Merge branch 'main' into release-asr-edge-zone

Author: v-alje

.openpublishing.redirection.azure-monitor.json

@@ -5541,6 +5541,36 @@
             "source_path_from_root": "/articles/azure-monitor/logs/api/authentication-authorization.md",
             "redirect_url": "/azure/azure-monitor/logs/api/access-api",
             "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/app/java-2x-get-started.md",
+            "redirect_url": "/azure/azure-monitor/app/deprecated-java-2x",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/app/java-2x-trace-logs.md",
+            "redirect_url": "/azure/azure-monitor/app/deprecated-java-2x",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/app/java-2x-agent.md",
+            "redirect_url": "/azure/azure-monitor/app/deprecated-java-2x",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/app/java-2x-filter-telemetry.md",
+            "redirect_url": "/azure/azure-monitor/app/deprecated-java-2x",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/app/java-2x-collectd.md",
+            "redirect_url": "/azure/azure-monitor/app/deprecated-java-2x",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/app/java-2x-micrometer.md",
+            "redirect_url": "/azure/azure-monitor/app/deprecated-java-2x",
+            "redirect_document_id": false
         }
     ]
 }

.openpublishing.redirection.healthcare-apis.json

@@ -193,9 +193,9 @@
         "redirect_document_id": true
     },
     {
-        "source_path_from_root": "/articles/healthcare-apis/use-smart-on-fhir-proxy.md",
-        "redirect_url": "/azure/healthcare-apis/fhir/use-smart-on-fhir-proxy",
-        "redirect_document_id": true
+        "source_path_from_root": "/articles/healthcare-apis/azure-api-for-fhir/use-smart-on-fhir-proxy.md",
+        "redirect_url": "/azure/healthcare-apis/azure-api-for-fhir/smart-on-fhir",
+        "redirect_document_id": false
     },
     {
         "source_path_from_root": "/articles/healthcare-apis/fhir/use-custom-headers.md",
@@ -357,11 +357,6 @@
         "redirect_url": "/azure/healthcare-apis/azure-api-for-fhir/tutorial-web-app-write-web-app",
         "redirect_document_id": true
     },
-    {
-        "source_path_from_root": "/articles/healthcare-apis/fhir/use-smart-on-fhir-proxy.md",
-        "redirect_url": "/azure/healthcare-apis/azure-api-for-fhir/use-smart-on-fhir-proxy",
-        "redirect_document_id": true
-    },
     {
         "source_path_from_root": "/articles/healthcare-apis/data-transformation/de-identified-export.md",
         "redirect_url": "/azure/healthcare-apis/fhir/de-identified-export",

articles/active-directory-b2c/configure-authentication-sample-web-app.md

@@ -75,6 +75,7 @@ To create the web app registration, use the following steps:
 1. Under **Name**, enter a name for the application (for example, *webapp1*).
 1. Under **Supported account types**, select **Accounts in any identity provider or organizational directory (for authenticating users with user flows)**. 
 1. Under **Redirect URI**, select **Web** and then, in the URL box, enter `https://localhost:44316/signin-oidc`.
+1. Under **Implicit grant and hybrid flows**, select the **ID tokens (used for implicit and hybrid flows)** checkbox.
 1. Under **Permissions**, select the **Grant admin consent to openid and offline access permissions** checkbox.
 1. Select **Register**.
 1. Select **Overview**.

articles/active-directory/authentication/how-to-mfa-number-match.md

@@ -16,7 +16,7 @@ ms.collection: M365-identity-device-management
 This topic covers how to enable number matching in Microsoft Authenticator push notifications to improve user sign-in security.  
 
 >[!NOTE]
->Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator that will begin to be enabled by default for all users starting February 27, 2023.<br> 
+>Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator. We will remove the admin controls and enforce the number match experience tenant-wide for all users starting February 27, 2023.<br> 
 >We highly recommend enabling number matching in the near term for improved sign-in security.
 
