Merge branch 'main' into avnm-IPAM-region-updates

Author: mbender-ms

.openpublishing.redirection.json

@@ -6879,6 +6879,11 @@
       "redirect_url": "/azure/sre-agent/troubleshoot-azure-container-apps",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/sre-agent/permissions.md",
+      "redirect_url": "/azure/sre-agent/security-context",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/reliability/whats-new.md",
       "redirect_url": "/azure/reliability/overview",

articles/active-directory-b2c/partner-whoiam.md

@@ -60,7 +60,7 @@ The following diagram shows the implementation architecture.
 
     * [Key Vault](https://azure.microsoft.com/services/key-vault/): Store passwords
     * [App Service](https://azure.microsoft.com/services/app-service/): Host the BRIMS API and admin portal services
-    * [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/): Authenticate administrative users for the portal
+    * [Microsoft Entra ID](https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id): Authenticate administrative users for the portal
     * [Azure Cosmos DB](https://azure.microsoft.com/services/cosmos-db/): Store and retrieve settings
     * [Application Insights overview](/azure/azure-monitor/app/app-insights-overview) (optional): Sign in to the API and the portal
 

articles/api-management/api-management-capacity.md

@@ -56,6 +56,8 @@ Available aggregations for these metrics are as follows.
 
 In the Developer, Basic, Standard, and Premium tiers, the **Capacity** metric is available for making decisions about scaling or upgrading an API Management instance. Its construction is complex and imposes certain behavior.
 
+[!INCLUDE [capacity-change.md](../../includes/api-management-capacity-change.md)]
+
 Available aggregations for this metric are as follows.
 
 * **Avg** - Average percentage of capacity used across gateway processes in every [unit](upgrade-and-scale.md) of an API Management instance. 
@@ -171,6 +173,7 @@ Use capacity metrics for making decisions whether to scale an API Management ins
 + Ignore sudden spikes that are most likely not related to an increase in load (see [Capacity metric behavior](#capacity-metric-behavior) section for explanation).
 + As a general rule, upgrade or scale your instance when a capacity metric value exceeds **60% - 70%** for a long period of time (for example, 30 minutes). Different values may work better for your service or scenario.
 + If your instance or workspace gateway is configured with only 1 unit, upgrade or scale it when a capacity metric value exceeds **40%** for a long period. This recommendation is based on the need to reserve capacity for guest OS updates in the underlying service platform.
++ Use [available diagnostics](monitor-api-management.md) to monitor the response times of API calls. Consider adjusting scaling thresholds if you notice degraded response times with increasing value of capacity metric. 
 
 > [!TIP]  
 > If you are able to estimate your traffic beforehand, test your API Management instance or workspace gateway on workloads you expect. You can increase the request load gradually and monitor the value of the capacity metric that corresponds to your peak load. Follow the steps from the previous section to use Azure portal to understand how much capacity is used at any given time.

articles/api-management/api-management-howto-use-managed-service-identity.md

@@ -317,7 +317,7 @@ API Management is a trusted Microsoft service to the following resources. This t
 
 
 - [Trusted access for Key Vault](/azure/key-vault/general/overview-vnet-service-endpoints#trusted-services)
-- [Trusted access for Azure Storage](../storage/common/storage-network-security.md?tabs=azure-portal#trusted-access-based-on-system-assigned-managed-identity)
+- [Trusted access for Azure Storage](../storage/common/storage-network-security-trusted-azure-services.md?tabs=azure-portal#trusted-access-based-on-system-assigned-managed-identity)
 - [Trusted access for Azure Services Bus](../service-bus-messaging/service-bus-ip-filtering.md#trusted-microsoft-services)
 - [Trusted access for Azure Event Hubs](../event-hubs/event-hubs-ip-filtering.md#trusted-microsoft-services)
 

articles/app-service/app-service-configure-premium-v4-tier.md

@@ -38,7 +38,7 @@ The Premium V4 tier is available for source code applications on Windows, and bo
 > [!NOTE]
 > The Premium V4 tier lacks stable outbound IP addresses. This behavior is intentional. Although Premium V4 apps can make outbound calls, the platform doesn't provide stable outbound IPs for this tier. This differs from previous App Service tiers. The portal shows "Dynamic" for outbound IP addresses for Premium V4 apps. ARM and CLI calls return empty strings for *outboundIpAddresses* and *possibleOutboundIpAddresses*. If Premium V4 apps need stable outbound IPs, use [Azure NAT Gateway](overview-nat-gateway-integration.md) for predictable outbound IPs.
 
