Merge pull request #206127 from MicrosoftDocs/main

7/27 AM Publish

Author: huypub

articles/active-directory/develop/index-web-app.yml

@@ -39,7 +39,7 @@ landingContent:
           - text: ASP.NET
             url: tutorial-v2-asp-webapp.md
           - text: Blazor Server
-            url: tutorial-blazor-webassembly.md
+            url: tutorial-blazor-server.md
           - text: Node.js with Express
             url: tutorial-v2-nodejs-webapp-msal.md
   - title: "Web apps in depth"

articles/aks/limit-egress-traffic.md

@@ -462,23 +462,20 @@ You'll define the outbound type to use the UDR that already exists on the subnet
 
 > [!NOTE]
 > AKS will create a system-assigned kubelet identity in the Node resource group if you do not [specify your own kubelet managed identity][Use a pre-created kubelet managed identity].
+> 
+> For user defined routing (UDR), system-assigned identity only supports CNI network plugin. Because for kubelet network plugin, AKS cluster needs permission on route table as kubernetes cloud-provider manages rules. 
 
-You can create an AKS cluster using a system-assigned managed identity by running the following CLI command.
+You can create an AKS cluster using a system-assigned managed identity with CNI network plugin by running the following CLI command.
 
 ```azurecli
 az aks create -g $RG -n $AKSNAME -l $LOC \
   --node-count 3 \
-  --network-plugin $PLUGIN \
+  --network-plugin azure \
   --outbound-type userDefinedRouting \
   --vnet-subnet-id $SUBNETID \
   --api-server-authorized-ip-ranges $FWPUBLIC_IP
 ```
 
-> [!NOTE]
-> For creating and using your own VNet and route table where the resources are outside of the worker node resource group, the CLI will add the role assignment automatically. If you are using an ARM template or other client, you need to use the Principal ID of the cluster managed identity to perform a [role assignment.][add role to identity]
-> 
-> If you are not using the CLI but using your own VNet or route table which are outside of the worker node resource group, it's recommended to use [user-assigned control plane identity][Create an AKS cluster with user-assigned identities]. For system-assigned control plane identity, we cannot get the identity ID before creating cluster, which causes delay for role assignment to take effect.
-
 #### Create an AKS cluster with user-assigned identities
 
 ##### Create user-assigned managed identities
@@ -529,14 +526,17 @@ The output should resemble the following:
 }
 ```
 
+> [!NOTE]
+> For creating and using your own VNet and route table where the resources are outside of the worker node resource group, the CLI will add the role assignment automatically. If you are using an ARM template or other client, you need to use the Principal ID of the cluster managed identity to perform a [role assignment.][add role to identity]
+
 ##### Create an AKS cluster with user-assigned identities
 
 Now you can use the following command to create your AKS cluster with your existing identities in the subnet. Provide the control plane identity resource ID via `assign-identity` and the kubelet managed identity via `assign-kubelet-identity`:
 
