Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into retry-go

Author: pauljewellmsft

articles/ai-services/content-safety/studio-quickstart.md

@@ -23,6 +23,7 @@ In this quickstart, get started with the Azure AI Content Safety service using C
 
 * An active Azure account. If you don't have one, you can [create one for free](https://azure.microsoft.com/free/cognitive-services/).
 * A [Content Safety](https://aka.ms/acs-create) Azure resource.
+* The `Cognitive Services User` role assigned to the Content Safety resource in the desired Azure subscription.
 * Sign in to [Content Safety Studio](https://contentsafety.cognitive.azure.com) with your Azure subscription and Content Safety resource. 
 
 

articles/ai-services/openai/concepts/gpt-with-vision.md

@@ -81,7 +81,7 @@ For a typical use case, take an image with both visible objects and text and a 1
 | Item        | Detail        |  Cost   |
 |-----------------|-----------------|--------------|
 | Text prompt input | 100 text tokens | $0.001 |
-| Example image input (see [Image tokens](/ai-services/openai/overview#image-tokens-gpt-4-turbo-with-vision)) | 170 + 85 image tokens | $0.00255 |
+| Example image input (see [Image tokens](/azure/ai-services/openai/overview#image-tokens-gpt-4-turbo-with-vision)) | 170 + 85 image tokens | $0.00255 |
 | Enhanced add-on features for OCR | $1.50 / 1000 transactions | $0.0015 |
 | Enhanced add-on features for Object Grounding | $1.50 / 1000 transactions | $0.0015 | 
 | Output Tokens      | 100 tokens (assumed)    | $0.003       |

articles/aks/app-routing-nginx-configuration.md

@@ -551,3 +551,4 @@ Learn about monitoring the ingress-nginx controller metrics included with the ap
 [azure-dns-overview]: ../dns/dns-overview.md
 [az-keyvault-certificate-show]: /cli/azure/keyvault/certificate#az-keyvault-certificate-show
 [prometheus-in-grafana]: app-routing-nginx-prometheus.md
+[az-role-assignment-create]: /cli/azure/role/assignment#az-role-assignment-create

articles/aks/configure-azure-cni-static-block-allocation.md

@@ -149,7 +149,7 @@ location="myRegion"
 az group create --name $resourceGroup --location $location
 
 # Create our two subnet network 
-az network vnet create -resource-group $resourceGroup --location $location --name $vnet --address-prefixes 10.0.0.0/8 -o none 
+az network vnet create --resource-group $resourceGroup --location $location --name $vnet --address-prefixes 10.0.0.0/8 -o none 
 az network vnet subnet create --resource-group $resourceGroup --vnet-name $vnet --name nodesubnet --address-prefixes 10.240.0.0/16 -o none 
 az network vnet subnet create --resource-group $resourceGroup --vnet-name $vnet --name podsubnet --address-prefixes 10.40.0.0/13 -o none 
 ```
@@ -171,7 +171,6 @@ az aks create \
     --vnet-subnet-id /subscriptions/$subscription/resourceGroups/$resourceGroup/providers/Microsoft.Network/virtualNetworks/$vnet/subnets/nodesubnet \
     --pod-subnet-id /subscriptions/$subscription/resourceGroups/$resourceGroup/providers/Microsoft.Network/virtualNetworks/$vnet/subnets/podsubnet \
     --enable-addons monitoring \
-    --kubernetes-version 1.28 \
     --generate-ssh-keys
 ```
 

articles/aks/istio-upgrade.md

@@ -6,6 +6,7 @@ ms.service: azure-kubernetes-service
 ms.date: 05/04/2023
 ms.author: shasb
 author: shashankbarsin
+ms.custom: devx-track-azurecli
 ---
 
 # Upgrade Istio-based service mesh add-on for Azure Kubernetes Service
@@ -20,27 +21,27 @@ Istio add-on allows upgrading the minor revision using [canary upgrade process][
 
 If the cluster is currently using a supported minor revision of Istio, upgrades are only allowed one minor revision at a time. If the cluster is using an unsupported revision of Istio, you must upgrade to the lowest supported minor revision of Istio for that Kubernetes version. After that, upgrades can again be done one minor revision at a time.
 
