Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into update-classic-account

Author: pauljewellmsft

.github/policies/disallow-edits.yml

@@ -155,13 +155,16 @@ configuration:
         if:
           # If a 'sign-off' comment is added to a PR in the articles/reliability folder , and the PR author isn't Anastasia or John...
           - payloadType: Issue_Comment
-          - isPullRequest
           - filesMatchPattern:
               matchAny: true
               pattern: articles/reliability/*
-          - commentContains:
-              pattern: '\#sign-off'
-              isRegex: true
+          - or:
+              - commentContains:
+                  pattern: ^(#sign-off)$
+                  isRegex: True
+              - commentContains:
+                  pattern: ^(\#sign-off)$
+                  isRegex: True
           - not:
               or:
                 - isActivitySender:

.openpublishing.redirection.json

@@ -200,6 +200,11 @@
       "redirect_url": "https://azuremarketplace.microsoft.com/marketplace/apps?page=1",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/partner-solutions/logzio/index.yml",
+      "redirect_url": "/previous-versions/azure/partner-solutions/logzio/index",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/partner-solutions/logzio/create.md",
       "redirect_url": "/previous-versions/azure/partner-solutions/logzio/create",

articles/api-management/TOC.yml

@@ -544,6 +544,8 @@
       href: json-to-xml-policy.md
     - name: limit-concurrency
       href: limit-concurrency-policy.md
+    - name: llm-content-safety
+      href: llm-content-safety-policy.md
     - name: llm-emit-token-metric
       href: llm-emit-token-metric-policy.md
     - name: llm-semantic-cache-lookup

articles/api-management/api-management-policies.md

@@ -59,6 +59,7 @@ More information about policies:
 
 |Policy  |Description  | Classic | V2  | Consumption |Self-hosted  |Workspace |
 |---------|---------|---------|---------|---------|--------|------|
+| [Enforce content safety checks on LLM requests](llm-content-safety-policy.md) | Enforces content safety checks on LLM requests (prompts) by transmitting them to the [Azure AI Content Safety](/azure/ai-services/content-safety/overview) service before sending to the backend LLM. | Yes | Yes | Yes | Yes | Yes |
 | [Validate content](validate-content-policy.md) | Validates the size or content of a request or response body against one or more API schemas. The supported schema formats are JSON and XML. | Yes | Yes | Yes | Yes | Yes |
 | [Validate GraphQL request](validate-graphql-request-policy.md) | Validates and authorizes a request to a GraphQL API. | Yes | Yes | Yes | Yes | No |
 | [Validate OData request](validate-odata-request-policy.md) | Validates a request to an OData API to ensure conformance with the OData specification. | Yes | Yes | Yes | Yes | Yes |

