Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into vnet-encryption-patch

asudbring · asudbring · commit e3e6c12a1b1c · 2024-04-24T13:58:03.000-07:00
diff --git a/articles/api-management/credentials-how-to-azure-ad.md b/articles/api-management/credentials-how-to-azure-ad.md
@@ -127,7 +127,9 @@ On the **Connection** tab, complete the steps for your connection to the provide
     |**URL** for GET    |  /me/joinedTeams |
 
 1. Select **All operations**. In the **Inbound processing** section, select the (**</>**) (code editor) icon.
-1. Make sure the `provider-id` and `authorization-id` values in the `get-authorization-context` policy correspond to the names of the credential provider and connection, respectively, that you configured in the preceding steps. Select **Save**. 
+1. Copy and paste the following snippet. Update the `get-authorization-context` policy with the names of the credential provider and connection that you configured in the preceding steps, and select **Save**.
+    * Substitute your credential provider name as the value of `provider-id`
+    * Substitute your connection name as the value of `authorization-id`  
 
     ```xml
     <policies>
diff --git a/articles/azure-monitor/essentials/metrics-explorer.md b/articles/azure-monitor/essentials/metrics-explorer.md
@@ -5,7 +5,7 @@ author: EdB-MSFT
 ms.service: azure-monitor
 ms-author: edbaynash
 ms.topic: conceptual
-ms.date: 04/01/2024
+ms.date: 04/24/2024
 ms.reviewer: priyamishra
 
 # Customer intent: As an Azure Monitor user, I want to learn how to use Azure Monitor metrics explorer with PromQL.
@@ -30,9 +30,6 @@ The chart pane has two options for charting a metric:
 
 Adding a chart with the editor allows you to enter a PromQL query to retrieve metrics data. The editor provides syntax highlighting and intellisense for PromQL queries. Currently, queries are limited to the metrics stored in an Azure Monitor workspace. For more information on PromQL, see [Querying Prometheus](https://prometheus.io/docs/prometheus/latest/querying/basics/).
 
-> [!NOTE]
-> To write queries in the editor, the workspace must have at least one Azure Kubernetes Service (AKS) cluster or Azure Arc-enabled Kubernetes cluster connected to it.
-
 Adding a chart with the builder allows you to select metrics from any of your Azure resources. The builder provides a list of metrics available in the selected scope. Select the metric, aggregation type, and chart type from the builder. The builder can't be used to chart metrics stored in an Azure Monitor workspace.
 
 
diff --git a/articles/expressroute/expressroute-howto-routing-arm.md b/articles/expressroute/expressroute-howto-routing-arm.md
@@ -72,11 +72,11 @@ This section helps you create, get, update, and delete the Microsoft peering con
    ```azurepowershell-interactive
    Select-AzSubscription -SubscriptionId "<subscription ID>"
    ```
-1. Create an ExpressRoute circuit.
+2. Create an ExpressRoute circuit.
 
    Follow the instructions to create an [ExpressRoute circuit](expressroute-howto-circuit-arm.md) and have it provisioned by the connectivity provider. If your connectivity provider offers managed Layer 3 services, you can ask your connectivity provider to enable Microsoft peering for you. You won't need to follow instructions listed in the next sections. However, if your connectivity provider doesn't manage routing for you, after creating your circuit, continue your configuration using the next steps. 
 
-1. Check the ExpressRoute circuit to make sure it's provisioned and also enabled. Use the following example:
+3. Check the ExpressRoute circuit to make sure it's provisioned and also enabled. Use the following example:
 
    ```azurepowershell-interactive
    Get-AzExpressRouteCircuit -Name "ExpressRouteARMCircuit" -ResourceGroupName "ExpressRouteResourceGroup"
@@ -107,17 +107,21 @@ This section helps you create, get, update, and delete the Microsoft peering con
    ServiceKey                       : **************************************
    Peerings                         : []
    ```
-1. Configure Microsoft peering for the circuit. Make sure that you have the following information before you continue.
+4. Configure Microsoft peering for the circuit. Make sure that you have the following information before you continue.
 