-The following example illustrates how to upgrade from revision `asm-1-18` to `asm-1-19`. The steps are the same for all minor upgrades.
+The following example illustrates how to upgrade from revision `asm-1-20` to `asm-1-21`. The steps are the same for all minor upgrades.
 
 1. Use the [az aks mesh get-upgrades](/cli/azure/aks/mesh#az-aks-mesh-get-upgrades) command to check which revisions are available for the cluster as upgrade targets:
 
-    ```bash
+    ```azurecli-interactive
     az aks mesh get-upgrades --resource-group $RESOURCE_GROUP --name $CLUSTER
     ```
 
     If you expect to see a newer revision not returned by this command, you may need to upgrade your AKS cluster first so that it's compatible with the newest revision.
 
 1. If you've set up [mesh configuration][meshconfig] for the existing mesh revision on your cluster, you need to create a separate ConfigMap corresponding to the new revision in the `aks-istio-system` namespace **before initiating the canary upgrade** in the next step. This configuration is applicable the moment the new revision's control plane is deployed on cluster. More details can be found [here][meshconfig-canary-upgrade].
 
-1. Initiate a canary upgrade from revision `asm-1-18` to `asm-1-19` using [az aks mesh upgrade start](/cli/azure/aks/mesh#az-aks-mesh-upgrade-start):
+1. Initiate a canary upgrade from revision `asm-1-20` to `asm-1-21` using [az aks mesh upgrade start](/cli/azure/aks/mesh/upgrade#az-aks-mesh-upgrade-start):
 
-    ```bash
-    az aks mesh upgrade start --resource-group $RESOURCE_GROUP --name $CLUSTER --revision asm-1-19
+    ```azurecli-interactive
+    az aks mesh upgrade start --resource-group $RESOURCE_GROUP --name $CLUSTER --revision asm-1-21
     ```
 
-    A canary upgrade means the 1.18 control plane is deployed alongside the 1.17 control plane. They continue to coexist until you either complete or roll back the upgrade.
+    A canary upgrade means the 1.20 control plane is deployed alongside the 1.21 control plane. They continue to coexist until you either complete or roll back the upgrade.
 
-1. Verify control plane pods corresponding to both `asm-1-18` and `asm-1-19` exist:
+1. Verify control plane pods corresponding to both `asm-1-20` and `asm-1-21` exist:
 
     * Verify `istiod` pods:
 
@@ -52,10 +53,10 @@ The following example illustrates how to upgrade from revision `asm-1-18` to `as
 
         ```
         NAME                                        READY   STATUS    RESTARTS   AGE
-        istiod-asm-1-18-55fccf84c8-dbzlt            1/1     Running   0          58m
-        istiod-asm-1-18-55fccf84c8-fg8zh            1/1     Running   0          58m
-        istiod-asm-1-19-f85f46bf5-7rwg4             1/1     Running   0          51m
-        istiod-asm-1-19-f85f46bf5-8p9qx             1/1     Running   0          51m
+        istiod-asm-1-20-55fccf84c8-dbzlt            1/1     Running   0          58m
+        istiod-asm-1-20-55fccf84c8-fg8zh            1/1     Running   0          58m
+        istiod-asm-1-21-f85f46bf5-7rwg4             1/1     Running   0          51m
+        istiod-asm-1-21-f85f46bf5-8p9qx             1/1     Running   0          51m
         ```
 
     * If ingress is enabled, verify ingress pods:
@@ -68,22 +69,22 @@ The following example illustrates how to upgrade from revision `asm-1-18` to `as
 
