Merge pull request #301890 from MicrosoftDocs/main

Merged by Learn.Build PR Management system

Author: learn-build-service-prod[bot]

articles/azure-functions/functions-develop-vs-code.md

@@ -6,6 +6,7 @@ ms.devlang: csharp
 # ms.devlang: csharp, java, javascript, powershell, python
 ms.custom: devdivchpfy22, vscode-azure-extension-update-complete, devx-track-extended-java, devx-track-js, devx-track-python, ignite-2023, devx-track-ts
 ms.date: 05/27/2025
+
 zone_pivot_groups: programming-languages-set-functions
 #Customer intent: As an Azure Functions developer, I want to understand how Visual Studio Code supports Azure Functions so that I can more efficiently create, publish, and maintain my Functions projects.
 ---
@@ -321,13 +322,16 @@ You can't use the [quick create](functions-develop-vs-code.md?tabs=quick-create#
    | Prompt |  Selection |
    | ------ |  --------- |
    | Enter a globally unique name for the new function app. | Type a globally unique name that identifies your new function app and then select Enter. Valid characters for a function app name are `a-z`, `0-9`, and `-`. |
+   | Select a hosting plan. | Choose your [hosting plan](functions-scale.md). The [Flex Consumption plan](flex-consumption-plan.md) is the recommended plan, which provides serverless hosting on Linux that scales dynamically as needed. |
+   | Select a location for new resources. | Select a location in a [region](https://azure.microsoft.com/regions/) near you or near other services that your functions access. Only regions that support your chosen hosting plan are displayed. If you chose an existing resource group, that location is used and you don't see this prompt. |
    | Select a runtime stack. | Choose the language version that you're locally running. |
    | Select an OS. | Choose either Linux or Windows. Python apps must run on Linux. |
+   | Select App Service Plan. | For Elastic Premium and App Service plans, you must explicitly **Create a new app service plan** and enter the plan name or select an existing plan in which to run. When creating a plan, you must also select a pricing tier. For consumption plans, you won't see this prompt. |
+   | Select resource authentication type | Determines how your app connects to the [default host storage account](storage-considerations.md#storage-account-guidance) by using either a shared secret key or Microsoft Entra ID with managed identities. Selecting **Managed identity** provides the most secure connection to your host storage account and is recommended for Flex Consumption plans. When using managed identities with Consumption and Elastic Premium plans, secret key access to the default host storage remains enabled for Azure Files access. For more information, see [run without Azure Files](storage-considerations.md#create-an-app-without-azure-files). |
    | Select a resource group for new resources. | Choose **Create new resource group**, and enter a resource group name such as **myResourceGroup**. You can also select an existing resource group. |
-   | Select a location for new resources. | Select a location in a [region](https://azure.microsoft.com/regions/) near you or near other services that your functions access. If you chose an existing resource group, that location is used and you don't see this prompt. |
-   | Select a hosting plan. | Choose **Consumption** for serverless [Consumption plan hosting](consumption-plan.md), where you're charged only when your functions run. |
-   | Select a storage account. | Choose **Create new storage account**, and at the prompt, enter a globally unique name for the new storage account used by your function app. Storage account names must be between 3 and 24 characters long and can contain only numbers and lowercase letters. You can also select an existing account. |
+   | Select a storage account. | Choose **Create new storage account**, and at the prompt, enter a globally unique name for the new storage account used by your function app. Storage account names must be between 3 and 24 characters long and can contain only numbers and lowercase letters. You can also select an existing account. When using managed identity authentication, you should create a new storage account. |
    | Select an Application Insights resource for your app. | Choose **Create new Application Insights resource**, and at the prompt, enter a name for the instance used to store runtime data from your functions. |
+   | Select a user assigned identity | Choose **Create a new user assigned identity**. You can also select an existing identity. This identity is used when accessing the default host storage account using Microsoft Entra ID authentication. You won't see this prompt when you select the **Secrets** authentication type. | 
 
    A notification appears after your function app is created, and the deployment package is applied. To view the creation and deployment results, including the Azure resources that you created, select **View Output** in this notification.
 

articles/azure-functions/functions-reference-python.md

@@ -1089,7 +1089,7 @@ The runtime uses the available Python version when you run it locally.
 
 ### Changing Python version
 
-To set a Python function app to a specific language version, you need to specify the language and the version of the language in the `LinuxFxVersion` field in the site configuration. For example, to change the Python app to use Python 3.8, set `linuxFxVersion` to `python|3.8`.
+To set a Python function app to a specific language version, you need to specify the language and the version of the language in the `LinuxFxVersion` field in the site configuration. For example, to change the Python app to use Python 3.12, set `linuxFxVersion` to `python|3.12`.
 
