Merge pull request #252293 from MicrosoftDocs/main

9/20/2023 AM Publish

Author: Taojunshen

articles/active-directory/app-provisioning/provision-on-demand.md

@@ -173,6 +173,7 @@ There are currently a few known limitations to on-demand provisioning. Post your
 * On-demand provisioning of roles isn't supported.
 * On-demand provisioning supports disabling users that have been unassigned from the application. However, it doesn't support disabling or deleting users that have been disabled or deleted from Azure AD. Those users don't appear when you search for a user.
 * On-demand provisioning doesn't support nested groups that aren't directly assigned to the application.
+* The on-demand provisioning request API can only accept a single group with up to 5 members at a time.
 
 ## Next steps
 

articles/aks/private-clusters.md

@@ -110,6 +110,17 @@ You can configure private DNS zones using the following parameters:
   * If your AKS cluster is configured with an Active Directory service principal, AKS doesn't support using a system-assigned managed identity with custom private DNS zone.
   * If you are specifying a `<subzone>` there is a 32 character limit for the `<subzone>` name.
 
+>[!NOTE]
+>**CUSTOM_PRIVATE_DNS_ZONE_RESOURCE_ID** can be configured using an ARM Template in addition to the Azure CLI. `privateDNSZone` accepts the private DNZ zone resourceID as shown in the following example:
+>
+>```json
+>properties.apiServerAccessProfile.privateDNSZone.
+>"apiServerAccessProfile": {
+>"enablePrivateCluster": true,
+>"privateDNSZone": "system|none|[resourceId(..., 'Microsoft.Network/privateDnsZones', 'privatelink.<region>.azmk8s.io']"
+>}
+>```
+
   > [!IMPORTANT]
   > The **CUSTOM_PRIVATE_DNS_ZONE_RESOURCE_ID** cannot be changed after the cluster has been created and it can't be deleted. Otherwise, the cluster will have issues performing upgrade operations.
 

articles/app-service/manage-backup.md

@@ -15,10 +15,10 @@ In [Azure App Service](overview.md), you can easily restore app backups. You can
 Back up and restore are supported in **Basic**, **Standard**, **Premium**, and **Isolated** tiers. For **Basic** tier, only the production slot can be backed up and restored. For more information about scaling your App Service plan to use a higher tier, see [Scale up an app in Azure](manage-scale-up.md).
 
 > [!NOTE]
-> For App Service environments:
+> For App Service Environments:
 > 
-> - Automatic backups can be restored to a target app within the ASE itself, not in another ASE.
-> - Custom backups can be restored to a target app in another ASE, such as from a V2 ASE to a V3 ASE.
+> - Automatic backups can be restored to a target app within the App Service environment itself, not in another App Service environment.
+> - Custom backups can be restored to a target app in another App Service environment, such as from App Service Environment v2 to App Service Environment v3.
 > - Backups can be restored to target app of the same OS platform as the source app.
 
 [!INCLUDE [backup-restore-vs-disaster-recovery](./includes/backup-restore-disaster-recovery.md)]
@@ -38,6 +38,7 @@ There are two types of backups in App Service. Automatic backups made for your a
 | Retention | 30 days, not configurable. <br>- Days 1-3: hourly backups retained.<br>- Days 4-14: every 3 hourly backup retained.<br>- Days 15-30: every 6 hourly backup retained. | 0-30 days or indefinite. |
 | Downloadable | No. | Yes, as Azure Storage blobs. |
 | Partial backups | Not supported. | Supported. |
+| Back up over VNet | Not supported. | Supported. |
 
 <!-- - No file copy errors due to file locks. -->
 
@@ -155,7 +156,7 @@ There are two types of backups in App Service. Automatic backups made for your a
 
 #### Back up and restore a linked database
 
-Custom backups can include linked databases. To make sure your backup includes a linked database, do the following:
+Custom backups can include linked databases (except when the backup is configured over an Azure Virtual Network). To make sure your backup includes a linked database, do the following:
 
 1. Make sure the linked database is [supported](#automatic-vs-custom-backups).
 1. Create a connection string that points to your database. A database is considered "linked" to your app when there's a valid connection string for it in your app's configuration.
@@ -168,6 +169,22 @@ To restore a database that's included in a custom backup:
 
 For troubleshooting information, see [Why is my linked database not backed up](#why-is-my-linked-database-not-backed-up).
 
