Merge pull request #261977 from MicrosoftDocs/main

Merge main to live, 4 AM

Author: v-ccolin

articles/aks/http-proxy.md

@@ -15,6 +15,8 @@ Azure Kubernetes Service (AKS) clusters, whether deployed into a managed or cust
 
 This feature adds HTTP proxy support to AKS clusters, exposing a straightforward interface that cluster operators can use to secure AKS-required network traffic in proxy-dependent environments.
 
+Both AKS nodes and Pods will be configured to use the HTTP proxy.
+
 Some more complex solutions may require creating a chain of trust to establish secure communications across the network. The feature also enables installation of a trusted certificate authority onto the nodes as part of bootstrapping a cluster.
 
 ## Limitations and other details
@@ -30,6 +32,16 @@ The following scenarios are **not** supported:
 
 By default, *httpProxy*, *httpsProxy*, and *trustedCa* have no value.
 
+The Pods will be injected with the following environment variables:
+- `HTTP_PROXY`
+- `http_proxy`
+- `HTTPS_PROXY`
+- `https_proxy`
+- `NO_PROXY`
+- `no_proxy`
+
+To disable the injection of the proxy environment variables the Pod should be annotated with: `"kubernetes.azure.com/no-http-proxy-vars":"true"`
+
 ## Prerequisites
 
 The latest version of the Azure CLI. Run `az --version` to find the version, and run `az upgrade` to upgrade the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
@@ -111,7 +123,7 @@ In your template, provide values for *httpProxy*, *httpsProxy*, and *noProxy*. I
 > [!NOTE]
 > If switching to a new proxy, the new proxy must already exist for the update to be successful.  Then, after the upgrade is completed the old proxy can be deleted.
 
-Values for *httpProxy*, *httpsProxy*, *trustedCa* and *NoProxy* can be changed and applied to the cluster with the [az aks update][az-aks-update] command. An aks update for *httpProxy*, *httpsProxy*, and/or *NoProxy* will automatically inject new environment variables into pods with the new *httpProxy*, *httpsProxy*, or *NoProxy* values.  Pods must be rotated for the apps to pick it up.  For components under kubernetes, like containerd and the node itself, this won't take effect until a node image upgrade is performed.
+Values for *httpProxy*, *httpsProxy*, *trustedCa* and *NoProxy* can be changed and applied to the cluster with the [az aks update][az-aks-update] command. An aks update for *httpProxy*, *httpsProxy*, and/or *NoProxy* will automatically inject new environment variables into pods with the new *httpProxy*, *httpsProxy*, or *NoProxy* values.  Pods must be rotated for the apps to pick it up, because the environment variable values are injected at the Pod creating by a mutating admission webhook.  For components under kubernetes, like containerd and the node itself, this won't take effect until a node image upgrade is performed.
 
 For example, assuming a new file has been created with the base64 encoded string of the new CA cert called *aks-proxy-config-2.json*, the following action updates the cluster.  Or, you need to add new endpoint urls for your applications to No Proxy:
 

