Merge pull request #216822 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-docs (branch main)

Author: huypub

articles/aks/private-clusters.md

@@ -151,7 +151,7 @@ As mentioned, virtual network peering is one way to access your private cluster.
 
 2. The private DNS zone is linked only to the VNet that the cluster nodes are attached to (3). This means that the private endpoint can only be resolved by hosts in that linked VNet. In scenarios where no custom DNS is configured on the VNet (default), this works without issue as hosts point at 168.63.129.16 for DNS that can resolve records in the private DNS zone because of the link.
 
-3. In scenarios where the VNet containing your cluster has custom DNS settings (4), cluster deployment fails unless the private DNS zone is linked to the VNet that contains the custom DNS resolvers (5). This link can be created manually after the private zone is created during cluster provisioning or via automation upon detection of creation of the zone using event-based deployment mechanisms (for example, Azure Event Grid and Azure Functions).
+3. In scenarios where the VNet containing your cluster has custom DNS settings (4), cluster deployment fails unless the private DNS zone is linked to the VNet that contains the custom DNS resolvers (5). This link can be created manually after the private zone is created during cluster provisioning or via automation upon detection of creation of the zone using event-based deployment mechanisms (for example, Azure Event Grid and Azure Functions). To avoid cluster failure during initial deployment, the cluster can be deployed with the private DNS zone resource ID. This only works with resource type Microsoft.ContainerService/managedCluster and API version 2022-07-01. Using an older version with an ARM template or Bicep resource definition is not supported.
 
 > [!NOTE]
 > Conditional Forwarding doesn't support subdomains.
@@ -257,4 +257,4 @@ Once the A record is created, link the private DNS zone to the virtual network t
 [container-registry-private-link]: ../container-registry/container-registry-private-link.md
 [virtual-networks-name-resolution]: ../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server
 [virtual-networks-168.63.129.16]: ../virtual-network/what-is-ip-address-168-63-129-16.md
-[use-custom-domains]: coredns-custom.md#use-custom-domains
+[use-custom-domains]: coredns-custom.md#use-custom-domains

articles/api-management/devops-api-development-templates.md

@@ -27,7 +27,7 @@ An API developer writes an API definition by providing a specification, settings
 There are several tools to assist producing the API definition:
 
 * The [Azure API Management DevOps Resource Toolkit][4] includes two tools that provide an Azure Resource Manager (ARM) template.  The _extractor_ creates an ARM template by extracting an API definition from an API Management service. The _creator_ produces the ARM template from a YAML specification.  The DevOps Resource Toolkit supports SOAP, REST, and GraphQL APIs.
-* The [Azure APIOps Toolkit][5] provides a workflow built on top of a [git][21] source code control system (such as [GitHub][22] or [Azure Repos][23]).  It uses an _extractor_ similar to the DevOps Resource Toolkit to produce an API definition that is then applied to a target API Management service.  APIOps supports REST only at this time.
+* The [Azure APIOps Toolkit][5] provides a workflow built on top of a [git][21] source code control system (such as [GitHub][22] or [Azure Repos][23]).  It uses an _extractor_ similar to the DevOps Resource Toolkit to produce an API definition that is then applied to a target API Management service.  APIOps supports REST and GraphQL APIs at this time.
 * The [dotnet-apim][6] tool converts a well-formed YAML definition into an ARM template for later deployment.  The tool is focused on REST APIs.
 * [Terraform][7] is an alternative to Azure Resource Manager to configure resources in Azure.  You can create a Terraform configuration (together with policies) to implement the API in the same way that an ARM template is created.
 
@@ -116,4 +116,4 @@ Review [Automated API deployments with APIOps][28] in the Azure Architecture Cen
 [25]: https://azure.microsoft.com/services/devops/
 [26]: https://github.com/microsoft/api-guidelines/blob/vNext/azure/Guidelines.md
 [27]: https://github.com/Azure/azure-api-style-guide
-[28]: /azure/architecture/example-scenario/devops/automated-api-deployments-apiops
+[28]: /azure/architecture/example-scenario/devops/automated-api-deployments-apiops

articles/defender-for-cloud/quickstart-onboard-gcp.md

@@ -124,9 +124,9 @@ To have full visibility to Microsoft Defender for Servers security content, ensu
 - Additional extensions should be enabled on the Arc-connected machines.
     - Microsoft Defender for Endpoint
     - VA solution (TVM/ Qualys)
-    - Log Analytics (LA) agent on Arc machines. Ensure the selected workspace has security solution installed.
+    - Log Analytics (LA) agent on Arc machines or Azure Monitor agent (AMA). Ensure the selected workspace has security solution installed.
 