 ## Prerequisites

articles/aks/nat-gateway.md

@@ -9,26 +9,25 @@ ms.author: juda
 
 # Managed NAT Gateway
 
-Whilst AKS customers are able to route egress traffic through an Azure Load Balancer, there are limitations on the amount of outbound flows of traffic that is possible. 
-
-Azure NAT Gateway allows up to 64,512 outbound UDP and TCP traffic flows per IP address with a maximum of 16 IP addresses.
-
-This article will show you how to create an AKS cluster with a Managed NAT Gateway for egress traffic.
+While you can route egress traffic through an Azure Load Balancer, there are limitations on the amount of outbound flows of traffic you can have. Azure NAT Gateway allows up to 64,512 outbound UDP and TCP traffic flows per IP address with a maximum of 16 IP addresses.
 
+This article shows you how to create an AKS cluster with a Managed NAT Gateway for egress traffic and how to disable OutboundNAT on Windows.
 
 ## Before you begin
 
-To use Managed NAT gateway, you must have the following:
+To use Managed NAT gateway, you must have the following prerequisites:
 
-* The latest version of the Azure CLI
+* The latest version of [Azure CLI][az-cli]
 * Kubernetes version 1.20.x or above
 
 ## Create an AKS cluster with a Managed NAT Gateway
-To create an AKS cluster with a new Managed NAT Gateway, use `--outbound-type managedNATGateway` as well as `--nat-gateway-managed-outbound-ip-count` and `--nat-gateway-idle-timeout` when running `az aks create`. The following example creates a *myresourcegroup* resource group, then creates a *natcluster* AKS cluster in *myresourcegroup* with a Managed NAT Gateway, two outbound IPs, and an idle timeout of 4 minutes.
 
+To create an AKS cluster with a new Managed NAT Gateway, use `--outbound-type managedNATGateway`, `--nat-gateway-managed-outbound-ip-count`, and `--nat-gateway-idle-timeout` when running `az aks create`. The following example creates a *myresourcegroup* resource group, then creates a *natcluster* AKS cluster in *myresourcegroup* with a Managed NAT Gateway, two outbound IPs, and an idle timeout of 4 minutes.
+
+To create an AKS cluster with a new Managed NAT Gateway, use `--outbound-type managedNATGateway`, `--nat-gateway-managed-outbound-ip-count`, and `--nat-gateway-idle-timeout` when running `az aks create`. The following example creates a *myResourceGroup* resource group, then creates a *natCluster* AKS cluster in *myResourceGroup* with a Managed NAT Gateway, two outbound IPs, and an idle timeout of 30 seconds.
 
 ```azurecli-interactive
-az group create --name myresourcegroup --location southcentralus
+az group create --name myResourceGroup --location southcentralus
 ```
 
 ```azurecli-interactive
@@ -45,7 +44,8 @@ az aks create \
 > If no value the outbound IP address is specified, the default value is one.
 
 ### Update the number of outbound IP addresses
-To update the outbound IP address or idle timeout, use `--nat-gateway-managed-outbound-ip-count` or `--nat-gateway-idle-timeout` when running `az aks update`. For example:
+
+To update the outbound IP address or idle timeout, use `--nat-gateway-managed-outbound-ip-count` or `--nat-gateway-idle-timeout` when running `az aks update`.
 
 ```azurecli-interactive
 az aks update \ 
@@ -55,68 +55,76 @@ az aks update \
 ```
 
 ## Create an AKS cluster with a user-assigned NAT Gateway
+
 To create an AKS cluster with a user-assigned NAT Gateway, use `--outbound-type userAssignedNATGateway` when running `az aks create`. This configuration requires bring-your-own networking (via [Kubenet][byo-vnet-kubenet] or [Azure CNI][byo-vnet-azure-cni]) and that the NAT Gateway is preconfigured on the subnet. The following commands create the required resources for this scenario. Make sure to run them all in the same session so that the values stored to variables are still available for the `az aks create` command.
 
-1. Create the resource group:
+1. Create the resource group.
+
     ```azurecli-interactive
-    az group create --name myresourcegroup \
+    az group create --name myResourceGroup \
         --location southcentralus
     ```
 
-2. Create a managed identity for network permissions and store the ID to `$IDENTITY_ID` for later use:
+2. Create a managed identity for network permissions and store the ID to `$IDENTITY_ID` for later use.
+
     ```azurecli-interactive
     IDENTITY_ID=$(az identity create \
-        --resource-group myresourcegroup \
-        --name natclusterid \
+        --resource-group myResourceGroup \
+        --name natClusterId \
         --location southcentralus \
         --query id \
         --output tsv)
     ```
 
-3. Create a public IP for the NAT gateway:
+3. Create a public IP for the NAT gateway.
+
     ```azurecli-interactive
     az network public-ip create \
-        --resource-group myresourcegroup \
-        --name mynatgatewaypip \
+        --resource-group myResourceGroup \
+        --name myNatGatewayPip \
         --location southcentralus \
         --sku standard
     ```
 