         ```
         NAME                                                          READY   STATUS    RESTARTS   AGE
-        aks-istio-ingressgateway-external-asm-1-18-58f889f99d-qkvq2   1/1     Running   0          59m
-        aks-istio-ingressgateway-external-asm-1-18-58f889f99d-vhtd5   1/1     Running   0          58m
-        aks-istio-ingressgateway-external-asm-1-19-7466f77bb9-ft9c8   1/1     Running   0          51m
-        aks-istio-ingressgateway-external-asm-1-19-7466f77bb9-wcb6s   1/1     Running   0          51m
-        aks-istio-ingressgateway-internal-asm-1-18-579c5d8d4b-4cc2l   1/1     Running   0          58m
-        aks-istio-ingressgateway-internal-asm-1-18-579c5d8d4b-jjc7m   1/1     Running   0          59m
-        aks-istio-ingressgateway-internal-asm-1-19-757d9b5545-g89s4   1/1     Running   0          51m
-        aks-istio-ingressgateway-internal-asm-1-19-757d9b5545-krq9w   1/1     Running   0          51m
+        aks-istio-ingressgateway-external-asm-1-20-58f889f99d-qkvq2   1/1     Running   0          59m
+        aks-istio-ingressgateway-external-asm-1-20-58f889f99d-vhtd5   1/1     Running   0          58m
+        aks-istio-ingressgateway-external-asm-1-21-7466f77bb9-ft9c8   1/1     Running   0          51m
+        aks-istio-ingressgateway-external-asm-1-21-7466f77bb9-wcb6s   1/1     Running   0          51m
+        aks-istio-ingressgateway-internal-asm-1-20-579c5d8d4b-4cc2l   1/1     Running   0          58m
+        aks-istio-ingressgateway-internal-asm-1-20-579c5d8d4b-jjc7m   1/1     Running   0          59m
+        aks-istio-ingressgateway-internal-asm-1-21-757d9b5545-g89s4   1/1     Running   0          51m
+        aks-istio-ingressgateway-internal-asm-1-21-757d9b5545-krq9w   1/1     Running   0          51m
         ```
 
         Observe that ingress gateway pods of both revisions are deployed side-by-side. However, the service and its IP remain immutable.
 
 1. Relabel the namespace so that any new pods get the Istio sidecar associated with the new revision and its control plane:
 
     ```bash
-    kubectl label namespace default istio.io/rev=asm-1-19 --overwrite
+    kubectl label namespace default istio.io/rev=asm-1-21 --overwrite
     ```
 
     Relabeling doesn't affect your workloads until they're restarted.
@@ -98,7 +99,7 @@ The following example illustrates how to upgrade from revision `asm-1-18` to `as
 
     * **Complete the canary upgrade**: If you're satisfied that the workloads are all running in a healthy state as expected, you can complete the canary upgrade. Completion of the upgrade removes the previous revision's control plane and leaves behind the new revision's control plane on the cluster. Run the following command to complete the canary upgrade:
 
-      ```bash
+      ```azurecli-interactive
       az aks mesh upgrade complete --resource-group $RESOURCE_GROUP --name $CLUSTER
       ```
 
@@ -107,7 +108,7 @@ The following example illustrates how to upgrade from revision `asm-1-18` to `as
       * Relabel the namespace to the previous revision:
 
           ```bash
-          kubectl label namespace default istio.io/rev=asm-1-18 --overwrite
+          kubectl label namespace default istio.io/rev=asm-1-20 --overwrite
           ```
 
       * Roll back the workloads to use the sidecar corresponding to the previous Istio revision by restarting these workloads again:
@@ -118,7 +119,7 @@ The following example illustrates how to upgrade from revision `asm-1-18` to `as
 
       * Roll back the control plane to the previous revision:
 
-          ```
+          ```azurecli-interactive
           az aks mesh upgrade rollback --resource-group $RESOURCE_GROUP --name $CLUSTER
           ```
 
@@ -147,8 +148,8 @@ Thus, during the canary upgrade, when two revisions exist simultaneously on the
     Example output:
 
     ```bash
-    "image": "mcr.microsoft.com/oss/istio/proxyv2:1.18.2-distroless",
-    "image": "mcr.microsoft.com/oss/istio/proxyv2:1.18.2-distroless"
+    "image": "mcr.microsoft.com/oss/istio/proxyv2:1.20.6-distroless",
+    "image": "mcr.microsoft.com/oss/istio/proxyv2:1.20.6-distroless"
     ```
 