-Premium V4 and its SKUs are available in select Azure regions. Microsoft continually adds availability to other regions. To check regional availability for a specific Premium V4 offering, run the following Azure CLI command in [Azure Cloud Shell](../cloud-shell/overview.md). Substitute *P1V4* with the desired SKU:
+Premium V4 and its SKUs are available in select Azure regions. Microsoft continually adds availability to other regions. To check regional availability for a specific Premium V4 offering, run the following Azure CLI command in [Azure Cloud Shell](../cloud-shell/overview.md). Use Azure CLI version 2.73.0 or above. Substitute *P1V4* with the desired SKU:
 
 **Windows** SKU availability
 

articles/app-service/configure-sidecar.md

@@ -0,0 +1,206 @@
+---
+title: Configure sidecars
+description: Step-by-step guide to configuring sidecars, including adding built-in extensions.
+ms.topic: how-to
+ms.date: 07/14/2025
+ms.author: cephalin
+author: cephalin
+---
+
+# Configure sidecars in Azure App Service
+
+This article provides practical steps for enabling and configuring sidecars in your App Service app.
+
+## Create a sidecar in the Azure portal
+
+1. Go to your App Service resource in the Azure portal.
+2. Select **Deployment Center** and go to the **Containers** tab.
+3. Click **Add container** to add a sidecar.
+4. Fill in the image name, registry authentication (if needed), and environment variables.
+5. Save your changes. The sidecar will be deployed alongside your main app container.
+
+## Enable sidecar support for Linux custom containers
+
+For a custom container, you need to explicitly enable sidecar support. In the portal, you can make the selection in the [App Service create wizard](https://portal.azure.com/#view/WebsitesExtension/AppServiceWebAppCreateV3Blade). You can also enable it for an existing app in the **Deployment Center** > **Containers** page of an existing application, as shown in the following screenshot:
+
+:::image type="content" source="media/configure-sidecar/enable-sidecar.png" alt-text="A screenshot showing a custom container app's container settings with the Start Update button highlighted.":::
+
+With the Azure CLI, set `LinuxFxVersion` to `sitecontainers`. For example:
+
+```azurecli
+az webapp config set --name <app-name> --resource-group <resource-group> --linux-fx-version sitecontainers
+```
+
+For more information, see [What are the differences for sidecar-enabled custom containers?](#what-are-the-differences-for-sidecar-enabled-custom-containers)
+
+### What are the differences for sidecar-enabled custom containers?
+
+Sidecar-enabled apps are configured differently than apps that aren't sidecar-enabled.
+
+- Sidecar-enabled apps are designated by `LinuxFxVersion=sitecontainers` and configured with [`sitecontainers`](/azure/templates/microsoft.web/sites/sitecontainers) resources.
+- Apps that aren't sidecar enabled configure the container name and type directly with `LinuxFxVersion=DOCKER|<image-details>`.
+
+For more information, see [az webapp config set --linux-fx-version](/cli/azure/webapp/config).
+
+Apps that aren't sidecar-enabled configure the main container with app settings such as:
+
+- `DOCKER_REGISTRY_SERVER_URL`
+- `DOCKER_REGISTRY_SERVER_USERNAME`
+- `DOCKER_REGISTRY_SERVER_PASSWORD`
+- `WEBSITES_PORT`
+
+These settings don't apply for sidecar-enabled apps.
+
+## Define a sidecar with an ARM template
+
+Add the `Microsoft.Web/sites/sitecontainers` resource type to an app. To pull a sidecar image from ACR using a user-assigned managed identity, specify `authType` as `UserAssigned` and provide the `userManagedIdentityClientId`:
+
+```json
+{
+  "type": "Microsoft.Web/sites/sitecontainers",
+  "apiVersion": "2024-04-01",
+  "name": "<app-name>/<sidecar-name>",
+  "properties": {
+    "image": "<acr-name>.azurecr.io/<image-name>:<version>",
+    "isMain": false,
+    "authType": "UserAssigned",
+    "userManagedIdentityClientId": "<client-id>",
+    "environmentVariables": [
