
Commit b719a29

Merge pull request #271218 from MicrosoftDocs/main
04/04 AM Publishing
2 parents 5ff2cde + c535c78 commit b719a29

File tree

122 files changed

+3158
-978
lines changed

Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
---
2+
title: Export cost savings in Azure Advisor
3+
ms.topic: article
4+
ms.date: 02/06/2024
5+
description: Export cost savings in Azure Advisor and calculate the aggregated potential yearly savings by using the cost savings amount for each recommendation.
6+
---
7+
8+
# Export cost savings
9+
10+
To calculate aggregated potential yearly savings, follow these steps:
11+
12+
1. Sign in to the [**Azure portal**](https://portal.azure.com).
13+
14+
1. Search for and select [**Advisor**](https://aka.ms/azureadvisordashboard) from any page.\
15+
The Advisor **Overview** page opens.
16+
17+
1. Export cost recommendations by navigating to the **Cost** tab on the left navigation menu and choosing **Download as CSV**.
18+
19+
1. Use the cost savings amount for each recommendation to calculate aggregated potential yearly savings.
20+
21+
[![Screenshot of the Azure Advisor cost recommendations page that shows download option.](./media/advisor-how-to-calculate-total-cost-savings.png)](./media/advisor-how-to-calculate-total-cost-savings.png#lightbox)
22+
23+
> [!NOTE]
24+
> Recommendations show savings individually, and may overlap with the savings shown in other recommendations, for example – you can only benefit from savings plans for compute or reservations for virtual machines, but not from both.
25+
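Review bot: Step 4 (new line 19) tells the reader to "use the cost savings amount for each recommendation" but never says how to aggregate it, and the NOTE on line 24 says individual savings can overlap, so adding up every row of the exported CSV overstates the total. Suggest naming the operation and stating that the result is an upper bound unless overlapping recommendations (the note's own example is savings plans for compute versus reservations for virtual machines) are counted only once. Smaller points: line 14 ends with a trailing backslash line break before "The Advisor **Overview** page opens.", and "for example –" on line 24 reads better as its own sentence.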

articles/advisor/advisor-reference-operational-excellence-recommendations.md

Lines changed: 8 additions & 0 deletions
@@ -516,7 +516,15 @@ Virtual Network flow log allows you to record IP traffic flowing in a virtual ne
516516

517517
Learn more about [Resource - UpgradeNSGToVnetFlowLog (Upgrade NSG flow logs to VNet flow logs)](https://aka.ms/vnetflowlogspreviewdocs).
518518

519+
### Migrate Azure Front Door (classic) to Standard/Premium tier
519520

521+
On 31 March 2027, Azure Front Door (classic) will be retired for the public cloud, and you’ll need to migrate to Front Door Standard or Premium by that date.
522+
523+
Beginning 1 April 2025, you’ll no longer be able to create new Front Door (classic) resources via the Azure portal, Terraform, or any command line tools. However, you can continue to make modifications to existing resources until Front Door (classic) is fully retired.
524+
525+
Azure Front Door Standard and Premium combine the capabilities of static and dynamic content delivery with turnkey security, enhanced DevOps experiences, simplified pricing, and better Azure integrations
526+
527+
Learn more about [Azure Front Door (classic) will be retired on 31 March 2027](https://azure.microsoft.com/updates/azure-front-door-classic-will-be-retired-on-31-march-2027/).
520528

521529

522530
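Review bot: The paragraph added at line 525 ends without a period ("...and better Azure integrations"), and the link text on line 527 repeats the retirement announcement title instead of following the "Resource - Name (description)" pattern used by the entry directly above it on line 517. Suggest adding the period and, if this recommendation has an identifier, using it in the link text so the entry matches its neighbours. Lines 521 and 523 also use a typographic apostrophe in "you’ll", while the other articles in this commit use straight apostrophes ("you're", "doesn't").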


articles/advisor/toc.yml

Lines changed: 2 additions & 0 deletions
@@ -74,6 +74,8 @@
7474
href: advisor-azure-resource-graph.md
7575
- name: Consume Advisor score
7676
href: azure-advisor-score.md
77+
- name: Export cost savings
78+
href: advisor-how-to-calculate-total-cost-savings.md
7779
- name: Reference
7880
items:
7981
- name: Security baseline
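Review bot: The label added on line 77, "Export cost savings", does not match the target on line 78, advisor-how-to-calculate-total-cost-savings.md, whose file name describes calculating total savings rather than exporting. Suggest aligning the TOC label and the file name now, while the article is new and the rename is still cheap.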

articles/ai-services/openai/how-to/manage-costs.md

Lines changed: 10 additions & 1 deletion
@@ -48,7 +48,16 @@ Azure OpenAI fine-tuned models are charged based on three factors:
4848

4949
The hosting hours cost is important to be aware of since after a fine-tuned model is deployed, it continues to incur an hourly cost regardless of whether you're actively using it. Monitor fine-tuned model costs closely.
5050

51-
[!INCLUDE [Fine-tuning deletion](../includes/fine-tune.md)]
51+
> [!IMPORTANT]
52+
> After you deploy a customized model, if at any time the deployment remains inactive for greater than fifteen (15) days,
53+
> the deployment is deleted. The deployment of a customized model is _inactive_ if the model was deployed more than fifteen (15) days ago
54+
> and no completions or chat completions calls were made to it during a continuous 15-day period.
55+
>
56+
> The deletion of an inactive deployment doesn't delete or affect the underlying customized model,
57+
> and the customized model can be redeployed at any time.
58+
>
59+
> Each customized (fine-tuned) model that's deployed incurs an hourly hosting cost regardless of whether completions
60+
> or chat completions calls are being made to the model. .
5261
5362
### Other costs that might accrue with Azure OpenAI Service
5463
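Review bot: Line 60 ends with a stray " ." after "to the model.", and the last paragraph of the callout (lines 59-60) repeats what the unchanged line 49 already says about the hourly hosting cost of a deployed fine-tuned model. The hunk also swaps the shared include on old line 51 (../includes/fine-tune.md) for inline text, so this page will no longer pick up edits made to that include. Suggest deleting the stray period, dropping the duplicated paragraph, and either keeping the include or saying in the PR why this article needs its own copy. "greater than fifteen (15) days" on line 52 and "more than fifteen (15) days ago" on line 53 could also share one phrasing.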

articles/ai-services/openai/includes/model-matrix/quota.md

Lines changed: 5 additions & 1 deletion
@@ -10,6 +10,8 @@ ms.date: 03/13/2024
1010

1111
The default quota for models varies by model and region. Default quota limits are subject to change.
1212

13+
Quota for standard deployments is described in of terms of [Tokens-Per-Minute (TPM)](../../how-to/quota.md).
14+
1315
| Region | GPT-4 | GPT-4-32K | GPT-4-Turbo | GPT-4-Turbo-V | GPT-35-Turbo | GPT-35-Turbo-Instruct | Text-Embedding-Ada-002 | text-embedding-3-small | text-embedding-3-large | Babbage-002 | Babbage-002 - finetune | Davinci-002 | Davinci-002 - finetune | GPT-35-Turbo - finetune | GPT-35-Turbo-1106 - finetune | GPT-35-Turbo-0125 - finetune |
1416
|:-----------------|:-------:|:-----------:|:-------------:|:---------------:|:--------------:|:-----------------------:|:------------------------:|:------------------------:|:------------------------:|:-------------:|:------------------------:|:-------------:|:------------------------:|:-------------------------:|:------------------------------:|:-------------------------------|
1517
| australiaeast | 40 K | 80 K | 80 K | 30 K | 300 K | - | 350 K | - | - | - | - | - | - | - | - | - |
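Review bot: Line 13 has a typo: "described in of terms of" should be "described in terms of". Since this sentence introduces the unit, it would also be the natural place to say that the table cells such as "40 K" are thousands of TPM, rather than leaving that to a legend below the table.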
@@ -28,4 +30,6 @@ The default quota for models varies by model and region. Default quota limits ar
2830
| switzerlandnorth | 40 K | 80 K | - | 30 K | 300 K | - | 350 K | - | - | - | - | - | - | - | - | - |
2931
| uksouth | - | - | 80 K | - | 240 K | - | 350 K | - | - | - | - | - | - | - | - | - |
3032
| westeurope | - | - | - | - | 240 K | - | 240 K | - | - | - | - | - | - | - | - | - |
31-
| westus | - | - | 80 K | 30 K | 300 K | - | 350 K | - | - | - | - | - | - | - | - | - |
33+
| westus | - | - | 80 K | 30 K | 300 K | - | 350 K | - | - | - | - | - | - | - | - | - |
34+
35+
1 K = 1000 Tokens-Per-Minute (TPM). The relationship between TPM and Requests Per Minute (RPM) is [currently defined as 6 RPM per 1000 TPM](../../how-to/quota.md#understanding-rate-limits).
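Review bot: The westus row is removed at old line 31 and re-added at new line 33 with no visible change in its cells, so this looks like a whitespace or end-of-file newline difference; worth confirming nothing else was intended and that the table still renders. The legend added on line 35 hard-codes "6 RPM per 1000 TPM", a figure that belongs to how-to/quota.md and that the sentence itself calls "currently defined"; consider linking to that section without restating the number, and moving the "1 K = 1000 Tokens-Per-Minute" legend above the table next to the TPM sentence on line 13.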

articles/ai-studio/concepts/architecture.md

Lines changed: 20 additions & 3 deletions
@@ -5,7 +5,7 @@ description: Learn about the architecture of Azure AI Studio.
55
manager: scottpolly
66
ms.service: azure-ai-studio
77
ms.topic: conceptual
8-
ms.date: 02/06/2024
8+
ms.date: 04/03/2024
99
ms.reviewer: deeikele
1010
ms.author: larryfr
1111
author: Blackmist
@@ -67,15 +67,32 @@ For information on registering resource providers, see [Register an Azure resour
6767

6868
## Role-based access control and control plane proxy
6969

70-
Azure AI Services and Azure OpenAI provide control plane endpoints for operations such as listing model deployments. These endpoints are secured using a separate Azure role-based access control (RBAC) configuration than the one used for Azure AI hub.
70+
Azure AI Services and Azure OpenAI provide control plane endpoints for operations such as listing model deployments. These endpoints are secured using a separate Azure role-based access control (Azure RBAC) configuration than the one used for Azure AI hub.
7171

7272
To reduce the complexity of Azure RBAC management, AI Studio provides a *control plane proxy* that allows you to perform operations on connected Azure AI Services and Azure OpenAI resources. Performing operations on these resources through the control plane proxy only requires Azure RBAC permissions on the AI hub. The Azure AI Studio service then performs the call to the Azure AI Services or Azure OpenAI control plane endpoint on your behalf.
7373

7474
For more information, see [Role-based access control in Azure AI Studio](rbac-ai-studio.md).
7575

76+
## Attribute-based access control
77+
78+
Each AI hub you create has a default storage account. Each child AI project of the AI hub inherits the storage account of the AI hub. The storage account is used to store data and artifacts.
79+
80+
To secure the shared storage account, Azure AI Studio uses both Azure RBAC and Azure attribute-based access control (Azure ABAC). Azure ABAC is a security model that defines access control based on attributes associated with the user, resource, and environment. Each AI project has:
81+
82+
- A service principal that is assigned the Storage Blob Data Contributor role on the storage account.
83+
- A unique ID (workspace ID).
84+
- A set of containers in the storage account. Each container has a prefix that corresponds to the workspace ID value for the AI project.
85+
86+
The role assignment for each AI project's service principal has a condition that only allows the service principal access to containers with the matching prefix value. This condition ensures that each AI project can only access its own containers.
87+
88+
> [!NOTE]
89+
> For data encryption in the storage account, the scope is the entire storage and not per-container. So all containers are encrypted using the same key (provided either by Microsoft or by the customer).
90+
91+
For more information on Azure access-based control, see [What is Azure attribute-based access control](/azure/role-based-access-control/conditions-overview).
92+
7693
## Encryption
7794

78-
Azure AI Studio uses encryption to protect data at rest and in transit. By default, Microsoft-managed keys are used for encryption, however you can use your own encryption keys. For more information, see [Customer-managed keys](../../ai-services/encryption/cognitive-services-encryption-keys-portal.md?context=/azure/ai-studio/context/context).
95+
Azure AI Studio uses encryption to protect data at rest and in transit. By default, Microsoft-managed keys are used for encryption. However you can use your own encryption keys. For more information, see [Customer-managed keys](../../ai-services/encryption/cognitive-services-encryption-keys-portal.md?context=/azure/ai-studio/context/context).
7996

8097
## Virtual network
8198

articles/ai-studio/concepts/vulnerability-management.md

Lines changed: 12 additions & 12 deletions
@@ -5,7 +5,7 @@ description: Learn how Azure AI Studio manages vulnerabilities in images that th
55
manager: scottpolly
66
ms.service: azure-ai-studio
77
ms.topic: conceptual
8-
ms.date: 02/22/2024
8+
ms.date: 4/4/2024
99
ms.reviewer: deeikele
1010
ms.author: larryfr
1111
author: Blackmist
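Review bot: The new value on line 8, "ms.date: 4/4/2024", drops the zero padding used by the other ms.date values in this commit (for example "04/03/2024" and "02/06/2024"). Use "04/04/2024" so the metadata stays in one format.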
@@ -21,42 +21,42 @@ This article discusses these responsibilities and outlines the vulnerability man
2121

2222
## Microsoft-managed VM images
2323

24-
Azure AI Studio manages host OS virtual machine (VM) images for compute instances and serverless compute clusters. The update frequency is monthly and includes the following details:
24+
Microsoft manages host OS virtual machine (VM) images for compute instances and serverless compute clusters. The update frequency is monthly and includes the following details:
2525

2626
* For each new VM image version, the latest updates are sourced from the original publisher of the OS. Using the latest updates helps ensure that you get all applicable OS-related patches. For Azure AI Studio, the publisher is Canonical for all the Ubuntu images.
2727

2828
* VM images are updated monthly.
2929

30-
* In addition to patches that the original publisher applies, Azure AI Studio updates system packages when updates are available.
30+
* In addition to patches that the original publisher applies, Microsoft updates system packages when updates are available.
3131

32-
* Azure AI Studio checks and validates any machine learning packages that might require an upgrade. In most circumstances, new VM images contain the latest package versions.
32+
* Microsoft checks and validates any machine learning packages that might require an upgrade. In most circumstances, new VM images contain the latest package versions.
3333

34-
* All VM images are built on secure subscriptions that run vulnerability scanning regularly. Azure AI Studio flags any unaddressed vulnerabilities and fixes them within the next release.
34+
* All VM images are built on secure subscriptions that run vulnerability scanning regularly. Microsoft flags any unaddressed vulnerabilities and fixes them within the next release.
3535

36-
* The frequency is a monthly interval for most images. For compute instances, the image release is aligned with the release cadence of the Azure AI Studio SDK that's preinstalled in the environment.
36+
* The frequency is a monthly interval for most images. For compute instances, the image release is aligned with the release cadence of the Azure AI SDK that's preinstalled in the environment.
3737

38-
In addition to the regular release cadence, Azure AI Studio applies hotfixes if vulnerabilities surface. Microsoft rolls out hotfixes within 72 hours for serverless compute clusters and within a week for compute instances.
38+
In addition to the regular release cadence, Microsoft applies hotfixes if vulnerabilities surface. Microsoft rolls out hotfixes within 72 hours for serverless compute clusters and within a week for compute instances.
3939

4040
> [!NOTE]
4141
> The host OS is not the OS version that you might specify for an environment when you're training or deploying a model. Environments run inside Docker. Docker runs on the host OS.
4242
4343
## Microsoft-managed container images
4444

45-
[Base docker images](https://github.com/Azure/AzureML-Containers) that Azure AI Studio maintains get security patches frequently to address newly discovered vulnerabilities.
45+
[Base docker images](https://github.com/Azure/AzureML-Containers) that Microsoft maintains for Azure AI Studio get security patches frequently to address newly discovered vulnerabilities.
4646

47-
Azure AI Studio releases updates for supported images every two weeks to address vulnerabilities. As a commitment, we aim to have no vulnerabilities older than 30 days in the latest version of supported images.
47+
Microsoft releases updates for supported images every two weeks to address vulnerabilities. As a commitment, we aim to have no vulnerabilities older than 30 days in the latest version of supported images.
4848

4949
Patched images are released under a new immutable tag and an updated `:latest` tag. Using the `:latest` tag or pinning to a particular image version might be a tradeoff between security and environment reproducibility for your machine learning job.
5050

5151
## Managing environments and container images
5252

5353
In Azure AI Studio, Docker images are used to provide a runtime environment for [prompt flow deployments](../how-to/flow-deploy.md). The images are built from a base image that Azure AI Studio provides.
5454

55-
Although Azure AI Studio patches base images with each release, whether you use the latest image might be tradeoff between reproducibility and vulnerability management. It's your responsibility to choose the environment version that you use for your jobs or model deployments.
55+
Although Microsoft patches base images with each release, whether you use the latest image might be tradeoff between reproducibility and vulnerability management. It's your responsibility to choose the environment version that you use for your jobs or model deployments.
5656

5757
By default, dependencies are layered on top of base images when you're building an image. After you install more dependencies on top of the Microsoft-provided images, vulnerability management becomes your responsibility.
5858

59-
Associated with your AI hub resource is an Azure Container Registry instance that functions as a cache for container images. Any image that materializes is pushed to the container registry. The workspace uses it when deployment is triggered for the corresponding environment.
59+
Associated with your AI hub resource is an Azure Container Registry instance that functions as a cache for container images. Any image that materializes is pushed to the container registry. The AI hub uses it when deployment is triggered for the corresponding environment.
6060

6161
The AI hub doesn't delete any image from your container registry. You're responsible for evaluating the need for an image over time. To monitor and maintain environment hygiene, you can use [Microsoft Defender for Container Registry](/azure/defender-for-cloud/defender-for-container-registries-usage) to help scan your images for vulnerabilities. To automate your processes based on triggers from Microsoft Defender, see [Automate remediation responses](/azure/defender-for-cloud/workflow-automation).
6262
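Review bot: Line 47 now opens with "Microsoft releases updates" but continues with "As a commitment, we aim", so one paragraph mixes third and first person; pick one voice. Line 38 ends up with "Microsoft applies hotfixes" and "Microsoft rolls out hotfixes" in consecutive sentences, which could be merged. Line 55 was edited but still reads "might be tradeoff" (missing "a"), and the unchanged line 53 still says the base image is one "that Azure AI Studio provides", which no longer matches the "Microsoft" wording applied to lines 45, 47 and 55. Since these lines define who is responsible for patching, the subject should be consistent throughout the section.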

@@ -65,7 +65,7 @@ The AI hub doesn't delete any image from your container registry. You're respons
6565

6666
Managed compute nodes in Azure AI Studio use Microsoft-managed OS VM images. When you provision a node, it pulls the latest updated VM image. This behavior applies to compute instance, serverless compute cluster, and managed inference compute options.
6767

68-
Although OS VM images are regularly patched, Azure AI Studio doesn't actively scan compute nodes for vulnerabilities while they're in use. For an extra layer of protection, consider network isolation of your computes.
68+
Although OS VM images are regularly patched, Microsoft doesn't actively scan compute nodes for vulnerabilities while they're in use. For an extra layer of protection, consider network isolation of your computes.
6969

7070
Ensuring that your environment is up to date and that compute nodes use the latest OS version is a shared responsibility between you and Microsoft. Nodes that aren't idle can't be updated to the latest VM image. Considerations are slightly different for each compute type, as listed in the following sections.
7171

articles/ai-studio/how-to/configure-private-link.md

Lines changed: 1 addition & 1 deletion
@@ -16,7 +16,7 @@ author: Blackmist
1616

1717
[!INCLUDE [Azure AI Studio preview](../includes/preview-ai-studio.md)]
1818

19-
We have two network isolation aspects. One is the network isolation to access an Azure AI. Another is the network isolation of computing resources in your Azure AI and Azure AI projects such as Compute Instance, Serverless and Managed Online Endpoint. This document explains the former highlighted in the diagram. You can use private link to establish the private connection to your Azure AI and its default resources.
19+
We have two network isolation aspects. One is the network isolation to access an Azure AI. Another is the network isolation of computing resources in your Azure AI and Azure AI projects such as Compute Instance, Serverless and Managed Online Endpoint. This document explains the former highlighted in the diagram. You can use private link to establish the private connection to your Azure AI and its default resources. This article is for Azure AI. For information on Azure AI Services, see the [Azure AI Services documentation](/azure/ai-services/cognitive-services-virtual-networks).
2020

2121
:::image type="content" source="../media/how-to/network/azure-ai-network-inbound.svg" alt-text="Diagram of Azure AI network isolation." lightbox="../media/how-to/network/azure-ai-network-inbound.png":::
2222
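Review bot: The sentence appended on line 19, "This article is for Azure AI.", is ambiguous because "Azure AI" on its own does not name a resource, and it sits next to a pointer to "Azure AI Services", which is the very confusion the addition is trying to prevent. Other articles in this commit use "AI hub" for the hub resource; if that is what is meant here, name it explicitly. The disambiguation would also be easier to find as a NOTE callout than as two sentences at the end of an already long paragraph.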
