Commit d1e84cb

Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into release-preview-update-purview-share
2 parents 1575d4c + 3293136 commit d1e84cb

18 files changed, +242 / -75 lines

articles/api-management/redirect-content-urls-policy.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ ms.author: danlep
1111
---
1212

1313
# Mask URLs in content
14-
The `redirect-content-urls` policy rewrites (masks) links in the response body so that they point to the equivalent link via the gateway. Use in the outbound section to rewrite response body links to make them point to the gateway. Use in the inbound section for an opposite effect.
14+
The `redirect-content-urls` policy rewrites (masks) links in the response body so that they point to the equivalent link via the gateway. Use in the outbound section to rewrite response body links to the backend service to make them point to the gateway. Use in the inbound section for an opposite effect.
1515

1616
> [!NOTE]
1717
> This policy does not change any header values such as `Location` headers. To change header values, use the [set-header](set-header-policy.md) policy.
@@ -40,4 +40,4 @@ The `redirect-content-urls` policy rewrites (masks) links in the response body s
4040

4141
* [API Management transformation policies](api-management-transformation-policies.md)
4242

43-
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
43+
[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]

articles/azure-arc/kubernetes/tutorial-akv-secrets-provider.md

Lines changed: 26 additions & 17 deletions
@@ -2,7 +2,7 @@
22
title: Use Azure Key Vault Secrets Provider extension to fetch secrets into Azure Arc-enabled Kubernetes clusters
33
description: Learn how to set up the Azure Key Vault Provider for Secrets Store CSI Driver interface as an extension on Azure Arc enabled Kubernetes cluster
44
ms.custom: ignite-2022
5-
ms.date: 10/12/2022
5+
ms.date: 03/06/2023
66
ms.topic: tutorial
77
author: mayurigupta13
88
ms.author: mayg
@@ -12,7 +12,7 @@ ms.author: mayg
1212

1313
The Azure Key Vault Provider for Secrets Store CSI Driver allows for the integration of Azure Key Vault as a secrets store with a Kubernetes cluster via a [CSI volume](https://kubernetes-csi.github.io/docs/). For Azure Arc-enabled Kubernetes clusters, you can install the Azure Key Vault Secrets Provider extension to fetch secrets.
1414

15-
Benefits of the Azure Key Vault Secrets Provider extension include the following:
15+
Capabilities of the Azure Key Vault Secrets Provider extension include:
1616

1717
- Mounts secrets/keys/certs to pod using a CSI Inline volume
1818
- Supports pod portability with the SecretProviderClass CRD
@@ -33,7 +33,7 @@ Benefits of the Azure Key Vault Secrets Provider extension include the following
3333
- Elastic Kubernetes Service
3434
- Tanzu Kubernetes Grid
3535
- Azure Red Hat OpenShift
36-
- Ensure you have met the [general prerequisites for cluster extensions](extensions.md#prerequisites). You must use version 0.4.0 or newer of the `k8s-extension` Azure CLI extension.
36+
- Ensure you've met the [general prerequisites for cluster extensions](extensions.md#prerequisites). You must use version 0.4.0 or newer of the `k8s-extension` Azure CLI extension.
3737

3838
> [!TIP]
3939
> When using this extension with [AKS hybrid clusters provisioned from Azure](extensions.md#aks-hybrid-clusters-provisioned-from-azure-preview) you must set `--cluster-type` to use `provisionedClusters` and also add `--cluster-resource-provider microsoft.hybridcontainerservice` to the command. Installing Azure Arc extensions on AKS hybrid clusters provisioned from Azure is currently in preview.
@@ -56,7 +56,7 @@ You can install the Azure Key Vault Secrets Provider extension on your connected
5656

5757
[![Screenshot of the Azure Key Vault Secrets Provider extension in the Azure portal.](media/tutorial-akv-secrets-provider/extension-install-new-resource.jpg)](media/tutorial-akv-secrets-provider/extension-install-new-resource.jpg)
5858

59-
1. Follow the prompts to deploy the extension. If needed, you can customize the installation by changing the default options on the **Configuration** tab.
59+
1. Follow the prompts to deploy the extension. If needed, customize the installation by changing the default options on the **Configuration** tab.
6060

6161
### Azure CLI
6262

@@ -67,13 +67,13 @@ You can install the Azure Key Vault Secrets Provider extension on your connected
6767
export RESOURCE_GROUP=<resource-group-name>
6868
```
6969

70-
2. Install the Secrets Store CSI Driver and the Azure Key Vault Secrets Provider extension by running the following command:
70+
2. Install the Secrets Store CSI Driver and the Azure Key Vault Secrets Provider extension by running the following command:
7171

7272
```azurecli-interactive
7373
az k8s-extension create --cluster-name $CLUSTER_NAME --resource-group $RESOURCE_GROUP --cluster-type connectedClusters --extension-type Microsoft.AzureKeyVaultSecretsProvider --name akvsecretsprovider
7474
```
7575

76-
You should see output similar to the example below. Note that it may take several minutes before the secrets provider Helm chart is deployed to the cluster.
76+
You should see output similar to this example. Note that it may take several minutes before the secrets provider Helm chart is deployed to the cluster.
7777

7878
```json
7979
{
@@ -204,7 +204,7 @@ To confirm successful installation of the Azure Key Vault Secrets Provider exten
204204
az k8s-extension show --cluster-type connectedClusters --cluster-name $CLUSTER_NAME --resource-group $RESOURCE_GROUP --name akvsecretsprovider
205205
```
206206

207-
You should see output similar to the example below.
207+
You should see output similar to this example.
208208

209209
```json
210210
{
@@ -251,14 +251,14 @@ You should see output similar to the example below.
251251

252252
Next, specify the Azure Key Vault to use with your connected cluster. If you don't already have one, create a new Key Vault by using the following commands. Keep in mind that the name of your Key Vault must be globally unique.
253253

254-
255254
Set the following environment variables:
256255

257256
```azurecli-interactive
258257
export AKV_RESOURCE_GROUP=<resource-group-name>
259258
export AZUREKEYVAULT_NAME=<AKV-name>
260259
export AZUREKEYVAULT_LOCATION=<AKV-location>
261260
```
261+
262262
Next, run the following command
263263

264264
```azurecli
@@ -280,11 +280,11 @@ Before you move on to the next section, take note of the following properties:
280280

281281
## Provide identity to access Azure Key Vault
282282

283-
Currently, the Secrets Store CSI Driver on Arc-enabled clusters can be accessed through a service principal. Follow the steps below to provide an identity that can access your Key Vault.
283+
Currently, the Secrets Store CSI Driver on Arc-enabled clusters can be accessed through a service principal. Follow these steps to provide an identity that can access your Key Vault.
284284

285-
1. Follow the steps [here](../../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal) to create a service principal in Azure. Take note of the Client ID and Client Secret generated in this step.
286-
1. Provide Azure Key Vault GET permission to the created service principal by following the steps [here](../../key-vault/general/assign-access-policy.md).
287-
1. Use the client ID and Client Secret from step 1 to create a Kubernetes secret on the Arc connected cluster:
285+
1. Follow the steps [to create a service principal in Azure](../../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal). Take note of the Client ID and Client Secret generated in this step.
286+
1. Provide Azure Key Vault GET permission to the created service principal by [following these steps](../../key-vault/general/assign-access-policy.md).
287+
1. Use the client ID and Client Secret from the first step to create a Kubernetes secret on the connected cluster:
288288

289289
```bash
290290
kubectl create secret generic secrets-store-creds --from-literal clientid="<client-id>" --from-literal clientsecret="<client-secret>"
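Review bot: in step 3 the `kubectl create secret generic secrets-store-creds --from-literal clientsecret="<client-secret>"` command puts the Key Vault client secret into the shell history and the process list; suggest reading it from an environment variable or a file instead, e.g. `--from-literal clientsecret="$CLIENT_SECRET"` or `--from-file=clientsecret=./client-secret.txt`. Two further points on the same steps: step 2 says "GET permission" without naming the object type, so the access policy should be scoped to secrets (and to keys or certificates only if those are mounted) rather than granted broadly; and the `kubectl` command has no `-n`, so the secret lands in the current namespace, which only works if that is the namespace of the pod that mounts the CSI volume. One sentence stating that requirement would save a common troubleshooting round-trip.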
@@ -374,12 +374,14 @@ kubectl exec busybox-secrets-store-inline -- cat /mnt/secrets-store/DemoSecret
374374

375375
## Additional configuration options
376376

377-
The following configuration settings are available for the Azure Key Vault Secrets Provider extension:
377+
The Azure Key Vault Secrets Provider extension supports [Helm chart configurations](https://github.com/Azure/secrets-store-csi-driver-provider-azure/blob/master/charts/csi-secrets-store-provider-azure/README.md#configuration).
378+
379+
The following configuration settings are frequently used with the Azure Key Vault Secrets Provider extension:
378380

379381
| Configuration Setting | Default | Description |
380382
| --------- | ----------- | ----------- |
381383
| enableSecretRotation | false | Boolean type. If `true`, periodically updates the pod mount and Kubernetes Secret with the latest content from external secrets store |
382-
| rotationPollInterval | 2m | Specifies the secret rotation poll interval duration if `enableSecretRotation` is `true`. This duration can be adjusted based on how frequently the mounted contents for all pods and Kubernetes secrets need to be resynced to the latest. |
384+
| rotationPollInterval | 2m | If `enableSecretRotation` is `true`, specifies the secret rotation poll interval duration. This duration can be adjusted based on how frequently the mounted contents for all pods and Kubernetes secrets need to be resynced to the latest. |
383385
| syncSecret.enabled | false | Boolean input. In some cases, you may want to create a Kubernetes Secret to mirror the mounted content. If `true`, `SecretProviderClass` allows the `secretObjects` field to define the desired state of the synced Kubernetes Secret objects. |
384386

385387
These settings can be specified when the extension is installed by using the `az k8s-extension create` command:
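Review bot: the `syncSecret.enabled` row describes mirroring mounted content into a Kubernetes Secret but not the consequence: once enabled, Key Vault material is written into Secret objects, so it is stored in etcd and readable by any principal with `get` on secrets in that namespace, and rotation now depends on `rotationPollInterval` for the Secret as well as the mount. Suggest one sentence in the description pointing the reader at namespace RBAC and etcd encryption before turning it on. Minor: the table says "Boolean type" in one row and "Boolean input" in another; pick one.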
@@ -388,12 +390,19 @@ These settings can be specified when the extension is installed by using the `az
388390
az k8s-extension create --cluster-name $CLUSTER_NAME --resource-group $RESOURCE_GROUP --cluster-type connectedClusters --extension-type Microsoft.AzureKeyVaultSecretsProvider --name akvsecretsprovider --configuration-settings secrets-store-csi-driver.enableSecretRotation=true secrets-store-csi-driver.rotationPollInterval=3m secrets-store-csi-driver.syncSecret.enabled=true
389391
```
390392

391-
You can also change the settings after installation by using the `az k8s-extension update` command:
393+
You can also change these settings after installation by using the `az k8s-extension update` command:
392394

393395
```azurecli-interactive
394396
az k8s-extension update --cluster-name $CLUSTER_NAME --resource-group $RESOURCE_GROUP --cluster-type connectedClusters --name akvsecretsprovider --configuration-settings secrets-store-csi-driver.enableSecretRotation=true secrets-store-csi-driver.rotationPollInterval=3m secrets-store-csi-driver.syncSecret.enabled=true
395397
```
396398

399+
You can use other configuration settings as needed for your deployment. For example, to change the kubelet root directory while creating a cluster, modify the az k8s-extension create command:
400+
401+
```azurecli-interactive
402+
az k8s-extension create --cluster-name $CLUSTER_NAME --resource-group $RESOURCE_GROUP --cluster-type connectedClusters --extension-type Microsoft.AzureKeyVaultSecretsProvider --name akvsecretsprovider --configuration-settings linux.kubeletRootDir=/path/to/kubelet secrets-store-csi-driver.enable secrets-store-csi-driver.linux.kubeletRootDir=/path/to/kubelet
403+
```
404+
405+
397406
## Uninstall the Azure Key Vault Secrets Provider extension
398407

399408
To uninstall the extension, run the following command:
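Review bot: the kubeletRootDir example (hunk line 402) passes the bare token `secrets-store-csi-driver.enable` with no `=value`, so `--configuration-settings` receives a malformed key and the `az k8s-extension create` call fails; either remove that token or give it the value intended. The lead-in on line 399 says "while creating a cluster", but the command installs the extension on an already connected cluster, so "when installing the extension" is accurate. It would also help to say why both `linux.kubeletRootDir` and `secrets-store-csi-driver.linux.kubeletRootDir` are set to the same path, since a reader will otherwise set only one of them.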
@@ -411,11 +420,11 @@ To confirm that the extension instance has been deleted, run the following comma
411420
az k8s-extension list --cluster-type connectedClusters --cluster-name $CLUSTER_NAME --resource-group $RESOURCE_GROUP
412421
```
413422

414-
If the extension was successfully removed, you won't see the the Azure Key Vault Secrets Provider extension listed in the output. If you don't have any other extensions installed on your cluster, you'll see an empty array.
423+
If the extension was successfully removed, you won't see the Azure Key Vault Secrets Provider extension listed in the output. If you don't have any other extensions installed on your cluster, you'll see an empty array.
415424

416425
## Reconciliation and troubleshooting
417426

418-
The Azure Key Vault Secrets Provider extension is self-healing. If somebody tries to change or delete an extension component that was deployed when the extension was installed, that component will be reconciled to its original state. The only exceptions are for Custom Resource Definitions (CRDs). If CRDs are deleted, they won't be reconciled. To restore deleted CRDs, use the `az k8s-exstension create` command again with the existing extension instance name.
427+
The Azure Key Vault Secrets Provider extension is self-healing. If somebody tries to change or delete an extension component that was deployed when the extension was installed, that component will be reconciled to its original state. The only exceptions are for Custom Resource Definitions (CRDs). If CRDs are deleted, they won't be reconciled. To restore deleted CRDs, use the `az k8s-extension create` command again with the existing extension instance name.
419428

420429
For more information about resolving common issues, see the open source troubleshooting guides for [Azure Key Vault provider for Secrets Store CSI driver](https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/troubleshooting/) and [Secrets Store CSI Driver](https://secrets-store-csi-driver.sigs.k8s.io/troubleshooting.html).
421430

articles/azure-resource-manager/management/move-limitations/networking-move-limitations.md

Lines changed: 4 additions & 1 deletion
@@ -18,7 +18,10 @@ If you want to move networking resources to a new region, see [Tutorial: Move Az
1818
> [!NOTE]
1919
> Any resource, including a VPN Gateway, that is associated with a public IP Standard SKU address can't be moved across subscriptions. For virtual machines, you can [disassociate the public IP address](../../../virtual-network/ip-services/remove-public-ip-address-vm.md) before moving across subscriptions.
2020
21-
When moving a resource, you must also move its dependent resources (for example - public IP addresses, virtual network gateways, all associated connection resources). Local network gateways can be in a different resource group.
21+
When moving a resource, you must also move its dependent resources (for example - public IP addresses, virtual network gateways, all associated connection resources). The virtual network assigned to the AKS instance can also be moved, and local network gateways can be in a different resource group.
22+
23+
> [!WARNING]
24+
> Please refrain from moving the virtual network for an AKS cluster. The AKS cluster will stop working if its virtual network is moved.
2225
2326
To move a virtual machine with a network interface card to a new subscription, you must move all dependent resources. Move the virtual network for the network interface card, all other network interface cards for the virtual network, and the VPN gateways.
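Review bot: line 21 now states that "The virtual network assigned to the AKS instance can also be moved", and the WARNING added two lines later says the AKS cluster stops working if its virtual network is moved; the two sentences contradict each other. Drop the AKS clause from line 21 (or change it to "must not be moved") and keep the warning. In the warning itself, "Please refrain from moving" understates the consequence; "Do not move the virtual network of an AKS cluster" matches the WARNING callout.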
2427

articles/azure-vmware/attach-azure-netapp-files-to-azure-vmware-solution-hosts.md

Lines changed: 11 additions & 9 deletions
@@ -166,16 +166,18 @@ To attach an Azure NetApp Files volume to your private cloud using Azure CLI, fo
166166

167167
## Service level change for Azure NetApp Files datastore
168168

169-
Based on the performance requirements of the datastore, you can change the service level of the Azure NetApp Files volume used for the datastore by following the instructions to [dynamically change the service level of a volume for Azure NetApp Files](../azure-netapp-files/dynamic-change-volume-service-level.md)
170-
This has no impact to the Datastore or private cloud as there is no downtime involved and the IP address/mount path remain unchanged. However, the volume Resource ID will be changed due to the capacity pool change. Therefore to avoid any metadata mismatch re-issue the datastore create command via Azure CLI as follows: `az vmware datastore netapp-volume create`.
169+
Based on the performance requirements of the datastore, you can change the service level of the Azure NetApp Files volume used for the datastore by following the instructions to [dynamically change the service level of a volume for Azure NetApp Files](../azure-netapp-files/dynamic-change-volume-service-level.md).
170+
Changing the service level has no impact on the datastore or private cloud. There is no downtime and the volume's IP address/mount path remain unchanged. However, the volume's resource ID will change as a result of the capacity pool change. To correct any metadata mismatch, re-run the datastore creation in Azure CLI for the existing datastore with the new Resource ID for the Azure NetApp Files volume:
171+
```azurecli
172+
az vmware datastore netapp-volume create \
173+
--name <name of existing datastore> \
174+
--resource-group <resource group containing AVS private cloud> \
175+
--cluster <cluster name in AVS private cloud> \
176+
--private-cloud <name of AVS private cloud> \
177+
--volume-id /subscriptions/<subscription ID>/resourceGroups/<resource group>/providers/Microsoft.NetApp/netAppAccounts/<NetApp account>/capacityPools/<changed capacity pool>/volumes/<volume name>
178+
```
171179
>[!IMPORTANT]
172-
> The input values for **cluster** name, datastore **name**, **private-cloud** (SDDC) name, and **resource-group** must be **exactly the same as the current one**, and the **volume-id** is the new Resource ID of the volume.
173-
174-
-**cluster**
175-
-**name**
176-
-**private-cloud**
177-
-**resource-group**
178-
-**volume-id**
180+
> The parameters for datastore **name**, **resource-group**, **cluster**, and **private-cloud** (SDDC) must be **exactly the same as those on the existing datastore in the private cloud**. The **volume-id** is the updated Resource ID of the Azure NetApp Files volume after the service level change.
179181
180182
## Disconnect an Azure NetApp Files-based datastore from your private cloud
181183
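Review bot: the new fenced block (hunk lines 171 to 178) has no blank line before it or after it; the paragraph on line 170 runs straight into the opening fence and `>[!IMPORTANT]` sits directly under the closing fence, which trips markdownlint MD031 and, in some renderers, glues the callout to the code block. Add a blank line on each side. The rewritten IMPORTANT note reads well, but since the text says "re-run the datastore creation" for an existing datastore, it is worth stating that the command updates the existing datastore in place rather than creating a second one, as that is what a reader will worry about.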

articles/cosmos-db/configure-periodic-backup-restore.md

Lines changed: 2 additions & 0 deletions
@@ -172,6 +172,8 @@ If you have accidentally deleted or corrupted your data, you should contact [Azu
172172
> * VNET access control lists
173173
> * Stored procedures, triggers and user-defined functions
174174
> * Multi-region settings
175+
> * Managed identity settings
176+
175177

176178
If you provision throughput at the database level, the backup and restore process in this case happen at the entire database level, and not at the individual containers level. In such cases, you can't select a subset of containers to restore.
177179

articles/cosmos-db/configure-synapse-link.md

Lines changed: 3 additions & 0 deletions
@@ -35,6 +35,9 @@ The first step to use Synapse Link is to enable it for your Azure Cosmos DB data
3535
> [!NOTE]
3636
> If you want to use Full Fidelity Schema for API for NoSQL accounts, you can't use the Azure portal to enable Synapse Link. This option can't be changed after Synapse Link is enabled in your account and to set it you must use Azure CLI or PowerShell. For more information, check [analytical store schema representation documentation](analytical-store-introduction.md#schema-representation).
3737
38+
> [!NOTE]
39+
> You need [Contributor role](role-based-access-control.md) to enable Synapse Link at account level. And you need at least [Operator role](role-based-access-control.md) to enable Synapse Link in your containers or collections.
40+
3841
### Azure portal
3942

4043
1. Sign into the [Azure portal](https://portal.azure.com/).
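Review bot: the new NOTE uses "Operator role" and "at least Operator role", which is ambiguous: the linked page documents Azure RBAC built-in roles, and "at least" implies an ordering between Contributor and Operator that the page does not define. Name the exact built-in role (if the intended role is Cosmos DB Operator, say so) and state the scope it must be assigned at (account versus container), since that is what a reader copying the guidance needs to request.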

articles/cosmos-db/how-to-setup-customer-managed-keys.md

Lines changed: 1 addition & 4 deletions
@@ -516,7 +516,7 @@ Not available
516516

517517
## Restore a continuous account that is configured with managed identity
518518

519-
System identity is tied to one specific account and can't be reused in another account. So, a new user-assigned identity is required during the restore process.
519+
A user-assigned identity is required in the restore request because the source account managed identity (User-assigned and System-assigned identities) cannot be carried over automatically to the target database account.
520520

521521
### [Azure CLI](#tab/azure-cli)
522522

@@ -525,7 +525,6 @@ Use the Azure CLI to restore a continuous account that is already configured usi
525525
> [!NOTE]
526526
> This feature is currently under Public Preview and requires Cosmos DB CLI Extension version 0.20.0 or higher.
527527
528-
The newly created user assigned identity is only needed during the restore and can be cleaned up once the restore has completed. First, to restore a source account with system-assigned identity.
529528

530529
1. Create a new user-assigned identity (or use an existing one) for the restore process.
531530
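Review bot: deleting line 528 removes the only statement about the lifetime of the temporary user-assigned identity without replacing it, and the later step (hunk line 563) says the restored account keeps that identity. A reader who cleans it up straight after the restore, as the removed sentence allowed, would strip the restored account of its only identity for the key vault. Suggest replacing rather than deleting: keep a sentence saying the user-assigned identity must remain assigned until the account has been switched to a system-assigned identity or another identity with access to the key.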

@@ -563,9 +562,7 @@ The newly created user assigned identity is only needed during the restore and c
563562
564563
1. Once the restore has completed, the target (restored) account will have the user-assigned identity. If desired, user can update the account to use System-Assigned managed identity.
565564
566-
By default, when you trigger a restore for an account with user-assigned managed identity, the user-assigned identity will be passed to the target account automatically.
567565
568-
If desired, the user can also trigger a restore using a different user-assigned identity than the source account by specifying it in the restore parameters.
569566
570567
### [PowerShell / Azure Resource Manager template / Azure portal](#tab/azure-powershell+arm-template+azure-portal)
571568
