Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into fixedMetrics

Author: roygara

.openpublishing.redirection.virtual-desktop.json

@@ -434,6 +434,11 @@
             "source_path_from_root": "/articles/virtual-desktop/configure-rdp-shortpath-limit-ports-public-networks.md",
             "redirect_url": "/azure/virtual-desktop/configure-rdp-shortpath",
             "redirect_document_id": true
+        },
+        {
+            "source_path_from_root": "/articles/virtual-desktop/disaster-recovery.md",
+            "redirect_url": "/azure/virtual-desktop/disaster-recovery-concepts",
+            "redirect_document_id": true
         }
     ]
 }

articles/aks/app-routing.md

@@ -63,10 +63,14 @@ az aks create \
 
 ### Enable on an existing cluster
 
-To enable application routing on an existing cluster, use the [`az aks approuting enable`][az-aks-approuting-enable] command.
+To enable application routing on an existing cluster, use the [`az aks approuting enable`][az-aks-approuting-enable] or the [`az aks enable-addons`][az-aks-enable-addons] command with the `--addons` parameter set to `http_application_routing`.
 
 ```azurecli-interactive
+# az aks approuting enable
 az aks approuting enable --resource-group <ResourceGroupName> --name <ClusterName>
+
+# az aks enable-addons
+az aks enable-addons --resource-group <ResourceGroupName> --name <ClusterName> --addons http_application_routing
 ```
 
 # [Open Service Mesh (OSM) (retired)](#tab/with-osm)

articles/aks/gpu-cluster.md

@@ -177,9 +177,10 @@ To use Azure Linux, you specify the OS SKU by setting `os-sku` to `AzureLinux` d
             name: nvidia-device-plugin-ds
         spec:
           tolerations:
-          - key: nvidia.com/gpu
-            operator: Exists
-            effect: NoSchedule
+          - key: "sku"
+            operator: "Equal"
+            value: "gpu"
+            effect: "NoSchedule"
           # Mark this pod as a critical add-on; when enabled, the critical add-on
           # scheduler reserves resources for critical add-on pods so that they can
           # be rescheduled after a failure.

articles/aks/private-clusters.md

@@ -58,7 +58,7 @@ Create a private cluster with default basic networking using the [`az aks create
 ```azurecli-interactive
 az aks create \
     --name <private-cluster-name> \
-    --resource-group-name <private-cluster-resource-group> \
+    --resource-group <private-cluster-resource-group> \
     --load-balancer-sku standard \
     --enable-private-cluster \
     --generate-ssh-keys

articles/app-service/app-service-web-configure-tls-mutual-auth.md

@@ -6,9 +6,9 @@ author: msangapu-msft
 ms.author: msangapu
 ms.assetid: cd1d15d3-2d9e-4502-9f11-a306dac4453a
 ms.topic: article
-ms.date: 12/11/2020
+ms.date: 06/21/2024
 ms.devlang: csharp
-ms.custom: devx-track-csharp, devx-track-extended-java, devx-track-js
+ms.custom: devx-track-csharp, devx-track-extended-java, devx-track-js, devx-track-python
 ---
 # Configure TLS mutual authentication for Azure App Service
 
@@ -36,7 +36,7 @@ az webapp update --set clientCertEnabled=true --name <app-name> --resource-group
 ```
 ### [Bicep](#tab/bicep)
 
-For Bicep, modify the properties `clientCertEnabled`, `clientCertMode`, and `clientCertExclusionPaths`. A sampe Bicep snippet is provided for you:
+For Bicep, modify the properties `clientCertEnabled`, `clientCertMode`, and `clientCertExclusionPaths`. A sample Bicep snippet is provided for you:
 
 ```bicep
 resource appService 'Microsoft.Web/sites@2020-06-01' = {
@@ -57,7 +57,7 @@ resource appService 'Microsoft.Web/sites@2020-06-01' = {
 
 ### [ARM](#tab/arm)
 
-For ARM templates, modify the properties `clientCertEnabled`, `clientCertMode`, and `clientCertExclusionPaths`. A sampe ARM template snippet is provided for you:
+For ARM templates, modify the properties `clientCertEnabled`, `clientCertMode`, and `clientCertExclusionPaths`. A sample ARM template snippet is provided for you:
 
