Merge pull request #300370 from MicrosoftDocs/main

5/26/2025 AM Publish

Author: Taojunshen

articles/backup/backup-azure-arm-restore-vms.md

@@ -3,7 +3,7 @@ title: Restore VMs by using the Azure portal using Azure Backup
 description: Restore an Azure virtual machine from a recovery point by using the Azure portal, including the Cross Region Restore feature.
 ms.reviewer: nikhilsarode
 ms.topic: how-to
-ms.date: 04/14/2025
+ms.date: 05/26/2025
 ms.service: azure-backup
 author: jyothisuri
 ms.author: jsuri
@@ -20,7 +20,7 @@ Azure Backup provides several ways to restore a VM.
 --- | ---
 **Create a new VM** | Quickly creates and gets a basic VM up and running from a restore point.<br/><br/> You can specify a name for the VM and select the resource group and virtual network (VNet) in which it will be placed. The new VM must be created in the same region as the source VM.<br><br>If a VM restore fails because an Azure VM SKU wasn't available in the specified region of Azure, or because of any other issues, Azure Backup still restores the disks in the specified resource group.
 **Restore disk** | Restores a VM disk, which can then be used to create a new VM.<br/><br/> Azure Backup provides a template to help you customize and create a VM. <br/><br> The restore job generates a template that you can download and use to specify custom VM settings, and create a VM.<br/><br/> The disks are copied to the Resource Group you specify.<br/><br/> Alternatively, you can attach the disk to an existing VM, or create a new VM using PowerShell.<br/><br/> This option is useful if you want to customize the VM, add configuration settings that weren't there at the time of backup, or add settings that must be configured using the template or PowerShell.
-**Replace existing** | You can restore a disk, and use it to replace a disk on the existing VM.<br/><br/> The current VM must exist. If it's been deleted, this option can't be used.<br/><br/> Azure Backup takes a snapshot of the existing VM before replacing the disk. The snapshot is copied to the vault and retained in accordance with the retention policy.　<br/><br/> When you choose a Vault-Standard recovery point, a VHD file with the content of the chosen recovery point is also created in the staging location you specify. Existing disks connected to the VM are replaced with the selected restore point. <br/><br/> After the disk replacement operation is complete, the original disk is retained in the resource group. You can choose to manually delete the original disks if they aren't needed. <br/><br/>Replace existing is supported for unencrypted managed VMs, including VMs [created using custom images](https://azure.microsoft.com/resources/videos/create-a-custom-virtual-machine-image-in-azure-resource-manager-with-powershell/). It's unsupported for classic VMs, unmanaged VMs, and [generalized VMs](/azure/virtual-machines/windows/upload-generalized-managed).<br/><br/> If the restore point has more or less disks than the current VM, then the number of disks in the restore point will only reflect the VM configuration.<br><br> Replace existing is also supported for VMs with linked resources, like [user-assigned managed-identity](../active-directory/managed-identities-azure-resources/overview.md) or [Key Vault](/azure/key-vault/general/overview).
+**Replace existing** | You can restore a disk, and use it to replace a disk on the existing VM.<br/><br/> The current VM must exist. If it's been deleted, this option can't be used.<br/><br/> Azure Backup takes a snapshot of the existing VM before replacing the disk. The snapshot is copied to the vault and retained in accordance with the retention policy.　<br/><br/> When you choose a Vault-Standard recovery point, a VHD file with the content of the chosen recovery point is also created in the staging location you specify. Existing disks connected to the VM are replaced with the selected restore point. <br/><br/> After the disk replacement operation is complete, the original disk is retained in the resource group. You can choose to manually delete the original disks if they aren't needed. <br/><br/>Replace existing is supported for unencrypted managed VMs, including VMs [created using custom images](/azure/virtual-machines/windows/tutorial-custom-images). It's unsupported for classic VMs, unmanaged VMs, and [generalized VMs](/azure/virtual-machines/windows/upload-generalized-managed).<br/><br/> If the restore point has more or less disks than the current VM, then the number of disks in the restore point will only reflect the VM configuration.<br><br> Replace existing is also supported for VMs with linked resources, like [user-assigned managed-identity](../active-directory/managed-identities-azure-resources/overview.md) or [Key Vault](/azure/key-vault/general/overview).