articles/azure-arc/vmware-vsphere/enable-virtual-hardware.md

@@ -0,0 +1,58 @@
+---
+title:  Enable virtual hardware and VM CRUD capabilities in a machine with Arc agent installed
+description: Enable virtual hardware and VM CRUD capabilities in a machine with Arc agent installed
+ms.topic: how-to 
+ms.date: 12/27/2023
+ms.service: azure-arc
+ms.subservice: azure-arc-vmware-vsphere
+author: Farha-Bano
+ms.author: v-farhabano
+manager: jsuri
+ms.custom: 
+---
+
+# Enable virtual hardware and VM CRUD capabilities in a machine with Arc agent installed
+
+In this article, you learn how to enable virtual hardware management and VM CRUD operational ability on a VMware VM that has Arc agents installed via the Arc-enabled Servers route.
+
+>[!IMPORTANT]
+> This article is applicable only if you've installed Arc agents directly in VMware machines before onboarding to Azure Arc-enabled VMware vSphere by deploying Arc resource bridge. 
+
+## Prerequisites
+
+- An Azure subscription and resource group where you have *Azure Arc VMware Administrator role*. 
+- Your vCenter instance must be [onboarded](quick-start-connect-vcenter-to-arc-using-script.md) to Azure Arc.
+
+## Enable virtual hardware management and self-service access to vCenter VMs with Arc agent installed
+
+1. From your browser, go to [Azure portal](https://portal.azure.com/).
+
+1. Navigate to the Virtual machines inventory page of your vCenter. <br>
+   The virtual machines that have Arc agent installed via the Arc-enabled Servers route will have **Link to vCenter** status under virtual hardware management.
+
+1. Select **Link to vCenter** to view the pane with the list of all the machines under vCenter with Arc agent installed but not linked to the vCenter in Azure Arc.
+
+1. Choose all the machines that need to be enabled in Azure, and select **Link** to link the machines to vCenter.
+
+1. After you link to vCenter, the virtual hardware status will reflect as **Enabled for all the VMs**, and you can perform [virtual hardware operations](perform-vm-ops-through-azure.md). 
+
+### Known issue
+ 
+During the first scan of the vCenter inventory after onboarding to Azure Arc-enabled VMware vSphere, Arc-enabled Servers machines will be discovered under vCenter inventory. If the Arc-enabled Server machines aren't discovered and you try to perform the **Enable in Azure** operation, you'll encounter the following error:<br>
+
+
+```
+A machine '/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXXX/resourceGroups/rg-contoso/providers/Microsoft.HybridCompute/machines/testVM1' already exists with the specified virtual machine MoRefId: 'vm-4441'. The existing machine resource can be extended with private cloud capabilities by creating the VirtualMachineInstance resource under it.
+```
+
+When you encounter this error message, try performing the **Link to vCenter** operation again after a few minutes (5-10 minutes). Alternatively, you can use the following Azure CLI command to link an existing Arc-enabled Server machine to vCenter:<br>
+
+
+```azurecli-interactive
+az connectedvmware vm create --subscription XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXXX --location eastus --resource-group rg-contoso --custom-location /providers/microsoft.extendedlocation/customlocations/contoso-cl --name contoso-hcrp-machine-name --inventory-item /subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXXX/resourceGroups/contoso-rg/providers/Microsoft.ConnectedVMwarevSphere/VCenters/contoso-vcenter/InventoryItems/vm-142359
+```
+
+## Next steps
+
+[Set up and manage self-service access to VMware resources through Azure RBAC](setup-and-manage-self-service-access.md).
+

articles/azure-arc/vmware-vsphere/toc.yml

@@ -26,6 +26,8 @@
       href: support-matrix-for-arc-enabled-vmware-vsphere.md
     - name: Enable VMware vCenter resources in Azure
       href: browse-and-enable-vcenter-resources-in-azure.md
+    - name: Enable virtual hardware and VM CRUD capabilities in a machine with Arc agent installed
+      href: enable-virtual-hardware.md
   - name: Use Azure Management services for VMware VMs
     items: 
     - name: Install Arc agent at scale for your VMware VMs

articles/defender-for-cloud/defender-for-storage-malware-scan.md

@@ -173,8 +173,8 @@ Malware Scanning doesn't block access or change permissions to the uploaded blob
 
 - Unsupported storage accounts: Legacy v1 storage accounts aren't supported by malware scanning.
 - Unsupported service: Azure Files isn't supported by malware scanning.
-- Unsupported regions: Australia Central 2, Jio India West, Korea South.
-   - Regions that are supported by Defender for Storage but not by malware scanning. Learn more about [availability for Defender for Storage.](/azure/defender-for-cloud/defender-for-storage-introduction)
+- Unsupported regions: Jio India West, Korea South.
+- Regions that are supported by Defender for Storage but not by malware scanning. Learn more about [availability for Defender for Storage.](/azure/defender-for-cloud/defender-for-storage-introduction)
 - Unsupported blob types: [Append and Page blobs](/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs) aren't supported for Malware Scanning.
 - Unsupported encryption: Client-side encrypted blobs aren't supported as they can't be decrypted before scanning by the service. However, data encrypted at rest by Customer Managed Key (CMK) is supported.
 - Unsupported index tag results: Index tag scan result isn't supported in storage accounts with Hierarchical namespace enabled (Azure Data Lake Storage Gen2).

articles/defender-for-cloud/upcoming-changes.md

@@ -2,7 +2,7 @@
 title: Important upcoming changes
 description: Upcoming changes to Microsoft Defender for Cloud that you might need to be aware of and for which you might need to plan 
 ms.topic: overview
-ms.date: 12/24/2023
+ms.date: 12/27/2023
 ---
 