 ```ARM
 {
@@ -438,4 +438,147 @@ public class ClientCertValidator {
 }
 ```
 
+## Python sample
+
+The following Flask and Django Python code samples implement a decorator named `authorize_certificate` that can be used on a view function to permit access only to callers that present a valid client certificate. It expects a PEM formatted certificate in the `X-ARR-ClientCert` header and uses the Python [cryptography](https://pypi.org/project/cryptography/) package to validate the certificate based on its fingerprint (thumbprint), subject common name, issuer common name, and beginning and expiration dates. If validation fails, the decorator ensures that an HTTP response with status code 403 (Forbidden) is returned to the client.
+
+### [Flask](#tab/flask)
+
+```python
+from functools import wraps
+from datetime import datetime, timezone
+from flask import abort, request
+from cryptography import x509
+from cryptography.x509.oid import NameOID
+from cryptography.hazmat.primitives import hashes
+
+
+def validate_cert(request):
+
+    try:
+        cert_value =  request.headers.get('X-ARR-ClientCert')
+        if cert_value is None:
+            return False
+        
+        cert_data = ''.join(['-----BEGIN CERTIFICATE-----\n', cert_value, '\n-----END CERTIFICATE-----\n',])
+        cert = x509.load_pem_x509_certificate(cert_data.encode('utf-8'))
+    
+        fingerprint = cert.fingerprint(hashes.SHA1())
+        if fingerprint != b'12345678901234567890':
+            return False
+        
+        subject = cert.subject
+        subject_cn = subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
+        if subject_cn != "contoso.com":
+            return False
+        
+        issuer = cert.issuer
+        issuer_cn = issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
+        if issuer_cn != "contoso.com":
+            return False
+    
+        current_time = datetime.now(timezone.utc)
+    
+        if current_time < cert.not_valid_before_utc:
+            return False
+        
+        if current_time > cert.not_valid_after_utc:
+            return False
+        
+        return True
+
+    except Exception as e:
+        # Handle any errors encountered during validation
+        print(f"Encountered the following error during certificate validation: {e}")
+        return False
+    
+def authorize_certificate(f):
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        if not validate_cert(request):
+            abort(403)
+        return f(*args, **kwargs)
+    return decorated_function
+```
+
+The following code snippet shows how to use the decorator on a Flask view function.
+
+```python
+@app.route('/hellocert')
+@authorize_certificate
+def hellocert():
+   print('Request for hellocert page received')
+   return render_template('index.html')
+```
+
+### [Django](#tab/django)
+
+```python
+from functools import wraps
+from datetime import datetime, timezone
+from django.core.exceptions import PermissionDenied
+from cryptography import x509
+from cryptography.x509.oid import NameOID
+from cryptography.hazmat.primitives import hashes
+
+
+def validate_cert(request):
+
+    try:
+        cert_value =  request.headers.get('X-ARR-ClientCert')
+        if cert_value is None:
+            return False
+        
+        cert_data = ''.join(['-----BEGIN CERTIFICATE-----\n', cert_value, '\n-----END CERTIFICATE-----\n',])
+        cert = x509.load_pem_x509_certificate(cert_data.encode('utf-8'))
+    
+        fingerprint = cert.fingerprint(hashes.SHA1())
+        if fingerprint != b'12345678901234567890':
+            return False
+        
+        subject = cert.subject
+        subject_cn = subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
+        if subject_cn != "contoso.com":
+            return False
+        
+        issuer = cert.issuer
+        issuer_cn = issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
+        if issuer_cn != "contoso.com":
+            return False
+    
+        current_time = datetime.now(timezone.utc)
+    
+        if current_time < cert.not_valid_before_utc:
+            return False
+        
+        if current_time > cert.not_valid_after_utc:
+            return False
+        