articles/api-management/llm-content-safety-policy.md

@@ -0,0 +1,118 @@
+---
+title: Azure API Management policy reference - llm-content-safety
+description: Reference for the llm-content-safety policy available for use in Azure API Management. Provides policy usage, settings, and examples.
+services: api-management
+author: dlepow
+
+ms.service: azure-api-management
+ms.collection: ce-skilling-ai-copilot
+ms.custom:
+ms.topic: article
+ms.date: 03/04/2025
+ms.author: danlep
+---
+
+# Enforce content safety checks on LLM requests
+
+[!INCLUDE [api-management-availability-premium-dev-standard-basic-premiumv2-standardv2-basicv2](../../includes/api-management-availability-premium-dev-standard-basic-premiumv2-standardv2-basicv2.md)]
+
+The `llm-content-safety` policy enforces content safety checks on large language model (LLM) requests (prompts) by transmitting them to the [Azure AI Content Safety](/azure/ai-services/content-safety/overview) service before sending to the backend LLM API. When the policy is enabled and Azure AI Content Safety detects malicious content, API Management blocks the request and returns a `403` error code. 
+
+Use the policy in scenarios such as the following:
+
+* Block requests that contain predefined categories of harmful content or hate speech
+* Apply custom blocklists to prevent specific content from being sent
+* Shield against prompts that match attack patterns
+
+[!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
+
+## Prerequisites
+
+* An [Azure AI Content Safety](/azure/ai-services/content-safety/) resource. 
+* An API Management [backend](backends.md) configured to route content safety API calls and authenticate to the Azure AI Content Safety service, in the form `https://<content-safety-service-name>.cognitiveservices.azure.com`. Managed identity with Cognitive Services User role is recommended for authentication.
+
+
+## Policy statement
+
+```xml
+<llm-content-safety backend-id="name of backend entity" shield-prompt="true | false" >
+    <categories output-type="FourSeverityLevels | EightSeverityLevels">
+        <category name="Hate | SelfHarm | Sexual | Violence" threshold="integer" />
+        <!-- If there are multiple categories, add more category elements -->
+        [...]
+    </categories>
+    <blocklists>
+        <id>blocklist-identifier</id>
+        <!-- If there are multiple blocklists, add more id elements -->
+        [...]
+    </blocklists>
+</llm-content-safety>
+```
+
+## Attributes
+
+| Attribute           | Description                                                                                           | Required | Default |
+| -------------- | ----------------------------------------------------------------------------------------------------- | -------- | ------- |
+| backend-id	| Identifier (name) of the Azure AI Content Safety backend to route content-safety API calls to. Policy expressions are allowed.	|  Yes	| N/A |
+| shield-prompt	| If set to `true`, content is checked for user attacks. Otherwise, skip this check. Policy expressions are allowed.	| No	| `false` |
+
+
+## Elements
+
+| Element	| Description	| Required |
+| -------------- | -----| -------- |
+| categories	| A list of `category` elements that specify settings for blocking requests when the category is detected. | 	No |
+| blocklists	| A list of [blocklist](/azure/ai-services/content-safety/how-to/use-blocklist) `id` elements from the Azure AI Content Safety instance for which detection causes the request to be blocked. Policy expressions are allowed.	| No |
+
+### categories attributes
+
+| Attribute           | Description                                                                                           | Required | Default |
+| -------------- | ----------------------------------------------------------------------------------------------------- | -------- | ------- |
+| output-type	| Specifies how severity levels are returned by Azure AI Content Safety. The attribute must have one of the following values.<br /><br />- `FourSeverityLevels`: Output severities in four levels: 0,2,4,6.<br/>- `EightSeverityLevels`: Output severities in eight levels: 0,1,2,3,4,5,6,7.<br/><br/>Policy expressions are allowed.	| No	| `FourSeverityLevels` |
+
+
+### category attributes
+
+| Attribute           | Description                                                                                           | Required | Default |
+| -------------- | ----------------------------------------------------------------------------------------------------- | -------- | ------- |
+| name	| Specifies the name of this category. The attribute must have one of the following values: `Hate`, `SelfHarm`, `Sexual`, `Violence`. Policy expressions are allowed.	| Yes	| N/A |
+| threshold	| Specifies the threshold value for this category at which request are blocked. Requests with content severities less than the threshold aren't blocked. The value must be between 0 and 7. Policy expressions are allowed.	| Yes	| N/A |
+
+
+## Usage
+
+- [**Policy sections:**](./api-management-howto-policies.md#sections) inbound
+- [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API
+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted, workspace
+
+### Usage notes
+
+* The policy runs on a concatenation of all text content in a completion or chat completion request.
+* If the request exceeds the character limit of Azure AI Content Safety, a `403` error is returned.
+* This policy can be used multiple times per policy definition.
+
+## Example
+
+The following example enforces content safety checks on LLM requests using the Azure AI Content Safety service. The policy blocks requests that contain speech in the `Hate` or `Violence` category with a severity level of 4 or higher. The `shield-prompt` attribute is set to `true` to check for adversarial attacks.
+
+```xml
+<policies>
+    <inbound>
+        <llm-content-safety backend-id="content-safety-backend" shield-prompt="true">
+            <categories output-type="EightSeverityLevels">
+                <category name="Hate" threshold="4" />
+                <category name="Violence" threshold="4" />
+            </categories>
+        </llm-content-safety>
+    </inbound>
+</policies>
+
+```
+
+## Related policies
+
+* [Content validation](api-management-policies.md#content-validation)
+* [llm-token-limit](llm-token-limit-policy.md) policy
+* [llm-emit-token-metric](llm-emit-token-metric-policy.md) policy
+
+[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]