+## Back up and restore over Azure Virtual Network (preview)
+
+With [custom backups](#create-a-custom-backup), you can back up your app's files and configuration data to a firewall-protected storage account if the following requirements are fulfilled:
+
+- The app is [integrated with a virtual network](overview-vnet-integration.md), or the app is in a v3 [App Service environment](environment/app-service-app-service-environment-intro.md).
+- The storage account has [granted access from the virtual network](../storage/common/storage-network-security.md#grant-access-from-a-virtual-network) that the app is integrated with, or that the v3 App Service environment is created with.
+
+To back up and restore over Azure Virtual Network:
+
+1. When configuring [custom backups](#create-a-custom-backup), select **Backup/restore over virtual network integration**. 
+1. Save your settings by selecting **Configure**.
+
+If you don't see the checkbox, or if the checkbox is disabled, verify that you have fulfilled the aforementioned requirements. 
+
+Once the configuration is saved, any manual, scheduled backup, or restore is made through the virtual network. If you make changes to the app, the virtual network, or the storage account that prevent the app from accessing the storage account through the virtual network, the backup or restore operations will fail.
+
 <a name="partialbackups"></a>
 
 ## Configure partial backups
@@ -300,6 +317,8 @@ The following table shows which app configuration is restored when you choose to
 
 A custom backup (on-demand backup or scheduled backup) includes all content and configuration that's included in an [automatic backup](#whats-included-in-an-automatic-backup), plus any linked database, up to the allowable maximum size.
 
+When [backing up over an Azure Virtual Network](#back-up-and-restore-over-azure-virtual-network-preview), you can't [back up the linked database](#back-up-and-restore-a-linked-database).
+
 #### Why is my linked database not backed up?
 
 Linked databases are backed up only for custom backups, up to the allowable maximum size. If the maximum backup size (10 GB) or the maximum database size (4 GB) is exceeded, your backup fails. Here are a few common reasons why your linked database isn't backed up: 
@@ -314,10 +333,7 @@ Automatic backups can't be restored if the backup size exceeds the maximum size.
 
 #### Can I use a storage account that has security features enabled?
 
-The following security features in Azure storage aren't supported for custom backups:
-
-* Using a [firewall enabled storage account](../storage/common/storage-network-security.md) as the destination for your backups isn't supported. If a backup is configured, you will encounter backup failures.
-* Using a [private endpoint enabled storage account](../storage/common/storage-private-endpoints.md) for backup and restore isn't supported.
+You can back up to a firewall-protected storage account if it's part of the same virtual network topology as your app. See [Back up and restore over Azure Virtual Network (preview)](#back-up-and-restore-over-azure-virtual-network-preview).
 
 #### How do I restore to an app in a different subscription?
 

articles/application-gateway/application-gateway-ssl-policy-overview.md

@@ -131,6 +131,7 @@ Application Gateway supports the following cipher suites from which you can choo
 
 - The connections to backend servers are always with minimum protocol TLS v1.0 and up to TLS v1.2. Therefore, only TLS versions 1.0, 1.1 and 1.2 are supported to establish a secured connection with backend servers. 
 - As of now, the TLS 1.3 implementation is not enabled with "Zero Round Trip Time (0-RTT)" feature.
+- TLS session (ID or Tickets) resumption is not supported.
 - Application Gateway v2 doesn't support the following DHE ciphers. These won't be used for the TLS connections with clients even though they are mentioned in the predefined policies. Instead of DHE ciphers, secure and faster ECDHE ciphers are recommended.
   - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
   - TLS_DHE_RSA_WITH_AES_128_CBC_SHA

articles/application-gateway/media/tutorial-protect-application-gateway/ddos-protection-app-gateway.png