 **Cross Region (secondary region)** | Cross Region restore can be used to restore Azure VMs in the secondary region, which is an [Azure paired region](../availability-zones/cross-region-replication-azure.md).<br><br> You can restore all the Azure VMs for the selected recovery point if the backup is done in the secondary region.<br><br> During the backup, snapshots aren't replicated to the secondary region. Only the data stored in the vault is replicated. So secondary region restores are only [vault tier](about-azure-vm-restore.md#concepts) restores. The restore time for the secondary region will be almost the same as the vault tier restore time for the primary region.  <br><br> This feature is available for the options below:<br><br> - [Create a VM](#create-a-vm) <br> - [Restore Disks](#restore-disks) <br><br> If the source machine has more than 16 disks, VHD's won't be created in Cross Region Restore. <br><br> We don't currently support the [Replace existing disks](#replace-existing-disks) option.<br><br> Permissions<br> The restore operation on secondary region can be performed by Backup Admins and App admins.
 **Cross Subscription Restore** | Allows you to restore Azure Virtual Machines or disks to a different subscription within the same tenant as the source subscription (as per the Azure RBAC capabilities) from restore points.  <br><br> Allowed only if the [Cross Subscription Restore property](backup-azure-arm-restore-vms.md#cross-subscription-restore-for-azure-vm) is enabled for your Recovery Services vault.  <br><br>  Works with [Cross Region Restore](backup-azure-arm-restore-vms.md#cross-region-restore) and [Cross Zonal Restore](backup-azure-arm-restore-vms.md#create-a-vm).   <br><br>   You can trigger Cross Subscription Restore for managed virtual machines only. <br><br> Cross Subscription Restore is supported for [Restore with Managed System Identities (MSI)](backup-azure-arm-restore-vms.md#restore-vms-with-managed-identities). <br><br> It's unsupported for [snapshots tier](backup-azure-vms-introduction.md#snapshot-creation) recovery points. <br><br>  It's unsupported for [unmanaged VMs](#restoring-unmanaged-vms-and-disks-as-managed) and [ADE encrypted VMs](backup-azure-vms-encryption.md#encryption-support-using-ade).
 **Cross Zonal Restore** |	Allows you to restore Azure Virtual Machines or disks pinned to any zone to different available zones (as per the Azure RBAC capabilities) from restore points. Note that when you select a zone to restore, it selects the [logical zone](../reliability/availability-zones-overview.md#zonal-and-zone-redundant-services) (and not the physical zone) as per the Azure subscription you will use to restore to.           <br><br> You can trigger Cross Zonal Restore for managed virtual machines only. <br><br> Cross Zonal Restore is supported for [Restore with Managed System Identities (MSI)](#restore-vms-with-managed-identities). <br><br> Cross Zonal Restore supports restore of an Azure zone pinned/non-zone pinned VM from a vault with Zonal-redundant storage (ZRS) enabled. Learn [how to set Storage Redundancy](backup-create-rs-vault.md#set-storage-redundancy). <br><br> It's supported to restore an Azure zone pinned VM only from a [vault with Cross Region Restore (CRR)](backup-create-rs-vault.md#set-storage-redundancy) (if the secondary region supports zones) or Zone Redundant Storage (ZRS) enabled. <br><br> Cross Zonal Restore is supported from [secondary regions](#restore-in-secondary-region). <br><br> It's unsupported from [snapshots](backup-azure-vms-introduction.md#snapshot-creation) restore point. <br><br> It's unsupported for [Encrypted Azure VMs](backup-azure-vms-introduction.md#encryption-of-azure-vm-backups).
@@ -39,7 +39,7 @@ Some details about storage accounts:
 - **Restore disk**: The VM restore job generates a template, which you can download and use to specify custom VM settings. VHD files are also copied when restoring managed disks **< 4 TB** or VMs containing **< 16 disks** from a Vault-Standard recovery point, or when restoring unmanaged disks. These files are then moved to Managed storage. To prevent extra charges, delete VHDs from the Staging Storage Account.
 - **Replace disk**: When replacing a managed disk from a Vault-Standard recovery point that's **< 4 TB** or a VM containing **< 16 disks**, a VHD file is created in the specified storage account. After replacement, source VM disks remain in the designated Resource Group, and VHDs stay in the storage account; you can delete or retain the source disk and the VHDs as needed.
 - **Storage account location**: The storage account must be in the same region as the vault. Only these accounts are displayed. If there are no storage accounts in the location, you need to create one.
-- **Storage type**: Blob storage isn't supported.
+- **Storage type**: Blob Storage account isn't supported because the Premium Storage account  it requires is excluded for cost optimization.
 - **Premium storage**:
   - When you restore non-premium VMs, premium storage accounts aren't supported.
   - When you restore managed VMs, premium storage accounts configured with network rules aren't supported.