 # Important upcoming changes to Microsoft Defender for Cloud
@@ -25,6 +25,7 @@ If you're looking for the latest release notes, you can find them in the [What's
 
 | Planned change | Announcement date | Estimated date for change |
 |--|--|--|
+| [Deprecation and severity changes to security alerts](#deprecation-and-severity-changes-to-security-alerts) | December 27, 2023 | January 2024 |
 | [Deprecation of two DevOps security recommendations](#deprecation-of-two-devops-security-recommendations) | November 30, 2023 | January 2024 |
 | [Consolidation of Defender for Cloud's Service Level 2 names](#consolidation-of-defender-for-clouds-service-level-2-names) | November 1, 2023 | December 2023 |
 | [Changes to how Microsoft Defender for Cloud's costs are presented in Microsoft Cost Management](#changes-to-how-microsoft-defender-for-clouds-costs-are-presented-in-microsoft-cost-management) | October 25, 2023 | November 2023 |
@@ -35,6 +36,69 @@ If you're looking for the latest release notes, you can find them in the [What's
 | [Deprecating two security incidents](#deprecating-two-security-incidents) |  | November 2023 |
 | [Defender for Cloud plan and strategy for the Log Analytics agent deprecation](#defender-for-cloud-plan-and-strategy-for-the-log-analytics-agent-deprecation) |  | August 2024 |
 
+## Deprecation and severity changes to security alerts
+
+**Announcement date: December 27, 2023**
+
+**Estimated date for change: January 2024** 
+
+The following security alerts are set for deprecation or are set for update to the **informational** severity level .
+
+- The following container security alerts are set for deprecation:
+
+  - `Anomalous pod deployment (Preview) (K8S_AnomalousPodDeployment)`
+  - `Excessive role permissions assigned in Kubernetes cluster (Preview) (K8S_ServiceAcountPermissionAnomaly)`
+  - `Anomalous access to Kubernetes secret (Preview) (K8S_AnomalousSecretAccess)`
+
+- The following security alerts are set to be updated to the **informational** severity level:
+
+  - **Alerts for Windows machines**:
+  
+    - `Adaptive application control policy violation was audited (VM_AdaptiveApplicationControlWindowsViolationAudited)`
+    - `Adaptive application control policy violation was audited (VM_AdaptiveApplicationControlLinuxViolationAudited)`
+  
+  - **Alerts for containers**:
+  
+    - `Attempt to create a new Linux namespace from a container detected (K8S.NODE_NamespaceCreation)`
+    - `Attempt to stop apt-daily-upgrade.timer service detected (K8S.NODE_TimerServiceDisabled)`
+    - `Command within a container running with high privileges (K8S.NODE_PrivilegedExecutionInContainer)`
+    - `Container running in privileged mode (K8S.NODE_PrivilegedContainerArtifacts)`
+    - `Container with a sensitive volume mount detected (K8S_SensitiveMount)`
+    - `Creation of admission webhook configuration detected (K8S_AdmissionController)`
+    - `Detected suspicious file download (K8S.NODE_SuspectDownloadArtifacts)`
+    - `Docker build operation detected on a Kubernetes node (K8S.NODE_ImageBuildOnNode)`
+    - `New container in the kube-system namespace detected (K8S_KubeSystemContainer)`
+    - `New high privileges role detected (K8S_HighPrivilegesRole)`
+    - `Privileged container detected (K8S_PrivilegedContainer)`
+    - `Process seen accessing the SSH authorized keys file in an unusual way (K8S.NODE_SshKeyAccess)`
+    - `Role binding to the cluster-admin role detected (K8S_ClusterAdminBinding)`
+    - `SSH server is running inside a container (K8S.NODE_ContainerSSH)`
+  
+  - **Alerts for DNS**:
+
+    - `Communication with suspicious algorithmically generated domain (AzureDNS_DomainGenerationAlgorithm)`
+    - `Communication with suspicious algorithmically generated domain (DNS_DomainGenerationAlgorithm)`
+    - `Communication with suspicious random domain name (Preview) (DNS_RandomizedDomain)`
+    - `Communication with suspicious random domain name (AzureDNS_RandomizedDomain)`
+    - `Communication with possible phishing domain (AzureDNS_PhishingDomain)`
+    - `Communication with possible phishing domain (Preview) (DNS_PhishingDomain)`
+  
+  - **Alerts for Azure App Service**:
+
+    - `NMap scanning detected (AppServices_Nmap)`
+    - `Suspicious User Agent detected (AppServices_UserAgentInjection)`
+  
+  - **Alerts for Azure network layer**
+  
+    - `Possible incoming SMTP brute force attempts detected (Generic_Incoming_BF_OneToOne)`
+    - `Traffic detected from IP addresses recommended for blocking (Network_TrafficFromUnrecommendedIP)`
+ 
+  - **Alerts for Azure Resource Manager**:
+
+    - `Privileged custom role created for your subscription in a suspicious way (Preview)(ARM_PrivilegedRoleDefinitionCreation)`
+  
+See the full [list of security alerts](alerts-reference.md).
+
 ## Deprecation of two DevOps security recommendations
 
 **Announcement date: November 30, 2023**

articles/defender-for-iot/organizations/ot-deploy/activate-deploy-sensor.md

@@ -94,7 +94,7 @@ When you're done, select **Next: Interface configurations** to continue.
 