@@ -5,7 +5,7 @@ description: Learn how to set up an application gateway and protect it with Azur
 services: application-gateway
 author: duongau
 ms.author: duau
-ms.date: 04/06/2023
+ms.date: 09/20/2023
 ms.topic: quickstart
 ms.service: application-gateway
 ms.custom: template tutorial
@@ -15,6 +15,8 @@ ms.custom: template tutorial
 
 This article helps you create an Azure Application Gateway with a DDoS protected virtual network. Azure DDoS Network Protection enables enhanced DDoS mitigation capabilities such as adaptive tuning, attack alert notifications, and monitoring to protect your application gateways from large scale DDoS attacks.
 
+:::image type="content" source="./media/tutorial-protect-application-gateway/ddos-protection-app-gateway.png" alt-text="Diagram of DDoS Protection connecting to an Application Gateway.":::
+
 > [!IMPORTANT]
 > Azure DDoS Protection incurs a cost when you use the Network Protection SKU. Overages charges only apply if more than 100 public IPs are protected in the tenant. Ensure you delete the resources in this tutorial if you aren't using the resources in the future. For information about pricing, see [Azure DDoS Protection Pricing]( https://azure.microsoft.com/pricing/details/ddos-protection/). For more information about Azure DDoS protection, see [What is Azure DDoS Protection?](../ddos-protection/ddos-protection-overview.md).
 
@@ -27,6 +29,8 @@ In this tutorial, you learn how to:
 > * Add VMs to the backend of the application gateway
 > * Test the application gateway
 
+
+
 ## Prerequisites
 
 An Azure account with an active subscription is required.  If you don't already have an account, you can [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

articles/application-gateway/tutorial-protect-application-gateway-ddos.md

@@ -64,7 +64,6 @@ The following Azure Arc control plane functionality is offered at no extra cost:
 * Searching and indexing through Azure Resource Graph
 * Access and security through Azure Role-based access control (RBAC)
 * Environments and automation through templates and extensions
-* Update management
 
 Any Azure service that is used on Azure Arc-enabled servers, such as Microsoft Defender for Cloud or Azure Monitor, will be charged as per the pricing for that service. For more information, see the [Azure pricing page](https://azure.microsoft.com/pricing/).
 

articles/azure-arc/overview.md

@@ -0,0 +1,85 @@
+---
+title: Programmatically deploy and manage Azure Arc Extended Security Updates licenses
+description: Learn how to programmatically deploy and manage Azure Arc Extended Security Updates licenses for Windows Server 2012.
+ms.date: 09/20/2023
+ms.topic: conceptual
+---
+
+# Programmatically deploy and manage Azure Arc Extended Security Updates licenses
+
+This article provides instructions to programmatically provision and manage Windows Server 2012 and Windows Server 2012 R2 Extended Security Updates lifecycle operations through the Azure Arc WS2012 ESU ARM APIs.
+
+> [!NOTE]
+> For each of the API commands, be sure to enter accurate parameter information for location, state, edition, type, and processors depending on your particular scenario
+> 
+## Provision a license
+
+To provision a license, execute the following commands:
+
+```
+PUT  
+https://management.azure.com/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP_NAME/providers/Microsoft.HybridCompute/licenses/LICENSE_NAME?api-version=2023-06-20-preview 
+{  
+    "location": "ENTER-REGION",  
+    "properties": {  
+        "licenseDetails": {  
+            "state": "Activated",  
+            "target": "Windows Server 2012",  
+            "Edition": "Datacenter",  
+            "Type": "pCore",  
+            "Processors": 12  
+        }  
+    }  
+}
+```
+
+## Link a license
+
+To link a license, execute the following commands:
+
+```
+PUT  
+https://management.azure.com/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP_NAME/providers/Microsoft.HybridCompute/machines/MACHINE_NAME/licenseProfiles/default?api-version=2023-06-20-preview 
+{ 
+  “location”: “SAME_REGION_AS_MACHINE”, 
+  “properties”: { 
+    “esuProfile”: { 
+      “assignedLicense”: “RESOURCE_ID_OF_LICENSE” 
+    } 
+  } 
+}
+```
+
+## Modify a license
+
+To modify a license, execute the following commands:
+
+```
+PUT/PATCH 
+https://management.azure.com/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP_NAME/providers/Microsoft.HybridCompute/licenses/LICENSE_NAME?api-version=2023-06-20-preview 
+{  
+    "location": "ENTER-REGION",  
+    "properties": {  
+        "licenseDetails": {  
+            "state": "Activated",  
+            "target": "Windows Server 2012",  
+            "Edition": "Datacenter",  
+            "Type": "pCore",  
+            "Processors": 12  
+        }  
+    }  
+}
+```
+
+> [!NOTE]
+> For PUT, all of the properties must be provided. For PATCH, a subset may be provided. 
+> 
+
+## Delete a license
+
+To delete a license, execute the following commands:
+
+```
+DELETE  
+https://management.azure.com/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP_NAME/providers/Microsoft.HybridCompute/licenses/LICENSE_NAME?api-version=2023-06-20-preview
+```