-4. Create the NAT gateway:
+4. Create the NAT gateway.
+
     ```azurecli-interactive
     az network nat gateway create \
-        --resource-group myresourcegroup \
-        --name mynatgateway \
+        --resource-group myResourceGroup \
+        --name myNatGateway \
         --location southcentralus \
-        --public-ip-addresses mynatgatewaypip
+        --public-ip-addresses myNatGatewayPip
     ```
 
-5. Create a virtual network:
+5. Create a virtual network.
+
     ```azurecli-interactive
     az network vnet create \
-        --resource-group myresourcegroup \
-        --name myvnet \
+        --resource-group myResourceGroup \
+        --name myVnet \
         --location southcentralus \
         --address-prefixes 172.16.0.0/20 
     ```
 
-6. Create a subnet in the virtual network using the NAT gateway and store the ID to `$SUBNET_ID` for later use:
+6. Create a subnet in the virtual network using the NAT gateway and store the ID to `$SUBNET_ID` for later use.
+
     ```azurecli-interactive
     SUBNET_ID=$(az network vnet subnet create \
-        --resource-group myresourcegroup \
-        --vnet-name myvnet \
-        --name natcluster \
+        --resource-group myResourceGroup \
+        --vnet-name myVnet \
+        --name natCluster \
         --address-prefixes 172.16.0.0/22 \
-        --nat-gateway mynatgateway \
+        --nat-gateway myNatGateway \
         --query id \
         --output tsv)
     ```
 
-7. Create an AKS cluster using the subnet with the NAT gateway and the managed identity:
+7. Create an AKS cluster using the subnet with the NAT gateway and the managed identity.
+
     ```azurecli-interactive
     az aks create \
-        --resource-group myresourcegroup \
-        --name natcluster \
+        --resource-group myResourceGroup \
+        --name natCluster \
         --location southcentralus \
         --network-plugin azure \
         --vnet-subnet-id $SUBNET_ID \
@@ -125,11 +133,76 @@ To create an AKS cluster with a user-assigned NAT Gateway, use `--outbound-type
         --assign-identity $IDENTITY_ID
     ```
 
-## Next Steps
-- For more information on Azure NAT Gateway, see [Azure NAT Gateway][nat-docs].
+## Disable OutboundNAT for Windows
 
-<!-- LINKS - internal -->
+Windows OutboundNAT can cause certain connection and communication issues with your AKS pods. Some of these issues include:
+
+* **Unhealthy backend status**: When you deploy an AKS cluster with [Application Gateway Ingress Control (AGIC)][agic] and [Application Gateway][app-gw] in different VNets, the backend health status becomes "Unhealthy." The outbound connectivity fails because the peered networked IP isn't present in the CNI config of the Windows nodes.
+* **Node port reuse**: Windows OutboundNAT uses port to translate your pod IP to your Windows node host IP, which can cause an unstable connection to the external service due to a port exhaustion issue.
+* **Invalid traffic routing to internal service endpoints**: When you create a load balancer service with `externalTrafficPolicy` set to *Local*, kube-proxy on Windows doesn't create the proper rules in the IPTables to route traffic to the internal service endpoints.
+
+Windows enables OutboundNAT by default. You can now manually disable OutboundNAT when creating new Windows agent pools.
+
+### Prerequisites
+
+* You need to use `aks-preview` and register the feature flag.
+
+  1. Install or update `aks-preview`.
+
+    ```azurecli
+    # Install aks-preview
+
+    az extension add --name aks-preview
+
+    # Update aks-preview
 
+    az extension update --name aks-preview
+    ```
+
+  2. Register the feature flag.
+
+    ```azurecli
+    az feature register --namespace Microsoft.ContainerService --name DisableWindowsOutboundNATPreview
+    ```
+
+  3. Check the registration status.
+
+    ```azurecli
+    az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/DisableWindowsOutboundNATPreview')].{Name:name,State:properties.state}"
+    ```
+
+  4. Refresh the registration of the `Microsoft.ContainerService` resource provider.
+
+    ```azurecli
+    az provider register --namespace Microsoft.ContainerService
+    ```
+
+* Your clusters must have a Managed NAT Gateway (which may increase the overall cost).
+* If you're using Kubernetes version 1.25 or older, you need to [update your deployment configuration][upgrade-kubernetes].
+* If you need to switch from a load balancer to NAT Gateway, you can either add a NAT Gateway into the VNet or run [`az aks upgrade`][aks-upgrade] to update the outbound type.
+
+### Manually disable OutboundNAT for Windows
+
+You can manually disable OutboundNAT for Windows when creating new Windows agent pools using `--disable-windows-outbound-nat`.
+
+> [!NOTE]
+> You can use an existing AKS cluster, but you may need to update the outbound type and add a node pool to enable `--disable-windows-outbound-nat`.
+
+```azurecli
+az aks nodepool add \
+    --resource-group myResourceGroup
+    --cluster-name natCluster
+    --name mynodepool
+    --node-count 3
+    --os-type Windows
+    --disable-windows-outbound-nat
+```
+
+## Next steps
+
+For more information on Azure NAT Gateway, see [Azure NAT Gateway][nat-docs].
+
+<!-- LINKS - internal -->
 