-        The LA agent is currently configured in the subscription level, such that all the multicloud accounts and projects (from both AWS and GCP) under the same subscription will inherit the subscription settings with regard to the LA agent.
+        The LA agent and AMA are currently configured in the subscription level, such that all the multicloud accounts and projects (from both AWS and GCP) under the same subscription will inherit the subscription settings with regard to the LA agent and AMA.
 
         Learn more about [monitoring components](monitoring-components.md) for Defender for Cloud.
 

articles/search/search-howto-index-mysql.md

@@ -65,7 +65,7 @@ The data source definition specifies the data to index, credentials, and policie
     api-key: [admin key]
     
     {   
-        "name" : "hotel-mysql-ds"
+        "name" : "hotel-mysql-ds",
         "description" : "[Description of MySQL data source]",
         "type" : "mysql",
         "credentials" : { 

articles/storage/files/storage-files-planning.md

@@ -76,7 +76,7 @@ To access an Azure file share, the user of the file share must be authenticated
 
 For customers migrating from on-premises file servers, or creating new file shares in Azure Files intended to behave like Windows file servers or NAS appliances, domain joining your storage account to **Customer-owned Active Directory** is the recommended option. To learn more about domain joining your storage account to a customer-owned Active Directory, see [Azure Files Active Directory overview](storage-files-active-directory-overview.md).
 
-If you intend to use the storage account key to access your Azure file shares, we recommend using service endpoints as described in the [Networking](#networking) section.
+If you intend to use the storage account key to access your Azure file shares, we recommend using private endpoints or service endpoints as described in the [Networking](#networking) section.
 
 ## Networking
 Directly mounting your Azure file share often requires some thought about networking configuration because:

articles/synapse-analytics/overview-terminology.md

@@ -40,7 +40,7 @@ To use Spark analytics, create and use **serverless Apache Spark pools** in your
 
 There are two ways within Synapse to use Spark:
 
-* **Spark Notebooks** for doing data Data Science and Engineering use Scala, PySpark, C#, and SparkSQL
+* **Spark Notebooks** for doing Data Science and Engineering use Scala, PySpark, C#, and SparkSQL
 * **Spark job definitions** for running batch Spark jobs using jar files.
 
 ## SynapseML

articles/web-application-firewall/shared/waf-azure-policy.md

@@ -25,6 +25,10 @@ There are several built-in Azure Policy definitions to manage WAF resources. A b
 
 4. **Web Application Firewall (WAF) should use the specified mode for Application Gateway**: Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway. The policy definition has three effects: Audit, Deny, and Disable. Audit tracks when a WAF does not fit the specified mode. Deny prevents any WAF from being created if it is not in the correct mode. Disabled turns off the policy assignment.
 
+5. **Azure Application Gateway should have Resource logs enabled**: Mandates the enabling of Resource logs and Metrics on all Application Gateways, including WAF. The policy definition has two effects: AuditIfNotExists and Disable. AuditIfNotExists tracks when an Application Gateway does not have resource logs, metrics enabled and notifies the user that the Application Gateway does not comply. Disabled turns off the policy assignment.
+
+6. **Azure Front Door should have Resource logs enabled**: Mandates the enabling of Resource logs and Metrics on Azure Front Door Service, including WAF. The policy definition has two effects: AuditIfNotExists and Disable. AuditIfNotExists tracks when a Front Door service does not have resource logs, metrics enabled and notifies the user that the service does not comply. Disabled turns off the policy assignment.
+
 ## Launch an Azure Policy
 
 1.	On the Azure home page, type Policy in the search bar and click the Azure Policy icon