articles/backup/backup-azure-enhanced-soft-delete-configure-manage.md

@@ -2,7 +2,7 @@
 title: Configure and manage enhanced soft delete for Azure Backup
 description: This article describes about how to configure and manage enhanced soft delete for Azure Backup.
 ms.topic: how-to
-ms.date: 03/27/2025
+ms.date: 05/26/2025
 ms.service: azure-backup
 author: jyothisuri
 ms.author: jsuri
@@ -195,7 +195,7 @@ Here are some points to note:
 
 - Unregistering a container while its backup items are soft deleted (not permanently deleted) will change the state of the container to Soft deleted. 
 
-- You can re-register containers that are in soft deleted state to another vault. However, in such scenarios, the existing backups (that is soft deleted) will continue to be in the original vault and will be permanently deleted when the soft delete retention period expires. 
+-  You can reregister containers in a soft deleted state to a different vault. However, their existing backups stay in the original vault and get permanently deleted after the soft delete retention period ends. This process doesn’t work with Immutable vaults because the **Delete** operation isn't allowed, and you can’t access items in the Soft Delete state. Learn about [restricted operations for Immutable vault](backup-azure-immutable-vault-concept.md?tabs=recovery-services-vault#restricted-operations).
 
 - You can also *undelete* the container. Once undeleted, it's re-registered to the original vault.
 
@@ -263,4 +263,4 @@ For implementing other security measures on the vaults, see the following articl
 - [Immutable vault for Azure Backup](backup-azure-immutable-vault-concept.md).
 - [Private endpoints (v1 experience) for Azure Backup](private-endpoints-overview.md).
 - [Private endpoints (v2 experience) for Azure Backup](backup-azure-private-endpoints-concept.md).
-- [Secure by Default with Azure Backup (Preview)](secure-by-default.md).
+- [Secure by Default with Azure Backup (Preview)](secure-by-default.md).

articles/backup/backup-azure-private-endpoints-concept.md

@@ -3,7 +3,7 @@ title: Private endpoints for Azure Backup - Overview
 description: This article explains about the concept of private endpoints for Azure Backup that helps to perform backups while maintaining the security of your resources.
 ms.topic: overview
 ms.service: azure-backup
-ms.date: 04/04/2025
+ms.date: 05/26/2025
 author: jyothisuri
 ms.author: jsuri
 ---
@@ -31,7 +31,8 @@ This article describes how the [enhanced capabilities of private endpoints](#key
 - You can create private endpoints for new Recovery Services vaults that don't have any items registered/protected to the vault, only. However, private endpoints are currently not supported for Backup vaults.
 
   >[!Note]
-  >Private endpoints with static IPs are unsupported in the V2 experience due to dynamic IP expansion. While creation succeeds, registration might fail for vaults with existing protected items.
+  >- Private endpoints with static IPs are unsupported in the V2 experience due to dynamic IP expansion. While creation succeeds, registration might fail for vaults with existing protected items.
+  >- Creation of multiple private endpoints with the same name under Recovery Services Vaults is unsupported.
 
 - You can't upgrade vaults (that contains private endpoints) created using the classic experience to the new experience. You can delete all existing private endpoints, and then create new private endpoints with the v2 experience. 
 

articles/backup/backup-azure-private-endpoints-configure-manage.md

@@ -3,7 +3,7 @@ title: How to create and manage private endpoints (with v2 experience) for Azure
 description: This article explains how to configure and manage private endpoints for Azure Backup.
 ms.topic: how-to
 ms.service: azure-backup
-ms.date: 04/04/2025
+ms.date: 05/26/2025
 author: jyothisuri
 ms.author: jsuri
 ---
@@ -35,7 +35,8 @@ Follow these steps:
    :::image type="content" source="./media/backup-azure-private-endpoints/deny-public-network.png" alt-text="Screenshot showing how to select the Deny option.":::
 
    >[!Note]
-   >Once you deny access, you can still access the vault, but you can't move data to/from networks that don't contain private endpoints. For more information, see [Create private endpoints for Azure Backup](#create-private-endpoints-for-azure-backup).
+   >- When you deny access, you can still access the vault, but you can't move data to/from networks that don't contain private endpoints. For more information, see [Create private endpoints for Azure Backup](#create-private-endpoints-for-azure-backup).
+   >-  Denial of public access is currently not supported for [vaults that have cross-regions restore](backup-create-rs-vault.md#set-cross-region-restore) enabled.
    