 ```azurecli
 az aks create -g $RG -n $AKSNAME -l $LOC \
   --node-count 3 \
-  --network-plugin $PLUGIN \
+  --network-plugin kubenet \
   --outbound-type userDefinedRouting \
   --vnet-subnet-id $SUBNETID \
   --api-server-authorized-ip-ranges $FWPUBLIC_IP
@@ -545,8 +545,6 @@ az aks create -g $RG -n $AKSNAME -l $LOC \
   --assign-kubelet-identity <kubelet-identity-resource-id>
 ```
 
-> [!NOTE]
-> For creating and using your own VNet and route table where the resources are outside of the worker node resource group, the CLI will add the role assignment automatically. If you are using an ARM template or other client, you need to use the Principal ID of the cluster managed identity to perform a [role assignment.][add role to identity]
 
 ### Enable developer access to the API server
 

articles/availability-zones/TOC.yml

@@ -26,6 +26,8 @@
       href: migrate-app-gateway-v2.md
     - name: Cache for Redis
       href: migrate-cache-redis.md
+    - name: Log Analytics workspaces
+      href: migrate-monitor-log-analytics.md
     - name: Container instances
       href: migrate-container-instances.md
     - name: Recovery Services vault

articles/availability-zones/az-region.md

@@ -119,7 +119,7 @@ In the Product Catalog, always-available services are listed as "non-regional" s
 | Azure Logic Apps | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) |
 | [Azure Monitor](../azure-monitor/logs/availability-zones.md)  | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) |
 | [Azure Monitor: Application Insights](../azure-monitor/logs/availability-zones.md)  | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) |
-| [Azure Monitor: Log Analytics](../azure-monitor/logs/availability-zones.md) | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) |
+| [Azure Monitor: Log Analytics](migrate-monitor-log-analytics.md) | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) |
 | [Azure Network Watcher](../network-watcher/frequently-asked-questions.yml) | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) |
 | Azure Network Watcher: [Traffic Analytics](../network-watcher/frequently-asked-questions.yml) | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) |
 | Azure Notification Hubs | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) |

articles/availability-zones/migrate-monitor-log-analytics.md

@@ -0,0 +1,71 @@
+---
+title: Migrate Log Analytics workspaces to availability zone support 
+description: Learn how to migrate Log Analytics workspaces to availability zone support.
+author: anaharris-ms
+ms.service: azure
+ms.topic: conceptual
+ms.date: 07/21/2022
+ms.author: anaharris
+ms.reviewer: noakuper
+ms.custom: references_regions
+---
+
+# Migrate Log Analytics workspaces to availability zone support
+ 
+This guide describes how to migrate Log Analytics workspaces from non-availability zone support to availability support. We'll take you through the different options for migration.
+
+> [!NOTE]
+> Application Insights resources can also use availability zones, but only if they are workspace-based and the workspace uses a dedicated cluster as explained below. Classic (non-workspace-based) Application Insights resources cannot use availability zones.
+
+
+## Prerequisites
+
+For availability zone support, your workspace must be located in one of the following supported regions:
+
+- East US 2
+- West US 2
+
+## Dedicated clusters
+
+Azure Monitor support for availability zones requires a Log Analytics workspace linked to an [Azure Monitor dedicated cluster](../azure-monitor/logs/logs-dedicated-clusters.md). Dedicated clusters are a deployment option that enables advanced capabilities for Azure Monitor Logs including availability zones.
+
+Not all dedicated clusters can use availability zones. Dedicated clusters created after mid-October 2020 can be set to support availability zones when they are created. New clusters created after that date default to be enabled for availability zones in regions where Azure Monitor supports them.
+
+## Downtime requirements
+
+There are no downtime requirements.
+
+## Migration process: Moving to a dedicated cluster
+
+### Step 1: Determine the current cluster for your workspace
+
+To determine the current workspace link status for your workspace, use [CLI, PowerShell or REST](../azure-monitor/logs/logs-dedicated-clusters.md#check-workspace-link-status) to retrieve the [cluster details](../azure-monitor/logs/logs-dedicated-clusters.md#check-cluster-provisioning-status). If the cluster uses an availability zone, then it will have a property called `isAvailabilityZonesEnabled` with a value of `true`. Once a cluster is created, this property cannot be altered.
+
+### Step 2: Create a dedicated cluster with availability zone support
+
+Move your workspace to an availability zone by [creating a new dedicated cluster](../azure-monitor/logs/logs-dedicated-clusters.md#create-a-dedicated-cluster) in a region that supports availability zones. The cluster will automatically be enabled for availability zones. Then [link your workspace to the new cluster](../azure-monitor/logs/logs-dedicated-clusters.md#link-a-workspace-to-a-cluster).
+
+> [!IMPORTANT]
+> Availability zone is defined on the cluster at creation time and can’t be modified.