 <!-- LINKS - external-->
 [nat-docs]: ../virtual-network/nat-gateway/nat-overview.md
@@ -139,3 +212,8 @@ To create an AKS cluster with a user-assigned NAT Gateway, use `--outbound-type
 [byo-vnet-kubenet]: configure-kubenet.md
 [az-extension-add]: /cli/azure/extension#az_extension_add
 [az-extension-update]: /cli/azure/extension#az_extension_update
+[az-cli]: /cli/azure/install-azure-cli
+[agic]: ../application-gateway/ingress-controller-overview.md
+[app-gw]: ../application-gateway/overview.md
+[upgrade-kubernetes]:tutorial-kubernetes-upgrade-cluster.md
+[aks-upgrade]: /cli/azure/aks#az-aks-update

articles/aks/use-mariner.md

@@ -5,7 +5,7 @@ description: Learn how to use the Mariner container host on Azure Kubernetes Ser
 services: container-service
 ms.topic: article
 ms.custom: ignite-2022
-ms.date: 11/17/2022
+ms.date: 12/08/2022
 ---
 
 # Use the Mariner container host on Azure Kubernetes Service (AKS)
@@ -49,16 +49,15 @@ Mariner is available for use in the same regions as AKS.
 
 Mariner currently has the following limitations:
 
-* Mariner does not yet have image SKUs for GPU, ARM64, SGX, or FIPS.
-* Mariner does not yet have FedRAMP, FIPS, or CIS certification.
-* Mariner cannot yet be deployed through Azure portal or Terraform.
+* Mariner doesn't yet have image SKUs for GPU, ARM64, SGX, or FIPS.
+* Mariner doesn't yet have FedRAMP, FIPS, or CIS certification.
+* Mariner can't yet be deployed through the Azure portal.
 * Qualys, Trivy, and Microsoft Defender for Containers are the only vulnerability scanning tools that support Mariner today.
-* The Mariner container host is a Gen 2 image. Mariner does not plan to offer a Gen 1 SKU.
-* Node configurations are not yet supported.
-* Mariner is not yet supported in GitHub actions.
-* Mariner does not support AppArmor. Support for SELinux can be manually configured.
-* Some addons, extensions, and open-source integrations may not be supported yet on Mariner. Azure Monitor, Grafana, Helm, Key Vault, and Container Insights are confirmed to be supported.
-* AKS diagnostics does not yet support Mariner.
+* The Mariner container host is a Gen 2 image. Mariner doesn't plan to offer a Gen 1 SKU.
+* Node configurations aren't yet supported.
+* Mariner isn't yet supported in GitHub actions.
+* Mariner doesn't support AppArmor. Support for SELinux can be manually configured.
+* Some addons, extensions, and open-source integrations may not be supported yet on Mariner. Azure Monitor, Grafana, Helm, Key Vault, and Container Insights are supported.
 
 <!-- LINKS - Internal -->
 [mariner-doc]: https://microsoft.github.io/CBL-Mariner/docs/#cbl-mariner-linux