 
 3. Select **Apply** to save the changes. 

articles/backup/encryption-at-rest-with-cmk.md

@@ -2,7 +2,7 @@
 title: Encrypt backup data by using customer-managed keys
 description: Learn how to use Azure Backup to encrypt your backup data by using customer-managed keys (CMKs).
 ms.topic: how-to
-ms.date: 07/30/2024
+ms.date: 05/26/2025
 ms.custom: devx-track-azurepowershell-azurecli, devx-track-azurecli
 ms.service: azure-backup
 author: jyothisuri
@@ -586,6 +586,10 @@ If you don't follow the steps in the article and you proceed to protect items, t
 
 Using CMK encryption for Backup doesn't incur any additional costs. But you might continue to incur costs for using your key vault where your key is stored.
 
+### What happens to data encrypted with a CMK after its expiration?
+
+When a Customer Managed Key (CMK) expires, it can still unwrap keys, allowing backup and restore operations to succeed. However, it cannot encrypt new vaults. To ensure continuity, enable key rotation to automatically generate a new version upon expiration. Learn about [Key types, algorithms, and operations](/azure/key-vault/keys/about-keys-details).
+
 ## Next steps
 
 [Overview of security features in Azure Backup](security-overview.md)

articles/event-hubs/event-hubs-federation-patterns.md

@@ -146,7 +146,7 @@ discussed above will help you to skip events that were already handled and resum
 
 The merge pattern has one or more replication tasks pointing to one target, possibly concurrently with regular producers also sending events to the same target.
 
-Variations of these patters are:
+Variations of these patterns are:
 
 - Two or more replication functions concurrently acquiring events from separate sources and sending them to the same target.
 - One more replication function acquiring events from a source while the target is also used directly by producers.

articles/load-testing/concept-load-test-app-service.md

@@ -52,7 +52,7 @@ Azure Load Testing provides high-fidelity support of JMeter. You can create a ne
 - Test authenticated endpoints
 - Pass parameters to the load test, such as environment variables or secrets
 - Test non-HTTP based endpoints, such as database connections
-- Configure more advanced load patters
+- Configure more advanced load patterns
 - Reuse existing JMeter scripts
 
 Get started [create a load test by uploading a JMeter script](./how-to-create-and-run-load-test-with-jmeter-script.md).

articles/migrate/how-to-discover-applications.md

@@ -79,6 +79,16 @@ The sign-in used to connect to a source SQL Server instance requires sysadmin ro
 
 Once connected, the appliance gathers configuration and performance data of SQL Server instances and databases. The SQL Server configuration data is updated once every 24 hours, and the performance data is captured every 30 seconds. Hence, any change to the properties of the SQL Server instance and databases such as database status, compatibility level, etc. can take up to 24 hours to update on the portal.
 
+## Discover MySQL Server instances and databases (preview)
+
+- Software inventory also identifies the MySQL Server instances running in your VMware, Microsoft Hyper-V, and Physical/ Bare-metal environments as well as IaaS services of other public cloud.
+- If you haven't provided Windows or Linux authentication and MySQL Server authentication credentials on the appliance configuration manager, then add the credentials so that the appliance can use them to connect to respective MySQL Server instances.
+
+    > [!NOTE]
+    > Appliance can connect to only those MySQL Server instances to which it has network line of sight, whereas software inventory by itself may not need network line of sight.
+
+Once connected, the appliance gathers configuration and performance data of MySQL Server instances and databases. The MySQL Server configuration data is updated once every 24 hours, and the performance data is captured every 30 seconds. Hence, any change to the properties of the MySQL Server instance and databases such as database status, compatibility level, etc. can take up to 24 hours to update on the portal.
+
 ## Discover ASP.NET web apps
 
 - Software inventory identifies web server role existing on discovered servers. If a server has web server role enabled, Azure Migrate performs web apps discovery on the server.
@@ -107,4 +117,4 @@ Once connected, the appliance gathers configuration and performance data of SQL
 
 - [Create an assessment](how-to-create-assessment.md) for discovered servers.
 - [Assess web apps](how-to-create-azure-app-service-assessment.md) for migration to Azure App Service.
-- [Assess Spring Boot apps](how-to-create-azure-spring-apps-assessment.md) for migration to Azure Spring Apps.
+- [Assess Spring Boot apps](how-to-create-azure-spring-apps-assessment.md) for migration to Azure Spring Apps.