articles/azure-arc/servers/api-extended-security-updates.md

@@ -43,12 +43,12 @@ To prepare for this new offer, you need to plan and prepare to onboard your mach
 We recommend you deploy your machines to Azure Arc in preparation for when the related Azure services deliver supported functionality to manage ESU. Once these machines are onboarded to Azure Arc-enabled servers, you'll have visibility into their ESU coverage and enroll through the Azure portal or using Azure Policy one month before Windows Server 2012 end of support. Billing for this service starts from October 2023, after Windows Server 2012 end of support.
 
 > [!NOTE]
-> In order to purchase ESUs, you must have Software Assurance through Volume Licensing Programs such as an Enterprise Agreement (EA), Enterprise Agreement Subscription (EAS), Enrollment for Education Solutions (EES), or Server and Cloud Enrollment (SCE).
+> In order to purchase ESUs, you must have Software Assurance through Volume Licensing Programs such as an Enterprise Agreement (EA), Enterprise Agreement Subscription (EAS), Enrollment for Education Solutions (EES), or Server and Cloud Enrollment (SCE). Alternatively, if your Windows Server 2012/2012 R2 machines are licensed through SPLA or with a Server Subscription, Software Assurance is not required to purchase ESUs.
 > 
 ## Next steps
 
 * Find out more about [planning for Windows Server and SQL Server end of support](https://www.microsoft.com/en-us/windows-server/extended-security-updates) and [getting Extended Security Updates](/windows-server/get-started/extended-security-updates-deploy).
 
 * Learn about best practices and design patterns through the [Azure Arc landing zone accelerator for hybrid and multicloud](/azure/cloud-adoption-framework/scenarios/hybrid/arc-enabled-servers/eslz-identity-and-access-management).
 * Learn more about [Arc-enabled servers](overview.md) and how they work with Azure through the Azure Connected Machine agent.
-* Explore options for [onboarding your machines](plan-at-scale-deployment.md) to Azure Arc-enabled servers.
+* Explore options for [onboarding your machines](plan-at-scale-deployment.md) to Azure Arc-enabled servers.

articles/azure-arc/servers/prepare-extended-security-updates.md

@@ -135,6 +135,8 @@
       href: license-extended-security-updates.md
     - name: Deliver Extended Security Updates
       href: deliver-extended-security-updates.md
+    - name: Programmatically manage Extended Security Updates licenses
+      href: api-extended-security-updates.md
     - name: Troubleshoot Extended Security Updates
       href: troubleshoot-extended-security-updates.md
   - name: Troubleshooting