+
+Transitioning to a new cluster can be a gradual process. Don't remove the previous cluster until it has been purged of any data. For example, if your workspace retention is set 60 days, you may want to keep your old cluster running for that period before removing it.
+
+Any queries against your workspace will query both clusters as required to provide you with a single, unified result set. That means that all Azure Monitor features relying on the workspace such as workbooks and dashboards will keep getting the full, unified result set based on data from both clusters.
+
+## Billing
+There is a [cost for using a dedicated cluster](../azure-monitor/logs/logs-dedicated-clusters.md#create-a-dedicated-cluster). It requires a daily capacity reservation of 500 GB. 
+
+If you already have a dedicated cluster and choose to retain it to access its data, you’ll be charged for both dedicated clusters. Starting August 4, 2021, the minimum required capacity reservation for dedicated clusters is reduced from 1000GB/Daily to 500GB/Daily, so we’d recommend applying that minimum to your old cluster to reduce charges.
+
+The new cluster isn’t billed during its first day to avoid double billing during configuration. Only the data ingested before the migration completes would still be billed on the date of migration. 
+
+
+## Next steps
+
+Learn more about:
+
+> [!div class="nextstepaction"]
+> [Azure Monitor Logs Dedicated Clusters](../azure-monitor/logs/logs-dedicated-clusters.md)
+
+> [!div class="nextstepaction"]
+> [Azure Services that support Availability Zones](az-region.md)

articles/azure-arc/kubernetes/cluster-connect.md

@@ -179,8 +179,13 @@ A conceptual overview of this feature is available in [Cluster connect - Azure A
     ```
 
     ```console
-    $TOKEN=(kubectl get secret demo-user-secret -o jsonpath='{$.data.token}' | base64 -d | sed $'s/$/\\\n/g')
+    TOKEN=$(kubectl get secret demo-user-secret -o jsonpath='{$.data.token}' | base64 -d | sed $'s/$/\\\n/g')
     ```
+1. Get the token to output to console
+  
+     ```console
+     echo $TOKEN
+     ```
 
 ### [Azure PowerShell](#tab/azure-powershell)
 

articles/azure-monitor/logs/customer-managed-keys.md

@@ -36,7 +36,7 @@ After the Customer-managed key configuration, new ingested data to workspaces li
 > [!IMPORTANT]
 > Customer-managed key capability is regional. Your Azure Key Vault, cluster and linked workspaces must be in the same region, but they can be in different subscriptions.
 
-![Customer-managed key overview](media/customer-managed-keys/cmk-overview.png)
+[![Customer-managed key overview](media/customer-managed-keys/cmk-overview.png "Screenshot of Customer-managed key diagram.")](media/customer-managed-keys/cmk-overview.png#lightbox)
 
 1. Key Vault
 2. Log Analytics cluster resource having managed identity with permissions to Key Vault—The identity is propagated to the underlay dedicated cluster storage
@@ -73,7 +73,7 @@ Customer-managed key configuration isn't supported in Azure portal currently and
 
 Create or use an existing Azure Key Vault in the region that the cluster is planed, and generate or import a key to be used for logs encryption. The Azure Key Vault must be configured as recoverable, to protect your key and the access to your data in Azure Monitor. You can verify this configuration under properties in your Key Vault, both *Soft delete* and *Purge protection* should be enabled.
 
-![Soft delete and purge protection settings](media/customer-managed-keys/soft-purge-protection.png)
+[![Soft delete and purge protection settings](media/customer-managed-keys/soft-purge-protection.png "Screenshot of Key Vault soft delete and purge protection properties")](media/customer-managed-keys/soft-purge-protection.png#lightbox)
 
 These settings can be updated in Key Vault via CLI and PowerShell:
 
@@ -97,16 +97,23 @@ Follow the procedure illustrated in [Dedicated Clusters article](./logs-dedicate
 
 ## Grant Key Vault permissions
 
-Create Access Policy in Key Vault to grants permissions to your cluster. These permissions are used by the underlay cluster storage. Open your Key Vault in Azure portal and click *Access Policies* then *+ Add Access Policy* to create a policy with these settings:
+There are two permission models in Key Vault to grants permissions to your cluster and underlay storage, Vault access policy and Azure role-based access control.
 
-- Key permissions—select *Get*, *Wrap Key* and *Unwrap Key*.
-- Select principal—depending on the identity type used in the cluster (system or user assigned managed identity)
-  - System assigned managed identity - enter the cluster name or cluster principal ID 
-  - User assigned managed identity - enter the identity name
+1. Vault access policy
 
-![grant Key Vault permissions](media/customer-managed-keys/grant-key-vault-permissions-8bit.png)
+    Open your Key Vault in Azure portal and click *Access Policies*, select *Vault access policy*, then click *+ Add Access Policy* to create a policy with these settings:
 
-The *Get* permission is required to verify that your Key Vault is configured as recoverable to protect your key and the access to your Azure Monitor data.