+        return True
+
+    except Exception as e:
+        # Handle any errors encountered during validation
+        print(f"Encountered the following error during certificate validation: {e}")
+        return False
+
+def authorize_certificate(view):
+    @wraps(view)
+    def _wrapped_view(request, *args, **kwargs):
+        if not validate_cert(request):
+            raise PermissionDenied
+        return view(request, *args, **kwargs)
+    return _wrapped_view
+```
+
+The following code snippet shows how to use the decorator on a Django view function.
+
+```python
+@authorize_certificate
+def hellocert(request):
+    print('Request for hellocert page received')
+    return render(request, 'hello_azure/index.html')
+```
+
+---
+
 [exclusion-paths]: ./media/app-service-web-configure-tls-mutual-auth/exclusion-paths.png

articles/app-service/configure-ssl-certificate.md

@@ -311,18 +311,19 @@ After the certificate renews inside your key vault, App Service automatically sy
 
 ## Frequently asked questions
 
-- [How can I automate adding a bring-your-owncertificate to an app?](#how-can-i-automate-adding-a-bring-your-owncertificate-to-an-app)
-- [Frequently asked questions for App Service certificates](configure-ssl-app-service-certificate.md#frequently-asked-questions)
-#### How can I automate adding a bring-your-owncertificate to an app?
+### How can I automate adding a bring-your-owncertificate to an app?
 
 - [Azure CLI: Bind a custom TLS/SSL certificate to a web app](scripts/cli-configure-ssl-certificate.md)
 - [Azure PowerShell Bind a custom TLS/SSL certificate to a web app using PowerShell](scripts/powershell-configure-ssl-certificate.md)
 
-#### Can I configure a private CA certificate on my app?
-
-App Service has a list of Trusted Root Certificates which you cannot modify in the multi-tenant variant version of App Service, but you can load your own CA certificate in the Trusted Root Store in an App Service Environment (ASE), which is a single-tenant environment in App Service. (The Free, Basic, Standard, and Premium App Service Plans are all multi-tenant, and the Isolated Plans are single-tenant.)
-- [Private client certificate](environment/overview-certificates.md)
-
+### Can I use a private CA (certificate authority) certificate for inbound TLS on my app?
+You can use a private CA certificate for inbound TLS in an [App Service Environment version 3 (ASEv3)](./environment/overview-certificates.md). This isn't possible in App Service (multi-tenant). For more information on App Service multi-tenant vs. single-tenant, see [App Service Environment v3 and App Service public multitenant comparison](./environment/ase-multi-tenant-comparison.md).
+ 
+### Can I make outbound calls using a private CA (certificate authority) client certificate from my app?
+This is only supported for Windows container apps in multi-tenant App Service. In addition, you can make outbound calls using a private CA client certificate with both code-based and container-based apps in an [App Service Environment version 3 (ASEv3)](./environment/overview-certificates.md). For more information on App Service multi-tenant vs. single-tenant, see [App Service Environment v3 and App Service public multitenant comparison](./environment/ase-multi-tenant-comparison.md).
+ 
+### Can I load a private CA (certificate authority) certificate in my App Service Trusted Root Store?
+You can load your own CA certificate into the Trusted Root Store in an [App Service Environment version 3 (ASEv3)](./environment/overview-certificates.md). You can't modify the list of Trusted Root Certificates in App Service (multi-tenant). For more information on App Service multi-tenant vs. single-tenant, see [App Service Environment v3 and App Service public multitenant comparison](./environment/ase-multi-tenant-comparison.md).
 
 ## More resources
 

articles/azure-cache-for-redis/cache-best-practices-client-libraries.md

@@ -28,7 +28,7 @@ Although we don't own or support any client libraries, we do recommend some libr
 | ioredis             | Node.js |  [Link](https://github.com/luin/ioredis)                     | [More information here](https://ioredis.readthedocs.io/en/stable/API/) |
 
 > [!NOTE]