 To learn how to view and change the `linuxFxVersion` site setting, see [How to target Azure Functions runtime versions](set-runtime-version.md#manual-version-updates-on-linux).  
 

articles/azure-functions/set-runtime-version.md

@@ -144,7 +144,7 @@ The function app restarts after the change is made to the application setting.
 To pin your function app to a specific runtime version on Linux, you set a version-specific base image URL in the [`linuxFxVersion` site setting][`linuxFxVersion`] in the format `DOCKER|<PINNED_VERSION_IMAGE_URI>`.
 
 > [!IMPORTANT]
-> Pinned function apps on Linux don't receive regular security and host functionality updates. Unless recommended by a support professional, use the [`FUNCTIONS_EXTENSION_VERSION`](functions-app-settings.md#functions_extension_version) setting and a standard [`linuxFxVersion`] value for your language and version, such as `Python|3.9`. For valid values, see the [`linuxFxVersion` reference article][`linuxFxVersion`].
+> Pinned function apps on Linux don't receive regular security and host functionality updates. Unless recommended by a support professional, use the [`FUNCTIONS_EXTENSION_VERSION`](functions-app-settings.md#functions_extension_version) setting and a standard [`linuxFxVersion`] value for your language and version, such as `Python|3.12`. For valid values, see the [`linuxFxVersion` reference article][`linuxFxVersion`].
 >
 > Pinning to a specific runtime isn't currently supported for Linux function apps running in a Consumption plan.
 

articles/backup/backup-azure-monitor-alert-faq.yml

@@ -5,7 +5,7 @@ metadata:
   ms.reviewer: srinathv
   ms.topic: faq
   ms.service: azure-backup
-  ms.date: 12/30/2024
+  ms.date: 06/26/2025
   author: jyothisuri
   ms.author: jsuri
 title: Frequently asked questions - Azure Backup Monitoring and Reporting
@@ -102,7 +102,12 @@ sections:
           Can I view reports across tenants?
         answer: |
           If you're an [Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/) user with delegated access to your customers' subscriptions or Log Analytics Workspaces, you can use Backup Reports to view data across all your tenants.
-          
+
+      - question: |
+          What is the cost of the email generated by backup reports through logic app? 
+        answer: |
+          Email report is a free feature. However, the costs for log analytics workspaces and logic apps (used to configure email) are incurred based on their individual price models. learn [about Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/?cdn=disable).
+
   - name: Recovery Services vault
     questions:
       - question: |

articles/backup/backup-azure-private-endpoints-concept.md

@@ -3,7 +3,7 @@ title: Private endpoints for Azure Backup - Overview
 description: This article explains about the concept of private endpoints for Azure Backup that helps to perform backups while maintaining the security of your resources.
 ms.topic: overview
 ms.service: azure-backup
-ms.date: 05/26/2025
+ms.date: 06/26/2025
 author: jyothisuri
 ms.author: jsuri
 ---
@@ -38,7 +38,7 @@ This article describes how the [enhanced capabilities of private endpoints](#key
 
 - One virtual network can contain private endpoints for multiple Recovery Services vaults. Also, one Recovery Services vault can have private endpoints for it in multiple virtual networks. However, you can create a maximum of 12 private endpoints for a vault.
 
-- A private endpoint for a vault uses 10 private IPs, and the count may increase over time. Ensure that you've enough IPs available while creating private endpoints. 
+- A private endpoint for a vault uses 10 private IPs, and the count may increase over time. Ensure that you've enough IPs available while creating private endpoints. We recommend that you have enough private IPs (/25) available when you attempt to create private endpoints for Backup.
 
 - Private endpoints for Azure Backup don’t include access to Microsoft Entra ID. Ensure that you enable the access so that IPs and FQDNs required for Microsoft Entra ID to work in a region have outbound access in allowed state in the secured network when performing backup of databases in Azure VMs and backup using the MARS agent. You can also use NSG tags and Azure Firewall tags for allowing access to Microsoft Entra ID, as applicable.
 

articles/backup/backup-azure-private-endpoints-configure-manage.md

@@ -3,7 +3,7 @@ title: How to create and manage private endpoints (with v2 experience) for Azure
 description: This article explains how to configure and manage private endpoints for Azure Backup.
 ms.topic: how-to
 ms.service: azure-backup
-ms.date: 05/26/2025
+ms.date: 06/26/2025
 author: jyothisuri
 ms.author: jsuri
 ---
@@ -140,12 +140,11 @@ Once the private endpoints created for the vault in your VNet have been approved
 >[!IMPORTANT]
 >Ensure that you've completed all the steps mentioned above in the document successfully before proceeding. To recap, you must have completed the steps in the following checklist:
 >
->1. Created a (new) Recovery Services vault
->2. Enabled the vault to use system assigned Managed Identity
->3. Assigned relevant permissions to the Managed Identity of the vault
->4. Created a Private Endpoint for your vault
->5. Approved the Private Endpoint (if not auto approved)
->6. Ensured all DNS records are appropriately added (except blob and queue records for custom servers, which will be discussed in the following sections)
+>1. Created a (new) Recovery Services vault.
+>2. Enabled the vault to use system assigned Managed Identity.
+>3. Created a Private Endpoint for your vault.
+>4. Approved the Private Endpoint (if not auto approved).
+>5. Ensured all DNS records are appropriately added (except blob and queue records for custom servers, which will be discussed in the following sections).
 