+      { "name": "MY_ENV_VAR", "value": "my-value" }
+    ]
+  }
+}
+```
+
+> [!IMPORTANT]
+> Only the main container (`"isMain": true`) receives external traffic. In a Linux custom container app with sidecar support enabled, your main container has `isMain` set to `true`. All sidecar containers should have `"isMain": false`.
+
+For more information, see [Microsoft.Web sites/sitecontainers](/azure/templates/microsoft.web/sites/sitecontainers).
+
+## Create sidecars with Azure CLI
+
+Create a sidecar-enabled app with [az webapp create](/cli/azure/webapp#az-webapp-create). For example:
+
+```azurecli-interactive
+az webapp create --name <app-name> --resource-group <group-name> --sitecontainers-app
+```
+
+Create a sidecar container with [az webapp sitecontainers create](/cli/azure/webapp/sitecontainers#az-webapp-sitecontainers-create). For example:
+
+```azurecli-interactive
+az webapp sitecontainers create --name <app-name> --resource-group <group-name> --container-name <container> --image <image> --target-port <port>
+```
+
+Create a sidecar container with a JSON file:
+
+```azurecli-interactive
+az webapp sitecontainers create --name <app-name> --resource-group <group-name> --sitecontainers-spec-file <file-path>
+```
+
+For all sidecar commands, see [az webapp sitecontainers](/cli/azure/webapp/sitecontainers).
+
+## Set environment variables
+
+In a Linux app, all containers (main and sidecars) share environment variables. To override a specific variable for a sidecar, add it in the sidecar's configuration.
+
+- In ARM templates, use the `environmentVariables` array in the sidecar's properties.
+- In the Portal, add environment variables in the container configuration UI.
+- Environment variables can reference app settings by name; the value will be resolved at runtime.
+
+## Add the Redis sidecar extension
+
+From the Azure portal, you can add a Redis sidecar extension to your app for caching. The Redis sidecar is for lightweight caching only, not a replacement for Azure Cache for Redis.
+
+To use the Redis sidecar:
+
+- In your application code, set the Redis connection string to `localhost:6379`.
+- Configure Redis in your app’s startup code.
+- Use caching patterns to store and retrieve data.
+- Test by accessing your app and checking logs to confirm cache usage.
+
+## Add the Datadog sidecar extension
+
+From the Azure portal, you can add a Datadog sidecar extension to collect logs, metrics, and traces for observability without modifying app code. When you add the extension, you specify your Datadog account information so that the sidecar extension can ship telemetry directly to Datadog.
+
+**For code-based apps:**
+
+1. Create a `startup.sh` script to download and initialize the Datadog tracer. The following script is an example for a .NET app:
+
+    ```bash
+    #!/bin/bash
+    
+    # Create log directory. This should correspond to the "Datadog Trace Log Directory" extension setting
+    mkdir -p /home/LogFiles/dotnet
+    
+    # Download the Datadog tracer tarball
+    wget -O /datadog/tracer/datadog-dotnet-apm-2.49.0.tar.gz https://github.com/DataDog/dd-trace-dotnet/releases/download/v2.49.0/datadog-dotnet-apm-2.49.0.tar.gz
+    
+    # Navigate to the tracer directory, extract the tarball, and return to the original directory
+    mkdir -p /datadog/tracer
+    pushd /datadog/tracer
+    tar -zxf datadog-dotnet-apm-2.49.0.tar.gz
+    popd
+    
+    dotnet /home/site/wwwroot/<yourapp>.dll
+    ```
+    
+2. Set the startup command in App Service to run this script.
+
+3. Run the application and confirm the telemetry is shipped by signing into your Datadog dashboard.
+
+**For container-based apps:**
+
+Before you add the Datadog sidecar extension, add the Datadog tracer setup in your Dockerfile, similar to the script example for code-based apps.
+
+## Add the Phi-3/Phi-4 sidecar extension
+
+From the Azure portal, you can add a Phi-3 or Phi-4 sidecar extension to your app to provide a local inference model for AI workloads. Your app must be in a pricing tier that supports the inferencing needs. For unsupported tiers, you don't see the options for the Phi-3/Phi-4 sidecar extensions.
