFilterRuleCollection -Name $appRC.Name -Priority $appRC.Priority -ActionType $appRC.Action.Type -Rule $firewallPolicyAppRules
-      Write-Host "Created appRuleCollection "  $fwpAppRuleCollection.Name
+      Write-Host "Created Application Rule Collection: "  $fwpAppRuleCollection.Name
     }
     $firewallPolicyAppRuleCollections += $fwpAppRuleCollection
   }
   $appRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultAppRuleCollectionGroupName -Priority $ApplicationRuleGroupPriority -RuleCollection $firewallPolicyAppRuleCollections -FirewallPolicyObject $fwp
-  Write-Host "Created ApplicationRuleCollectionGroup "  $appRuleGroup.Name
+  Write-Host "Created Application Rule Collection Group: "  $appRuleGroup.Name
 }
-#Translate NetworkRuleCollection
+
+# Translate NetworkRuleCollection
 Write-Host "creating " $azfw.NetworkRuleCollections.Count " network rule collections"
 If ($azfw.NetworkRuleCollections.Count -gt 0)
 {
@@ -170,18 +180,19 @@ If ($azfw.NetworkRuleCollections.Count -gt 0)
             $firewallPolicyNetRule = New-AzFirewallPolicyNetworkRule -Name $parsedName -SourceIpGroup $rule.SourceIpGroups -DestinationFqdn $rule.DestinationFqdns -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
           }
         }
-        Write-Host "Created network rule " $firewallPolicyNetRule.Name
+        Write-Host "Created network rule: " $firewallPolicyNetRule.Name
         $firewallPolicyNetRules += $firewallPolicyNetRule
       }
       $fwpNetRuleCollection = New-AzFirewallPolicyFilterRuleCollection -Name $rc.Name -Priority $rc.Priority -ActionType $rc.Action.Type -Rule $firewallPolicyNetRules
-      Write-Host "Created NetworkRuleCollection "  $fwpNetRuleCollection.Name
+      Write-Host "Created Network Rule Collection: "  $fwpNetRuleCollection.Name
     }
     $firewallPolicyNetRuleCollections += $fwpNetRuleCollection
   }
   $netRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNetRuleCollectionGroupName -Priority $NetworkRuleGroupPriority -RuleCollection $firewallPolicyNetRuleCollections -FirewallPolicyObject $fwp
-  Write-Host "Created NetworkRuleCollectionGroup "  $netRuleGroup.Name
+  Write-Host "Created Network Rule Collection Group: "  $netRuleGroup.Name
 }
-#Translate NatRuleCollection
+
+# Translate NatRuleCollection
 # Hierarchy for NAT rule collection is different for AZFW and FirewallPolicy. In AZFW you can have a NatRuleCollection with multiple NatRules
 # where each NatRule will have its own set of source , dest, translated IPs and ports.
 # In FirewallPolicy a NatRuleCollection has a set of rules which has one condition (source and dest IPs and Ports) and the translated IP and ports
@@ -198,29 +209,32 @@ If ($azfw.NatRuleCollections.Count -gt 0)
     If ($rc.Rules.Count -gt 0)
     {
       Write-Host "creating " $rc.Rules.Count " nat rules for collection "  $rc.Name
-      
       ForEach ($rule in $rc.Rules) 
 			{
 				$parsedName = ParseRuleName($rule.Name)
-				If ($rule.SourceAddresses)
-	@@ -188,18 +234,19 @@ If ($azfw.NatRuleCollections.Count -gt 0) {
+				If ($rule.SourceAddresses) 
 				{
-					$firewallPolicyNatRule = New-AzFirewallPolicyNatRule -Name $parsedName -SourceIpGroup  $rule.SourceIpGroups -TranslatedAddress $rule.TranslatedAddress -TranslatedPort $rule.TranslatedPort -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
+					$firewallPolicyNatRule = New-AzFirewallPolicyNatRule -Name $parsedName -SourceIpGroup  $rule.SourceAddresses -TranslatedAddress $rule.TranslatedAddress -TranslatedPort $rule.TranslatedPort -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
 				}
+        elseif ($rule.SourceIpGroups)
+        {
+					$firewallPolicyNatRule = New-AzFirewallPolicyNatRule -Name $parsedName -SourceIpGroup  $rule.SourceIpGroups -TranslatedAddress $rule.TranslatedAddress -TranslatedPort $rule.TranslatedPort -DestinationAddress $rule.DestinationAddresses -DestinationPort $rule.DestinationPorts -Protocol $rule.Protocols
+        }
 				Write-Host "Created NAT rule: " $firewallPolicyNatRule.Name
         $firewallPolicyNatRules += $firewallPolicyNatRule
       }
       
       $natRuleCollectionName = $rc.Name
       $fwpNatRuleCollection = New-AzFirewallPolicyNatRuleCollection -Name $natRuleCollectionName -Priority $priority -ActionType $rc.Action.Type -Rule $firewallPolicyNatRules
       $priority += 1
-      Write-Host "Created NAT RuleCollection "  $fwpNatRuleCollection.Name
+      Write-Host "Created NAT Rule Collection: "  $fwpNatRuleCollection.Name
       $firewallPolicyNatRuleCollections += $fwpNatRuleCollection
     }
   }
-  $natRuleGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNatRuleCollectionGroupName -Priority $NatRuleGroupPriority -RuleCollection $firewallPolicyNatRuleCollections -FirewallPolicyObject $fwp
-  Write-Host "Created NAT RuleCollectionGroup "  $natRuleGroup.Name
+  $natRuleCollectionGroup = New-AzFirewallPolicyRuleCollectionGroup -Name $DefaultNatRuleCollectionGroupName -Priority $NatRuleGroupPriority -RuleCollection $firewallPolicyNatRuleCollections -FirewallPolicyObject $fwp
+  Write-Host "Created NAT Rule Collection Group: "  $natRuleCollectionGroup.Name
 }
+
 ```
 ## Next steps
 
