Commit c62c7e1

Merge pull request #222066 from MicrosoftDocs/main
12/20 PM Publish
2 parents ceca0a4 + 9eae2e9 commit c62c7e1

178 files changed

+2292
-841
lines changed

.openpublishing.publish.config.json

Lines changed: 6 additions & 0 deletions
@@ -386,6 +386,12 @@
386386
"branch": "main",
387387
"branch_mapping": {}
388388
},
389+
{
390+
"path_to_root": "azureml-examples-mavaisma-r-azureml",
391+
"url": "https://github.com/azure/azureml-examples",
392+
"branch": "mavaisma-r-azureml",
393+
"branch_mapping": {}
394+
},
389395
{
390396
"path_to_root": "azureml-examples-v2samplesreorg",
391397
"url": "https://github.com/azure/azureml-examples",
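Review bot: The entry added at lines 389-394 sets `"branch": "mavaisma-r-azureml"`, which by its name is a working branch of azure/azureml-examples rather than `main`, so published articles would pull sample code from a ref that can be force-pushed or deleted without any review in this repository. If the branch is only needed until the samples merge, say so in the PR and plan the removal of this entry; otherwise have the articles reference an entry that tracks `main`.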

articles/active-directory-b2c/TOC.yml

Lines changed: 1 addition & 1 deletion
@@ -66,7 +66,7 @@
6666
- name: Authentication library
6767
href: ../active-directory/develop/msal-overview.md?bc=%2fazure%2factive-directory-b2c%2fbread%2ftoc.json&toc=%2fazure%2factive-directory-b2c%2fTOC.json
6868
displayName: MSAL, client library, Microsoft Authentication Library
69-
- name: Azure AD B2C global identitiy framework
69+
- name: Azure AD B2C global identity framework
7070
items:
7171
- name: Global identity solutions
7272
href: azure-ad-b2c-global-identity-solutions.md

articles/active-directory/saas-apps/servicenow-provisioning-tutorial.md

Lines changed: 2 additions & 0 deletions
@@ -149,6 +149,8 @@ After you've configured provisioning, use the following resources to monitor you
149149

150150
- Self-hosted ServiceNow instances aren't supported.
151151

152+
- When an update to the *active* attribute in ServiceNow is provisioned, the attribute *locked_out* is also updated accordingly, even if *locked_out* is not mapped in the Azure provisioning service.
153+
152154
## Additional resources
153155

154156
- [Managing user account provisioning for enterprise apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
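Review bot: In the bullet added at line 152, "updated accordingly" does not say which value *locked_out* takes for each value of *active*, and that matters because the write happens even when *locked_out* is not mapped, so an administrator auditing lockouts in ServiceNow has no attribute mapping to trace the change back to. State the direction explicitly (what *locked_out* becomes when *active* is set to false and when it is set to true) and whether the behavior can be disabled.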

articles/aks/TOC.yml

Lines changed: 1 addition & 1 deletion
@@ -2,7 +2,7 @@
22
href: ./index.yml
33
- name: Overview
44
items:
5-
- name: About AKS
5+
- name: What is AKS?
66
href: intro-kubernetes.md
77
- name: Quotas and regional limits
88
href: quotas-skus-regions.md

articles/aks/intro-kubernetes.md

Lines changed: 1 addition & 1 deletion
@@ -7,7 +7,7 @@ ms.date: 11/18/2022
77
ms.custom: mvc, ignite-2022
88
---
99

10-
# Azure Kubernetes Service
10+
# What is Azure Kubernetes Service?
1111

1212
Azure Kubernetes Service (AKS) simplifies deploying a managed Kubernetes cluster in Azure by offloading the operational overhead to Azure. As a hosted Kubernetes service, Azure handles critical tasks, like health monitoring and maintenance. When you create an AKS cluster, a control plane is automatically created and configured. This control plane is provided at no cost as a managed Azure resource abstracted from the user. You only pay for and manage the nodes attached to the AKS cluster.
1313

articles/application-gateway/mutual-authentication-overview.md

Lines changed: 49 additions & 2 deletions
@@ -69,11 +69,58 @@ For more information on how to extract trusted client CA certificate chains, see
6969

7070
## Server variables
7171

72-
With mutual authentication, there are additional server variables that you can use to pass information about the client certificate to the backend servers behind the Application Gateway. For more information about which server variables are available and how to use them, check out [server variables](./rewrite-http-headers-url.md#mutual-authentication-server-variables).
72+
With mutual TLS authentication, there are additional server variables that you can use to pass information about the client certificate to the backend servers behind the Application Gateway. For more information about which server variables are available and how to use them, check out [server variables](./rewrite-http-headers-url.md#mutual-authentication-server-variables).
7373

7474
## Certificate Revocation
7575

76-
Client certificate revocation with OCSP (Online Certificate Status Protocol) will be supported shortly.
76+
When a client initiates a connection to an Application Gateway configured with mutual TLS authentication, not only can the certificate chain and issuer's distinguished name be validated, but revocation status of the client certificate can be checked with OCSP (Online Certificate Status Protocol). During validation, the certificate presented by the client will be looked up via the defined OCSP responder defined in its Authority Information Access (AIA) extension. In the event the client certificate has been revoked, the application gateway will respond to the client with an HTTP 400 status code and reason. If the certificate is valid, the request will continue to be processed by application gateway and forwarded on to the defined backend pool.
77+
78+
Client certificate revocation can be enabled via REST API, ARM, Bicep, or PowerShell.
79+
80+
# [Azure PowerShell](#tab/powershell)
81+
To configure client revocation check on an existing Application Gateway via Azure PowerShell, the following commands can be referenced:
82+
```azurepowershell
83+
# Get Application Gateway configuration
84+
$AppGw = Get-AzApplicationGateway -Name "ApplicationGateway01" -ResourceGroupName "ResourceGroup01"
85+
86+
# Create new SSL Profile
87+
$profile = Get-AzApplicationGatewaySslProfile -Name "SslProfile01" -ApplicationGateway $AppGw
88+
89+
# Verify Client Cert Issuer DN and enable Client Revocation Check
90+
Set-AzApplicationGatewayClientAuthConfiguration -SslProfile $profile -VerifyClientCertIssuerDN -VerifyClientRevocation OCSP
91+
92+
# Update Application Gateway
93+
Set-AzApplicationGateway -ApplicationGateway $AppGw
94+
95+
```
96+
97+
A list of all Azure PowerShell references for Client Authentication Configuration on Application Gateway can be found here:
98+
- [Set-AzApplicationGatewayClientAuthConfiguration](/powershell/module/az.network/set-azapplicationgatewayclientauthconfiguration)
99+
- [New-AzApplicationGatewayClientAuthConfiguration](/powershell/module/az.network/new-azapplicationgatewayclientauthconfiguration)
100+
101+
# [Azure CLI](#tab/cli)
102+
```azurecli
103+
# Update existing gateway's SSL Profile
104+
az network application-gateway update -n ApplicationGateway01 -g ResourceGroup01 --ssl-profiles [0].client-auth-configuration.verify-client-revocation=OCSP
105+
106+
```
107+
108+
A list of all Azure CLI references for client authentication configuration on Application Gateway can be found here:
109+
- [Azure CLI - Application Gateway](/cli/azure/network/application-gateway)
110+
111+
# [Azure portal](#tab/portal)
112+
Azure portal support is currently not available.
113+
114+
To verify OCSP revocation status has been evaluated, [access logs](./application-gateway-diagnostics.md#access-log) will contain a property called "sslClientVerify", with the status of the OCSP response.
115+
116+
It is critical that the OCSP responder is highly available and network connectivity between Application Gateway and the responder is possible. In the event Application Gateway is unable to resolve the fully qualified domain name (FQDN) of the defined responder or network connectivity is blocked to/from the responder, certificate revocation status will fail and Application Gateway will return a 400 HTTP response to the requesting client.
117+
118+
Note: OCSP checks are validated via local cache based on the nextUpdate time defined by a previous OCSP response. If the OCSP cache has not been populated from a previous request, the first response may fail. Upon retry of the client, the response should be found in the cache and the request will be processed as expected.
119+
120+
Limitations
121+
- Revocation check via CRL is not supported
122+
- Client revocation check was introduced in API version 2022-05-01
123+
- Azure portal support is not available
77124

78125
## Next steps
79126
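Review bot: In the PowerShell sample (lines 86-87) the comment reads `# Create new SSL Profile` but the command is `Get-AzApplicationGatewaySslProfile`, which fetches an existing profile; change the comment to match, or show the creation step if a new profile is intended. The tab group opened at line 80 has no closing `---` after the Azure portal tab, so the access-log paragraph, the responder availability warning, the cache note and the Limitations list (lines 114-123) would render only inside that tab; close the group after line 112 and make "Limitations" a heading. Line 76 also repeats a word ("the defined OCSP responder defined in"), and the CLI example at line 104 addresses the profile as `[0]` without saying that this is the first SSL profile on the gateway.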

Lines changed: 36 additions & 49 deletions
@@ -1,85 +1,72 @@
11
---
22
title: "Move Arc-enabled Kubernetes clusters between regions"
3-
ms.date: 03/03/2021
3+
ms.date: 12/20/2022
44
ms.topic: how-to
55
ms.custom: subject-moving-resources
6-
author: anraghun
7-
ms.author: anraghun
8-
description: "Manually move your Azure Arc-enabled Kubernetes (or connected cluster resources) between regions."
9-
#Customer intent: As a Kubernetes cluster administrator, I want to move my Arc-enabled Kubernetes cluster to another Azure region.
6+
description: "Manually move your Azure Arc-enabled Kubernetes and connected cluster resources between regions."
107
---
118

129
# Move Arc-enabled Kubernetes clusters across Azure regions
1310

14-
This article describes how to move Arc-enabled Kubernetes clusters (or connected cluster resources) to a different Azure region. You might move your resources to another region for a number of reasons. For example, to take advantage of a new Azure region, to deploy features or services available in specific regions only, to meet internal policy and governance requirements, or in response to capacity planning requirements.
11+
In some circumstances, you may want to move your [Arc-enabled Kubernetes clusters](overview.md) to another region. For example, you might want to deploy features or services that are only available in specific regions, or you need to change regions due to internal policy and governance requirements or capacity planning considerations.
12+
13+
This article describes how to move Arc-enabled Kubernetes clusters and any connected cluster resources to a different Azure region.
1514

1615
## Prerequisites
1716

18-
- Ensure that Azure Arc-enabled Kubernetes resource (Microsoft.Kubernetes/connectedClusters) is supported in the target region.
19-
- Ensure that Azure Arc-enabled Kubernetes configuration (Microsoft.KubernetesConfiguration/SourceControlConfigurations, Microsoft.KubernetesConfiguration/Extensions, Microsoft.KubernetesConfiguration/FluxConfigurations) resources are supported in the target region.
20-
- Ensure that the Arc-enabled services you've deployed on top are supported in the target region.
21-
- Ensure you have network access to the api server of your underlying Kubernetes cluster.
17+
- Ensure that Azure Arc-enabled Kubernetes resources (`Microsoft.Kubernetes/connectedClusters`) are [supported in the target region](https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=azure-arc).
18+
- Ensure that any Azure Arc-enabled Kubernetes configuration resources (`Microsoft.KubernetesConfiguration/SourceControlConfigurations`, `Microsoft.KubernetesConfiguration/Extensions`, `Microsoft.KubernetesConfiguration/FluxConfigurations`) are supported in the target region.
19+
- Ensure that the Arc-enabled services you've deployed on top of the cluster are supported in the target region.
20+
- Ensure you have network access to the API server of your underlying Kubernetes cluster.
2221

2322
## Prepare
2423

25-
Before you begin, it's important to understand what moving these resources mean.
26-
27-
### Kubernetes configurations
28-
29-
Source control configurations, Flux configurations and extensions are child resources to the connected cluster resource. In order to move these resources, you'll first need to move the parent connected cluster resource.
24+
Before you begin, it's important to understand what moving these resources involves.
3025

31-
### Connected cluster
26+
The `connectedClusters` resource is the Azure Resource Manager representation of a Kubernetes cluster outside of Azure (such as on-premises, another cloud, or edge). The underlying infrastructure lies in your environment, and Azure Arc provides a representation of the cluster on Azure by installing agents on the cluster.
3227

33-
The connectedClusters resource is the ARM representation of your Kubernetes clusters outside of Azure (on-premises, another cloud, edge...). The underlying infrastructure lies in your environment and Arc provides a first-class representation of the cluster on Azure, by installing agents on your cluster.
28+
Moving a connected cluster to a new region means deleting the ARM resource in the source region, cleaning up the agents on your cluster, and then connecting your cluster again in the target region.
3429

35-
When it comes to "moving" your Arc connected cluster, it means deleting the ARM resource in the source region, cleaning up the agents on your cluster and re-onboarding your cluster again in the target region.
30+
Source control configurations, [Flux configurations](conceptual-gitops-flux2.md) and [extensions](conceptual-extensions.md) within the cluster are child resources of the connected cluster resource. To move these resources, you'll need to save details about the resources, then move the parent `connectedClusters` resource. After that, you can recreate the child resources in the target cluster resource.
3631

3732
## Move
3833

39-
### Kubernetes configurations
34+
1. Do a LIST to get all configuration resources in the source cluster (the cluster to be moved) and save the response body:
4035

41-
1. Do a LIST of all configuration resources in the source cluster (the cluster to be moved) and save the response body to be used as the request body when re-creating these resources.
42-
- [Microsoft.KubernetesConfiguration/SourceControlConfigurations](/cli/azure/k8s-configuration?view=azure-cli-latest&preserve-view=true#az-k8sconfiguration-list)
43-
- [Microsoft.KubernetesConfiguration/Extensions](/cli/azure/k8s-extension?view=azure-cli-latest&preserve-view=true#az-k8s-extension-list)
44-
- [Microsoft.KubernetesConfiguration/FluxConfigurations](/cli/azure/k8s-configuration/flux?view=azure-cli-latest&preserve-view=true#az-k8s-configuration-flux-list)
45-
> [!NOTE]
46-
> LIST/GET of configuration resources **do not** return `ConfigurationProtectedSettings`.
47-
> For such cases, the only option is to save the original request body and reuse them while creating the resources in the new region.
48-
2. [Delete](./move-regions.md#kubernetes-configurations-3) the above configuration resources.
49-
2. Ensure the Arc connected cluster is up and running in the new region. This is the target cluster.
50-
3. Re-create each of the configuration resources obtained in the LIST command from the source cluster on the target cluster.
36+
- [Microsoft.KubernetesConfiguration/SourceControlConfigurations](/cli/azure/k8s-configuration?view=azure-cli-latest&preserve-view=true#az-k8sconfiguration-list)
37+
- [Microsoft.KubernetesConfiguration/Extensions](/cli/azure/k8s-extension?view=azure-cli-latest&preserve-view=true#az-k8s-extension-list)
38+
- [Microsoft.KubernetesConfiguration/FluxConfigurations](/cli/azure/k8s-configuration/flux?view=azure-cli-latest&preserve-view=true#az-k8s-configuration-flux-list)
5139

52-
### Connected cluster
40+
> [!NOTE]
41+
> LIST/GET of configuration resources **do not** return `ConfigurationProtectedSettings`. For such cases, the only option is to save the original request body and reuse them while creating the resources in the new region.
5342
54-
1. [Delete](./move-regions.md#connected-cluster-3) the previous Arc deployment from the underlying Kubernetes cluster.
55-
2. With network access to the underlying Kubernetes cluster, run [this command](./quickstart-connect-cluster.md?tabs=azure-cli#connect-an-existing-kubernetes-cluster) to create the Arc connected cluster in the new region.
56-
> [!NOTE]
57-
> The above command creates the cluster by default in the same location as its resource group.
58-
> Use the `--location` parameter to explicitly provide the target region value.
43+
1. [Delete](./move-regions.md#clean-up-source-resources) the previous Arc deployment from the underlying Kubernetes cluster.
44+
1. With network access to the underlying Kubernetes cluster, run [this command](./quickstart-connect-cluster.md?tabs=azure-cli#connect-an-existing-kubernetes-cluster) to connect that cluster in the new region.
5945

60-
## Verify
46+
> [!NOTE]
47+
> The above command creates the cluster by default in the same location as its resource group. Use the `--location` parameter to explicitly provide the target region value.
48+
49+
1. [Verify](#verify) that the Arc connected cluster is successfully running in the new region. This is the target cluster.
50+
1. Using the response body you saved, recreate each of the configuration resources obtained in the LIST command from the source cluster on the target cluster.
6151

62-
### Kubernetes configurations
52+
If you don't need to move the cluster, but want to move configuration resources to an Arc-enabled Kubernetes cluster in a different region, do the following:
6353

64-
Do a LIST of all configuration resources in the target cluster. This should match the LIST response from the source cluster.
54+
1. Do a LIST to get all configuration resources in the source cluster as noted above, and save the response body.
55+
1. Delete the resources from the source cluster.
56+
1. In the target cluster, recreate each of the configuration resources obtained in the LIST command from the source cluster.
6557

66-
### Connected cluster
58+
## Verify
6759

6860
1. Run `az connectedk8s show -n <connected-cluster-name> -g <resource-group>` and ensure the `connectivityStatus` value is `Connected`.
69-
2. Run [this command](./quickstart-connect-cluster.md?tabs=azure-cli#view-azure-arc-agents-for-kubernetes) to verify all Arc agents are successfully deployed on the underlying cluster.
61+
1. Run [this command](./quickstart-connect-cluster.md?tabs=azure-cli#view-azure-arc-agents-for-kubernetes) to verify all Arc agents are successfully deployed on the underlying cluster.
62+
1. Do a LIST of all configuration resources in the target cluster. This should match the original LIST response from the source cluster.
7063

7164
## Clean up source resources
7265

73-
### Kubernetes configurations
66+
With network access to the underlying Kubernetes cluster, run [this command](./quickstart-connect-cluster.md?tabs=azure-cli#clean-up-resources) to delete the Arc connected cluster. This command deletes the Azure Arc-enabled Kubernetes cluster resource, any associated configuration resources, and any agents running on the cluster.
67+
68+
If you need to delete individual configuration resources in the source cluster without deleting the cluster resource, you can delete these resources individually:
7469

75-
Delete each of the configuration resources returned in the LIST command in the source cluster:
7670
- [Microsoft.KubernetesConfiguration/SourceControlConfigurations](/cli/azure/k8s-configuration?view=azure-cli-latest&preserve-view=true#az-k8s-configuration-delete)
7771
- [Microsoft.KubernetesConfiguration/Extensions](/cli/azure/k8s-extension?view=azure-cli-latest&preserve-view=true#az-k8s-extension-delete)
7872
- [Microsoft.KubernetesConfiguration/FluxConfigurations](/cli/azure/k8s-configuration/flux?view=azure-cli-latest&preserve-view=true#az-k8s-configuration-flux-delete)
79-
80-
> [!NOTE]
81-
> This step may be skipped if the parent Arc connected cluster is also being deleted. Doing so would automatically remove the configuration resources on top.
82-
83-
### Connected cluster
84-
85-
With network access to the underlying Kubernetes cluster, run [this command](./quickstart-connect-cluster.md?tabs=azure-cli#clean-up-resources) to delete the Arc connected cluster. This command will clean up the Arc footprint on the underlying cluster as well as on ARM.
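Review bot: Step 4 of the new Move list (line 50) says to recreate the configuration resources "Using the response body you saved", but the note at lines 40-41 states that LIST/GET do not return `ConfigurationProtectedSettings`, so a reader following the steps as written would recreate extensions and Flux configurations without their protected settings. Have step 1 tell the reader to also gather the original request bodies for any resource that uses protected settings, have step 4 use those bodies, and mention that they should be stored with the same care as the settings they contain. Separately, lines 6-9 remove `author` and `ms.author` from the front matter with no replacement; confirm that is intended.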