 ### Check VM connectivity
 
@@ -214,6 +213,8 @@ To perform Cross Subscription Restore to a Private Endpoint enabled vault:
 4. In the **Virtual Network** section, select the **VNet** of the target VM that you want to restore across subscription.
 5. Create the **Private Endpoint** and trigger the restore process.
 
+   >[!Note]
+   >In the **DNS** section, ensure that the virtual machine in the target subscription can resolve the DNS names associated with the new private endpoint. To enable access to the resource, create a private endpoint for the target virtual machine. For DNS resolution to work correctly, select a different private DNS zone other than the one used in the original vault subscription. Reuse of the same DNS zone overwrites existing entries.
 #### Cross region restore to a private endpoint enabled vault
 
 You can create a **Secondary Private Endpoint** before or after adding protected items in the vault.

articles/backup/private-endpoints-overview.md

@@ -2,7 +2,7 @@
 title: Private endpoints overview
 description: Understand the use of private endpoints for Azure Backup and the scenarios where using private endpoints helps maintain the security of your resources.
 ms.topic: overview
-ms.date: 04/04/2025
+ms.date: 06/26/2025
 ms.custom:
 ms.service: azure-backup
 author: jyothisuri
@@ -24,7 +24,7 @@ This article will help you understand how private endpoints for Azure Backup wor
 - CMK with network restricted key vault isn't supported with private endpoint enabled vault.
 - One virtual network can contain private endpoints for multiple Recovery Services vaults. Also, one Recovery Services vault can have private endpoints for it in multiple virtual networks. However, the maximum number of private endpoints that can be created for a vault is 12.
 - If the public network access for the vault is set to **Allow from all networks**, the vault allows backups and restores from any machine registered to the vault. If the public network access for the vault is set to **Deny**, the vault only allows backups and restores from the machines registered to the vault that are requesting backups/restores via private IPs allocated for the vault.
-- A private endpoint connection for Backup uses a total of 11 private IPs in your subnet, including those used by Azure Backup for storage. This number may be higher for certain Azure regions. So we suggest that you have enough private IPs (/26) available when you attempt to create private endpoints for Backup.
+- A private endpoint connection for Backup uses a total of 11 private IPs in your subnet, including those used by Azure Backup for storage. This number may be higher for certain Azure regions. We recommend that you have enough private IPs (/25) available when you attempt to create private endpoints for Backup.
 - While a Recovery Services vault is used by (both) Azure Backup and Azure Site Recovery, this article discusses use of private endpoints for Azure Backup only.
 - Private endpoints for Backup don’t include access to Microsoft Entra ID and the same needs to be ensured separately. So, IPs and FQDNs required for Microsoft Entra ID to work in a region will need outbound access to be allowed from the secured network when performing backup of databases in Azure VMs and backup using the MARS agent. You can also use NSG tags and Azure Firewall tags for allowing access to Microsoft Entra ID, as applicable.
 - You need to re-register the Recovery Services resource provider with the subscription if you registered it before May 1 2020. To re-register the provider, go to your subscription in the Azure portal, navigate to **Resource provider** on the left navigation bar, then select **Microsoft.RecoveryServices** and select **Re-register**.

articles/backup/private-endpoints.md

@@ -2,7 +2,7 @@
 title: Create and use private endpoints for Azure Backup
 description: Understand the process to creating private endpoints for Azure Backup where using private endpoints helps maintain the security of your resources.
 ms.topic: how-to
-ms.date: 04/04/2025
+ms.date: 06/26/2025
 ms.custom: devx-track-azurepowershell
 ms.service: azure-backup
 author: jyothisuri
@@ -48,7 +48,8 @@ Follow these steps:
    :::image type="content" source="./media/backup-azure-private-endpoints/deny-public-network.png" alt-text="Screenshot showing how to select the Deny option.":::
 
    >[!Note]
-   >- Once you deny access, you can still access the vault, but you can't move data to/from networks that don't contain private endpoints. For more information, see [Create private endpoints for Azure Backup](#create-private-endpoints-for-azure-backup).
+   >- After you deny access, you can still access the vault, but you can't move data to/from networks that don't contain private endpoints. For more information, see [Create private endpoints for Azure Backup](#create-private-endpoints-for-azure-backup).
+   >- If public access is denied and a private endpoint isn’t enabled, backups succeed, but restore operations fail for all workloads except Virtual Machines. However, Virtual Machine item-level recovery also fails. Ensure that you configure network restrictions carefully.
    >- Denying public access is currently not supported for [vaults that have cross-regions restore](backup-create-rs-vault.md#set-cross-region-restore) enabled.
 
 3. Select **Apply** to save the changes.