   * Check the Istio proxy image version for all pods in a namespace:
@@ -162,7 +163,7 @@ Thus, during the canary upgrade, when two revisions exist simultaneously on the
     Example output:
 
     ```bash
-    productpage-v1-979d4d9fc-p4764:	docker.io/istio/examples-bookinfo-productpage-v1:1.18.0, mcr.microsoft.com/oss/istio/proxyv2:1.18.1-distroless
+    productpage-v1-979d4d9fc-p4764:	docker.io/istio/examples-bookinfo-productpage-v1:1.20.0, mcr.microsoft.com/oss/istio/proxyv2:1.20.6-distroless
     ```
 
   * To trigger reinjection, restart the workloads. For example:
@@ -182,11 +183,15 @@ Thus, during the canary upgrade, when two revisions exist simultaneously on the
     Example output:
 
     ```bash
-    productpage-v1-979d4d9fc-p4764:	docker.io/istio/examples-bookinfo-productpage-v1:1.18.0, mcr.microsoft.com/oss/istio/proxyv2:1.18.2-distroless
+    productpage-v1-979d4d9fc-p4764:	docker.io/istio/examples-bookinfo-productpage-v1:1.20.0, mcr.microsoft.com/oss/istio/proxyv2:1.20.7-distroless
     ```
 
+> [!NOTE]
+> In case of any issues encountered during upgrades, refer to [article on troubleshooting mesh revision upgrades][upgrade-istio-service-mesh-tsg]
+
 [aks-release-notes]: https://github.com/Azure/AKS/releases
 [istio-canary-upstream]: https://istio.io/latest/docs/setup/upgrade/canary/
 [meshconfig]: ./istio-meshconfig.md
 [meshconfig-canary-upgrade]: ./istio-meshconfig.md#mesh-configuration-and-upgrades
+[upgrade-istio-service-mesh-tsg]: /troubleshoot/azure/azure-kubernetes/extensions/istio-add-on-minor-revision-upgrade
 

articles/aks/media/windows-aks-customer-stories/finastra.png

@@ -103,7 +103,7 @@ For more information on the difference between collection modes including how to
 > The ability to select the collection mode isn't available in the Azure portal in all regions yet. For those regions where it's not yet available, use CLI to create the diagnostic setting with a command such as the following:
 > 
 > ```azurecli
-> az monitor diagnostic-settings create --name AKS-Diagnostics --resource /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourcegroup/providers/Microsoft.ContainerService/managedClusters/my-cluster --logs '[{""category"": ""kube-audit"",""enabled"": true}, {""category"": ""kube-audit-admin"", ""enabled"": true}, {""category"": ""kube-apiserver"", ""enabled"": true}, {""category"": ""kube-controller-manager"", ""enabled"": true}, {""category"": ""kube-scheduler"", ""enabled"": true}, {""category"": ""cluster-autoscaler"", ""enabled"": true}, {""category"": ""cloud-controller-manager"", ""enabled"": true}, {""category"": ""guard"", ""enabled"": true}, {""category"": ""csi-azuredisk-controller"", ""enabled"": true}, {""category"": ""csi-azurefile-controller"", ""enabled"": true}, {""category"": ""csi-snapshot-controller"", ""enabled"": true}]'  --workspace /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/myresourcegroup/providers/microsoft.operationalinsights/workspaces/myworkspace --export-to-resource-specific true
+> az monitor diagnostic-settings create --name AKS-Diagnostics --resource /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourcegroup/providers/Microsoft.ContainerService/managedClusters/my-cluster --logs '[{"category": "kube-audit","enabled": true}, {"category": "kube-audit-admin", "enabled": true}, {"category": "kube-apiserver", "enabled": true}, {"category": "kube-controller-manager", "enabled": true}, {"category": "kube-scheduler", "enabled": true}, {"category": "cluster-autoscaler", "enabled": true}, {"category": "cloud-controller-manager", "enabled": true}, {"category": "guard", "enabled": true}, {"category": "csi-azuredisk-controller", "enabled": true}, {"category": "csi-azurefile-controller", "enabled": true}, {"category": "csi-snapshot-controller", "enabled": true}]'  --workspace /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/myresourcegroup/providers/microsoft.operationalinsights/workspaces/myworkspace --export-to-resource-specific true
 > ```
 