-   * A /30 or /126 subnet for the primary link. The address block must be a valid public IPv4 or IPv6 prefix owned by you and registered in an RIR / IRR.
-   * A /30 or /126 subnet for the secondary link. The address block must be a valid public IPv4 or IPv6 prefix owned by you and registered in an RIR / IRR.
-   * A valid VLAN ID to establish this peering on. Ensure that no other peering in the circuit uses the same VLAN ID.
+    * A pair of subnets owned by you and registered in an RIR/IRR. One subnet is used for the primary link, while the other will be used for the secondary link. From each of these subnets, you assign the first usable IP address to your router as Microsoft uses the second usable IP for its router. You have three options for this pair of subnets:
+       * IPv4: Two /30 subnets. These must be valid public IPv4 prefixes.
+       * IPv6: Two /126 subnets. These must be valid public IPv6 prefixes.
+       * Both: Two /30 subnets and two /126 subnets.
+   * Microsoft peering enables you to communicate with the public IP addresses on Microsoft network. So, your traffic endpoints on your on-premises network should be public too. This is often done using SNAT. 
+   > [!NOTE]
+   > When using SNAT, we advise against a public IP address from the range assigned to primary or secondary link. Instead, you should use a different range of public IP addresses that has been assigned to you and registered in a Regional Internet Registry (RIR) or Internet Routing Registry (IRR). Depending on your call volume, this range can be as small as a single IP address (represented as '/32' for IPv4 or '/128' for IPv6).
+   * A valid VLAN ID to establish this peering on. Ensure that no other peering in the circuit uses the same VLAN ID. For both Primary and Secondary links you must use the same VLAN ID.
    * AS number for peering. You can use both 2-byte and 4-byte AS numbers.
-   * Advertised prefixes: You provide a list of all prefixes you plan to advertise over the BGP session. Only public IP address prefixes are accepted. If you plan to send a set of prefixes, you can send a comma-separated list. These prefixes must be registered to you in an RIR / IRR. IPv4 BGP sessions require IPv4 advertised prefixes and IPv6 BGP sessions require IPv6 advertised prefixes. 
+   * Advertised prefixes: You provide a list of all prefixes you plan to advertise over the BGP session. Only public IP address prefixes are accepted. If you plan to send a set of prefixes, you can send a comma-separated list. These prefixes must be registered to you in an RIR / IRR.
+   * **Optional -** Customer ASN: If you're advertising prefixes not registered to the peering AS number, you can specify the AS number to which they're registered with.
    * Routing Registry Name: You can specify the RIR / IRR against which the AS number and prefixes are registered.
-   * Optional:
-     * Customer ASN: If you're advertising prefixes not registered to the peering AS number, you can specify the AS number to which they're registered with.
-     * An MD5 hash if you choose to use one.
+   * **Optional -** An MD5 hash if you choose to use one.
 
 > [!IMPORTANT]
 > Microsoft verifies if the specified 'Advertised public prefixes' and 'Peer ASN' (or 'Customer ASN') are assigned to you in the Internet Routing Registry. If you are getting the public prefixes from another entity and if the assignment is not recorded with the routing registry, the automatic validation will not complete and will require manual validation. If the automatic validation fails, you will see 'AdvertisedPublicPrefixesState' as 'Validation needed' on the output of "Get-AzExpressRouteCircuitPeeringConfig" (see "To get Microsoft peering details" in the following section). 
@@ -194,11 +198,11 @@ This section helps you create, get, update, and delete the Azure private peering
    ```azurepowershell-interactive
    Select-AzSubscription -SubscriptionId "<subscription ID>"
    ```
-1. Create an ExpressRoute circuit.
+2. Create an ExpressRoute circuit.
 
    Follow the instructions to create an [ExpressRoute circuit](expressroute-howto-circuit-arm.md) and have it provisioned by the connectivity provider. If your connectivity provider offers managed Layer 3 services, you can ask your connectivity provider to enable Azure private peering for you. You won't need to follow instructions listed in the next sections. However, if your connectivity provider doesn't manage routing for you, after creating your circuit, continue your configuration using the next steps.
 
-1. Check the ExpressRoute circuit to make sure it's provisioned and also enabled. Use the following example:
+3. Check the ExpressRoute circuit to make sure it's provisioned and also enabled. Use the following example:
 
    ```azurepowershell-interactive
    Get-AzExpressRouteCircuit -Name "ExpressRouteARMCircuit" -ResourceGroupName "ExpressRouteResourceGroup"
@@ -229,21 +233,16 @@ This section helps you create, get, update, and delete the Azure private peering
    ServiceKey                       : **************************************
    Peerings                         : []
    ```
-1. Configure Microsoft peering for the circuit. Make sure that you have the following information before you continue.
+4. Configure Azure private peering for the circuit. Make sure that you have the following items before you continue with the next steps:
 