+
+- The Phi-3/Phi-4 sidecar exposes a chat completion API at http://localhost:11434/v1/chat/completions.
+- After the sidecar is added, initial startup may be slow due to model loading.
+- To invoke the API, send POST requests to this endpoint, in the same style of the [OpenAPI chat completion API](https://platform.openai.com/docs/api-reference/chat/create).
+
+For end-to-end walkthroughs, see:
+
+- [Tutorial: Run chatbot in App Service with a Phi-4 sidecar extension (ASP.NET Core)](tutorial-ai-slm-dotnet.md)
+- [Tutorial: Run chatbot in App Service with a Phi-4 sidecar extension (Spring Boot)](tutorial-ai-slm-spring-boot.md)
+- [Tutorial: Run chatbot in App Service with a Phi-4 sidecar extension (FastAPI)](tutorial-ai-slm-fastapi.md)
+- [Tutorial: Run chatbot in App Service with a Phi-4 sidecar extension (Express.js)](tutorial-ai-slm-expressjs.md)
+
+
+## Access a sidecar from the main container or from another sidecar
+
+Sidecar containers share the same network host as the main container. The main container and other sidecars can reach any port on a sidecar using `localhost:<port>`. For example, if a sidecar listens on port 4318, the main app can access it at `localhost:4318`.
+
+The **Port** field in the Portal is metadata only and not used by App Service for routing.
+
+## Add volume mounts
+
+By default, the default `/home` volume is mounted to all containers unless disabled. You can configure additional volume mounts for your sidecars. 
+
+Volume mounts enable you to share non-persistent files and directories between containers within your Web App.
+
+- **Volume sub path:** Logical directory path created by App Service. Containers with the same sub path share files.
+- **Container mount path:** Directory path inside the container mapped to the volume sub path.
+
+Example configuration:
+
+| Sidecar name | Volume sub path | Container mount path | Read-only |
+| ------------ | --------------- | -------------------- | --------- |
+| Container1 | /directory1/directory2 | /container1Vol | False |
+| Container2 | /directory1/directory2 | /container2Vol | True |
+| Container3 | /directory1/directory2/directory3 | /container3Vol | False |
+| Container4 | /directory4 | /container1Vol | False |
+
+- If Container1 creates `/container1Vol/myfile.txt`, Container2 can read it via `/container2Vol/myfile.txt`.
+- If Container1 creates `/container1Vol/directory3/myfile.txt`, Container2 can read it via `/container2Vol/directory3/myfile.txt`, and Container3 can read/write via `/container3Vol/myfile.txt`.
+- Container4 does not share a volume with the others.
+
+> [!Note]
+> For code-based Linux apps, the built-in Linux container cannot use volume mounts.
+
+## More resources
+
+- [Sidecars overview](overview-sidecar.md)
+- [Migrate Docker Compose apps to sidecars in Azure App Service](migrate-sidecar-multi-container-apps.md)
+- [Microsoft Q&A for Azure App Service](/answers/tags/436/azure-app-service)

articles/app-service/configure-ssl-certificate.md

@@ -55,7 +55,7 @@ You can add up to 1,000 private certificates per webspace.
 
 ## Create a free managed certificate
 
-The free App Service managed certificate is a turnkey solution that helps to secure your custom DNS name in App Service. App Service manages this TLS/SSL server certificate without any action from you.
+The free App Service managed certificate is a turn-key solution for helping to secure your custom DNS name in App Service. Without any action from you, this TLS/SSL server certificate is fully managed by App Service and is automatically renewed, as long as the prerequisites that you set up stay the same. All the associated bindings are updated with the renewed certificate. You create and bind the certificate to a custom domain, and let App Service do the rest.
 
 Before you create a free managed certificate, make sure that you [meet the prerequisites](#prerequisites) for your app.