-> Your application can to connect and use your Azure Cache for Redis instance with any client library that can also communicate with open-source Redis.
+> Your application can use any client library that is compatible with open-source Redis to connect to your Azure Cache for Redis instance.
 
 ## Client library-specific guidance
 

articles/azure-cache-for-redis/cache-troubleshoot-timeouts.md

@@ -145,11 +145,11 @@ There are several changes you can make to mitigate high server load:
 
 - Investigate what is causing high server load such as [long-running commands](#long-running-commands), noted in this article, because of high memory pressure.
 - [Scale](cache-how-to-scale.md) out to more shards to distribute load across multiple Redis processes or scale up to a larger cache size with more CPU cores. For more information, see  [Azure Cache for Redis planning FAQs](./cache-planning-faq.yml).
-- If your production workload on a _C1_ cache is negatively affected by extra latency from virus scanning, you can reduce the effect by to pay for a higher tier offering  with multiple CPU cores, such as _C2_.
+- If your production workload on a _C1_ cache is negatively affected by extra latency from some internal defender scan runs, you can reduce the effect by scaling to a higher tier offering  with multiple CPU cores, such as _C2_.
 
 #### Spikes in server load
 
-On _C0_ and _C1_ caches, you might see short spikes in server load not caused by an increase in requests a couple times a day while virus scanning is running on the VMs. You see higher latency for requests while virus scanning is happening on these tiers. Caches on the  _C0_ and _C1_ tiers only have a single core to multitask, dividing the work of serving virus scanning and Redis requests.
+On _C0_ and _C1_ caches, you might see short spikes in server load not caused by an increase in requests a couple times a day while internal defender scanning is running on the VMs. You see higher latency for requests while internal defender scans happen on these tiers. Caches on the  _C0_ and _C1_ tiers only have a single core to multitask, dividing the work of serving internal defender scanning and Redis requests.
 
 ### High memory usage
 

articles/azure-monitor/agents/data-collection-text-log.md

@@ -46,10 +46,11 @@ The table created in the script has two columns:
 
 - `TimeGenerated` (datetime) [Required]
 - `RawData` (string) [Optional if table schema provided]
-- 'FilePath' (string) [Optional]
+- `FilePath` (string) [Optional]
+- `Computer` (string) [Optional]
 - `YourOptionalColumn` (string) [Optional]
 
-The default table schema for log data collected from text files is 'TimeGenerated' and 'RawData'. Adding the 'FilePath' to either team is optional. If you know your final schema or your source is a JSON log, you can add the final columns in the script before creating the table. You can always [add columns using the Log Analytics table UI](../logs/create-custom-table.md#add-or-delete-a-custom-column) later.  
+The default table schema for log data collected from text files is 'TimeGenerated' and 'RawData'. Adding the 'FilePath' or 'Computer' to either stream is optional. If you know your final schema or your source is a JSON log, you can add the final columns in the script before creating the table. You can always [add columns using the Log Analytics table UI](../logs/create-custom-table.md#add-or-delete-a-custom-column) later.  
 
 Your column names and JSON attributes must exactly match to automatically parse into the table. Both columns and JSON attributes are case sensitive. For example `Rawdata` will not collect the event data. It must be `RawData`. Ingestion will drop JSON attributes that do not have a corresponding column. 
 
@@ -76,7 +77,11 @@ $tableParams = @'
                                 "name": "FilePath",
                                 "type": "String"
                        },
-                      {
+                       {
+                                "name": "Computer",
+                                "type": "String"
+                       },
+                       {
                                 "name": "YourOptionalColumn",
                                 "type": "String"
                      }