 ### Define the interfaces you want to monitor
 
-The **Interface connections** tab shows all interfaces detected by the sensor by default. Use this tab to turn monitoring on or off per interface, or define specific settings for each interface.
+The **Interface configurations** tab shows all interfaces detected by the sensor by default. Use this tab to turn monitoring on or off per interface, or define specific settings for each interface.
 
 > [!TIP]
 > We recommend that you optimize performance on your sensor by configuring your settings to monitor only the interfaces that are actively in use. 

articles/machine-learning/.openpublishing.redirection.machine-learning.json

@@ -455,6 +455,11 @@
         "redirect_url": "/azure/machine-learning/how-to-read-write-data-v2",
         " redirect_document_id": false
     },
+    {
+        "source_path_from_root": "/articles/machine-learning/concept-foundation-models.md",
+        "redirect_url": "/azure/machine-learning/concept-model-catalog",
+        "redirect_document_id": false
+    },
     {
         "source_path_from_root": "/articles/machine-learning/concept-open-source.md",
         "redirect_url": "https://azure.microsoft.com/solutions/open-source/machine-learning/",

articles/machine-learning/concept-deep-learning-vs-machine-learning.md

@@ -19,7 +19,7 @@ This article explains deep learning vs. machine learning and how they fit into t
 
 For guidance on choosing algorithms for your solutions, see the [Machine Learning Algorithm Cheat Sheet](./v1/algorithm-cheat-sheet.md?WT.mc_id=docs-article-lazzeri).
 
-Foundation Models in Azure Machine Learning are pre-trained deep learning models that can be fine-tuned for specific use cases. Learn more about [Foundation Models (preview) in Azure Machine Learning](concept-foundation-models.md), and [how to use Foundation Models in Azure Machine Learning (preview)](how-to-use-foundation-models.md).
+Foundation Models in Azure Machine Learning are pre-trained deep learning models that can be fine-tuned for specific use cases. Learn more about [Foundation Models (preview) in Azure Machine Learning](concept-model-catalog.md), and [how to use Foundation Models in Azure Machine Learning (preview)](how-to-use-foundation-models.md).
 
 ## Deep learning, machine learning, and AI
 

articles/machine-learning/concept-foundation-models.md renamed to articles/machine-learning/concept-model-catalog.md

@@ -72,3 +72,4 @@ Support | Supported by Microsoft and covered by [Azure Machine Learning SLA](htt
 * Explore the [Model Catalog in Azure Machine Learning studio](https://ml.azure.com/model/catalog). You need an [Azure Machine Learning workspace](./quickstart-create-resources.md) to explore the catalog.
 * [Evaluate, fine-tune and deploy models](./how-to-use-foundation-models.md) curated by Azure Machine Learning.
 
+

articles/machine-learning/how-to-auto-train-nlp-models.md

@@ -362,7 +362,7 @@ Note that the large models are larger than their base counterparts. They are typ
 
 ## Supported model algorithms - HuggingFace (preview)
 
-With the new backend that runs on [Azure Machine Learning pipelines](concept-ml-pipelines.md), you can additionally use any text/token classification model from the HuggingFace Hub for [Text Classification](https://huggingface.co/models?pipeline_tag=text-classification&library=transformers), [Token Classification](https://huggingface.co/models?pipeline_tag=token-classification&sort=trending) which is part of the transformers library (such as microsoft/deberta-large-mnli). You may also find a curated list of models in [Azure Machine Learning model registry](concept-foundation-models.md?view=azureml-api-2&preserve-view=true) that have been validated with the pipeline components.
+With the new backend that runs on [Azure Machine Learning pipelines](concept-ml-pipelines.md), you can additionally use any text/token classification model from the HuggingFace Hub for [Text Classification](https://huggingface.co/models?pipeline_tag=text-classification&library=transformers), [Token Classification](https://huggingface.co/models?pipeline_tag=token-classification&sort=trending) which is part of the transformers library (such as microsoft/deberta-large-mnli). You may also find a curated list of models in [Azure Machine Learning model registry](concept-model-catalog.md?view=azureml-api-2&preserve-view=true) that have been validated with the pipeline components.
 
 Using any HuggingFace model will trigger runs using pipeline components. If both legacy and HuggingFace models are used, all runs/trials will be triggered using components.