+    - Key permissions—select *Get*, *Wrap Key* and *Unwrap Key*.
+    - Select principal—depending on the identity type used in the cluster (system or user assigned managed identity)
+      - System assigned managed identity - enter the cluster name or cluster principal ID 
+      - User assigned managed identity - enter the identity name
+
+    [![grant Key Vault permissions](media/customer-managed-keys/grant-key-vault-permissions-8bit.png "Screenshot of Key Vault access policy permissions")](media/customer-managed-keys/grant-key-vault-permissions-8bit.png#lightbox)
+
+    The *Get* permission is required to verify that your Key Vault is configured as recoverable to protect your key and the access to your Azure Monitor data.
+
+2. Azure role-based access control
+   Open your Key Vault in Azure portal and click *Access Policies*, select *Azure role-based access control*, then enter *Access control (IAM)* and add *Key Vault Crypto Service Encryption User* role assignment.
 
 ## Update cluster with key identifier details
 
@@ -118,7 +125,7 @@ This step updates dedicated cluster storage with the key and version to use for
 >- Key rotation can be automatic or require explicit key update, see [Key rotation](#key-rotation) to determine approach that is suitable for you before updating the key identifier details in cluster.
 >- Cluster update should not include both identity and key identifier details in the same operation. If you need to update both, the update should be in two consecutive operations.
 
-![Grant Key Vault permissions](media/customer-managed-keys/key-identifier-8bit.png)
+[![Grant Key Vault permissions](media/customer-managed-keys/key-identifier-8bit.png "Screenshot of Key Vault key identifier details")](media/customer-managed-keys/key-identifier-8bit.png#lightbox)
 
 Update KeyVaultProperties in cluster with key identifier details.
 

articles/azure-resource-manager/management/azure-subscription-service-limits.md

@@ -2,7 +2,7 @@
 title: Azure subscription limits and quotas
 description: Provides a list of common Azure subscription and service limits, quotas, and constraints. This article includes information on how to increase limits along with maximum values.
 ms.topic: conceptual
-ms.date: 04/27/2022
+ms.date: 07/27/2022
 ---
 
 # Azure subscription and service limits, quotas, and constraints
@@ -342,6 +342,10 @@ The following table applies to v1, v2, Standard, and WAF SKUs unless otherwise s
 
 [!INCLUDE [azure-front-door-service-limits](../../../includes/front-door-limits.md)]
 
+### Azure Route Server limits
+
+[!INCLUDE [Azure Route Server Limits](../../../includes/route-server-limits.md)]
+
 ### ExpressRoute limits
 
 [!INCLUDE [expressroute-limits](../../../includes/expressroute-limits.md)]

articles/cognitive-services/Speech-Service/includes/quickstarts/captioning/cpp.md

@@ -45,6 +45,10 @@ Follow these steps to create a new console application and install the Speech SD
     --key YourSubscriptionKey --region YourServiceRegion --input c:\caption\caption.this.mp4 --format any --output c:\caption\caption.output.txt - --srt --recognizing --threshold 5 --profanity mask --phrases "Contoso;Jessie;Rehaan"
     ```
     Replace `YourSubscriptionKey` with your Speech resource key, and replace `YourServiceRegion` with your Speech resource [region](~/articles/cognitive-services/speech-service/regions.md), such as `westus` or `northeurope`. Make sure that the paths specified by `--input` and `--output` are valid. Otherwise you must change the paths.
+
+    > [!IMPORTANT]
+    > Remember to remove the key from your code when you're done, and never post it publicly. For production, use a secure way of storing and accessing your credentials like [Azure Key Vault](../../../../../key-vault/general/overview.md). See the Cognitive Services [security](../../../../cognitive-services-security.md) article for more information.
+
 1. [Build and run](/cpp/build/vscpp-step-2-build) the console application. The output file with complete captions is written to `c:\caption\caption.output.txt`. Intermediate results are shown in the console:
     ```console
     00:00:00,180 --> 00:00:01,600

articles/cognitive-services/Speech-Service/includes/quickstarts/captioning/csharp.md

@@ -48,6 +48,9 @@ Follow these steps to create a new console application and install the Speech SD
     ```
     Replace `YourSubscriptionKey` with your Speech resource key, and replace `YourServiceRegion` with your Speech resource [region](~/articles/cognitive-services/speech-service/regions.md), such as `westus` or `northeurope`. Make sure that the paths specified by `--input` and `--output` are valid. Otherwise you must change the paths.
 
+    > [!IMPORTANT]
+    > Remember to remove the key from your code when you're done, and never post it publicly. For production, use a secure way of storing and accessing your credentials like [Azure Key Vault](../../../../../key-vault/general/overview.md). See the Cognitive Services [security](../../../../cognitive-services-security.md) article for more information.
+
     The output file with complete captions is written to `c:\caption\caption.output.txt`. Intermediate results are shown in the console:
     ```console
     00:00:00,180 --> 00:00:01,600