 #### Sample log queries

articles/aks/monitor-aks.md

@@ -4,7 +4,7 @@ description: Learn how to use Key Management Service (KMS) etcd encryption with
 ms.topic: article
 ms.subservice: aks-security
 ms.custom: devx-track-azurecli
-ms.date: 06/19/2024
+ms.date: 06/26/2024
 ---
 
 # Add Key Management Service etcd encryption to an Azure Kubernetes Service cluster
@@ -191,7 +191,7 @@ After you change the key ID (including changing either the key name or the key v
 > [!WARNING]
 > Remember to update all secrets after key rotation. If you don't update all secrets, the secrets are inaccessible if the keys that were created earlier don't exist or no longer work.
 >
-> After you rotate the key, the previous key (key1) is still cached and shouldn't be deleted. If you want to delete the previous key (key1) immediately, you need to rotate the key twice. Then key2 and key3 are cached, and key1 can be deleted without affecting the existing cluster.
+> KMS uses 2 keys at the same time. After the first key rotation, you need to ensure both the old and new keys are valid (not expired) until the next key rotation. After the second key rotation, the oldest key can be safely removed/expired
 
 ```azurecli-interactive
 az aks update --name myAKSCluster --resource-group MyResourceGroup  --enable-azure-keyvault-kms --azure-keyvault-kms-key-vault-network-access "Public" --azure-keyvault-kms-key-id $NEW_KEY_ID 
@@ -336,7 +336,7 @@ kubectl get secrets --all-namespaces -o json | kubectl replace -f -
 > [!NOTE]
 > To change a different key vault with a different mode (whether public or private), you can run `az aks update` directly. To change the mode of an attached key vault, you must first turn off KMS, and then turn it on again by using the new key vault IDs.
 
-The following sections describe how to migrate an attached public key vault to private mode.
+The following sections describe how to migrate an attached public key vault to private mode.  These steps can also be used for migrating from private to public.
 
 ### Turn off KMS on the cluster
 
@@ -354,6 +354,8 @@ Update the key vault from public to private:
 az keyvault update --name MyKeyVault --resource-group MyResourceGroup --public-network-access Disabled
 ```
 
+To migrate from private to public set `--public-network-access` to `Enabled` in the command above.
+
 ### Turn on KMS for the cluster by using the updated key vault
 
 Turn on KMS by using the updated private key vault:

articles/aks/use-kms-etcd-encryption.md

@@ -16,11 +16,22 @@ Explore how various industries are using Windows Containers on Azure Kubernetes
 Learn directly from the customer stories listed here.
 
 ## Customer stories 
+- [Finastra](#finastra)
 - [Relativity](#relativity)
 - [Duck Creek](#duck-creek)
 - [Forza (Xbox Game Studios)](#forza)
 - [Microsoft Experience + Devices](#microsoft-experience--devices)
 
+
+### Finastra  
+
+![Logo of Finastra.](./media/windows-aks-customer-stories/finastra.png)
+
+LaserPro document management software is key to the Finastra vision of delivering the future of banking. Migrating from an on-premises management system to a cloud-based infrastructure using Windows containers on Azure Kubernetes Service has significantly increased agility through biweekly updates and reduced support costs for both customers and developers.
+
+For more information visit [Finastra's Windows AKS customer story](https://customers.microsoft.com/en-us/story/1759082810297807726-finastra-azure-kubernetes-service-professional-services-en-united-kingdom). 
+
+
 ### Relativity 
 
 ![Logo of Relativity.](./media/windows-aks-customer-stories/relativity.png)