articles/application-gateway/configuration-infrastructure.md

@@ -83,13 +83,11 @@ Depending on whether you're creating new resources or using existing ones, add t
 
 |Resource | Resource status | Required Azure permissions |
 |---|---|---|
-| Subnet | Create new| Microsoft.Network/virtualNetworks/subnets/write<br>Microsoft.Network/virtualNetworks/subnets/join/action |
-| Subnet | Use existing| Microsoft.Network/virtualNetworks/subnets/read<br>Microsoft.Network/virtualNetworks/subnets/join/action |
-| IP addresses| Create new| Microsoft.Network/publicIPAddresses/write<br>Microsoft.Network/publicIPAddresses/join/action |
-| IP addresses  | Use existing| Microsoft.Network/publicIPAddresses/read<br>Microsoft.Network/publicIPAddresses/join/action |
-| ApplicationGatewayWebApplicationFirewallPolicies | Create new / Update existing | Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/write 
-Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/read 
-Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/join/action |
+| Subnet | Create new| `Microsoft.Network/virtualNetworks/subnets/write' <br> 'Microsoft.Network/virtualNetworks/subnets/join/action` |
+| Subnet | Use existing| `Microsoft.Network/virtualNetworks/subnets/read` <br> `Microsoft.Network/virtualNetworks/subnets/join/action` |
+| IP addresses| Create new| `Microsoft.Network/publicIPAddresses/write` <br> `Microsoft.Network/publicIPAddresses/join/action` |
+| IP addresses  | Use existing| `Microsoft.Network/publicIPAddresses/read` <br> `Microsoft.Network/publicIPAddresses/join/action` |
+| ApplicationGatewayWebApplicationFirewallPolicies | Create new / Update existing | `Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/write` <br> `Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/read` <br> `Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/join/action` |
 
 For more information, see [Azure permissions for Networking](../role-based-access-control/permissions/networking.md) and [Virtual network permissions](../virtual-network/virtual-network-manage-subnet.md#permissions).
 ## Roles scope

articles/azure-vmware/azure-vmware-solution-platform-updates.md

@@ -13,7 +13,9 @@ Microsoft regularly applies important updates to the Azure VMware Solution for n
 
 ## March 2025
 
-To address the vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) reported in Broadcom security advisory [VMSA-2025-0004](https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390), ESXi hosts are being patched in all Azure VMware Solution private clouds to [ESXi 8.0 U2d, Patch Release 24585300](https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-80u2d-release-notes.html). All new Azure VMware Solution private clouds are deployed with the same version. [Learn more](https://techcommunity.microsoft.com/blog/azuremigrationblog/azure-vmware-solution-broadcom-vmsa-2025-0004-remediation/4388074)
+To address the vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) reported in Broadcom security advisory [VMSA-2025-0004](https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390), ESXi hosts are being patched in all Azure VMware Solution private clouds to [ESXi 8.0 U2d, Patch Release 24585300](https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-80u2d-release-notes.html). All new Azure VMware Solution private clouds are deployed with the same version. [Learn more](https://techcommunity.microsoft.com/blog/azuremigrationblog/azure-vmware-solution-broadcom-vmsa-2025-0004-remediation/4388074) 
+
+vSAN in-transit encryption is now available in Azure VMware Solution through a Run Command. This new feature enhances data security by encrypting data as it moves between hosts in your vSAN cluster in the Azure VMware Solution. [Learn more](https://techdocs.broadcom.com/us/en/vmware-cis/vsan/vsan/8-0/vsan-administration/using-encryption-in-a-vsan-cluster-1/vsan-data-in-transit-encryption.html)
 
 ## February 2025