-   * A pair of subnets owned by you and registered in an RIR/IRR. One subnet is used for the primary link, while the other will be used for the secondary link. From each of these subnets, you assign the first usable IP address to your router as Microsoft uses the second usable IP for its router. You have three options for this pair of subnets:
-       * IPv4: Two /30 subnets. These must be valid public IPv4 prefixes.
-       * IPv6: Two /126 subnets. These must be valid public IPv6 prefixes.
+   * A pair of subnets that aren't part of any address space reserved for virtual networks. One subnet is used for the primary link, while the other is used for the secondary link. From each of these subnets, you assign the first usable IP address to your router as Microsoft uses the second usable IP for its router. You have three options for this pair of subnets:
+       * IPv4: Two /30 subnets.
+       * IPv6: Two /126 subnets.
        * Both: Two /30 subnets and two /126 subnets.
-   * Microsoft peering enables you to communicate with the public IP addresses on Microsoft network. So, your traffic endpoints on your on-premises network should be public too. This is often done using SNAT. 
-   > [!NOTE]
-   > When using SNAT, we advise against a public IP address from the range assigned to primary or secondary link. Instead, you should use a different range of public IP addresses that has been assigned to you and registered in a Regional Internet Registry (RIR) or Internet Routing Registry (IRR). Depending on your call volume, this range can be as small as a single IP address (represented as '/32' for IPv4 or '/128' for IPv6).
-   * A valid VLAN ID to establish this peering on. Ensure that no other peering in the circuit uses the same VLAN ID. For both Primary and Secondary links you must use the same VLAN ID.
-   * AS number for peering. You can use both 2-byte and 4-byte AS numbers.
-   * Advertised prefixes: You provide a list of all prefixes you plan to advertise over the BGP session. Only public IP address prefixes are accepted. If you plan to send a set of prefixes, you can send a comma-separated list. These prefixes must be registered to you in an RIR / IRR.
-   * **Optional -** Customer ASN: If you're advertising prefixes not registered to the peering AS number, you can specify the AS number to which they're registered with.
-   * Routing Registry Name: You can specify the RIR / IRR against which the AS number and prefixes are registered.
-   * **Optional -** An MD5 hash if you choose to use one.
+   * A valid VLAN ID to establish this peering on. Ensure that no other peering in the circuit uses the same VLAN ID.
+   * AS number for peering. You can use both 2-byte and 4-byte AS numbers. You can use a private AS number for this peering. Ensure that you aren't using 65515.
+   * Optional:
+     * An MD5 hash if you choose to use one.
 
    Use the following example to configure Azure private peering for your circuit:
 
diff --git a/articles/expressroute/howto-routing-cli.md b/articles/expressroute/howto-routing-cli.md
@@ -5,7 +5,7 @@ services: expressroute
 author: duongau
 ms.service: expressroute
 ms.topic: how-to
-ms.date: 09/15/2023
+ms.date: 04/22/2024
 ms.author: duau
 ms.custom: devx-track-azurecli
 ---
@@ -98,12 +98,17 @@ This section helps you create, get, update, and delete the Microsoft peering con
 
 4. Configure Microsoft peering for the circuit. Make sure that you have the following information before you continue.
 
-   * A /30 subnet for the primary link. The address block must be a valid public IPv4 prefix owned by you and registered in an RIR / IRR.
-   * A /30 subnet for the secondary link. The address block must be a valid public IPv4 prefix owned by you and registered in an RIR / IRR.
-   * A valid VLAN ID to establish this peering on. Ensure that no other peering in the circuit uses the same VLAN ID.
+   * A pair of subnets owned by you and registered in an RIR/IRR. One subnet is used for the primary link, while the other will be used for the secondary link. From each of these subnets, you assign the first usable IP address to your router as Microsoft uses the second usable IP for its router. You have three options for this pair of subnets:
+       * IPv4: Two /30 subnets. These must be valid public IPv4 prefixes.
+       * IPv6: Two /126 subnets. These must be valid public IPv6 prefixes.
+       * Both: Two /30 subnets and two /126 subnets.
+   * Microsoft peering enables you to communicate with the public IP addresses on Microsoft network. So, your traffic endpoints on your on-premises network should be public too. This is often done using SNAT. 
+   > [!NOTE]
+   > When using SNAT, we advise against a public IP address from the range assigned to primary or secondary link. Instead, you should use a different range of public IP addresses that has been assigned to you and registered in a Regional Internet Registry (RIR) or Internet Routing Registry (IRR). Depending on your call volume, this range can be as small as a single IP address (represented as '/32' for IPv4 or '/128' for IPv6).
+   * A valid VLAN ID to establish this peering on. Ensure that no other peering in the circuit uses the same VLAN ID. For both Primary and Secondary links you must use the same VLAN ID.
    * AS number for peering. You can use both 2-byte and 4-byte AS numbers.
-   * Advertised prefixes: Provide a list of all prefixes you plan to advertise over the BGP session. Only public IP address prefixes are accepted. If you plan to send a set of prefixes, you can send a comma-separated list. These prefixes must be registered to you in an RIR / IRR.
-   * **Optional -** Customer ASN: If you're advertising prefixes that are not registered to the peering AS number, you can specify the AS number to which they're registered with.
+   * Advertised prefixes: You provide a list of all prefixes you plan to advertise over the BGP session. Only public IP address prefixes are accepted. If you plan to send a set of prefixes, you can send a comma-separated list. These prefixes must be registered to you in an RIR / IRR.
+   * **Optional -** Customer ASN: If you're advertising prefixes not registered to the peering AS number, you can specify the AS number to which they're registered with.
    * Routing Registry Name: You can specify the RIR / IRR against which the AS number and prefixes are registered.
    * **Optional -** An MD5 hash if you choose to use one.
 
diff --git a/articles/iot-edge/how-to-provision-devices-at-scale-linux-tpm.md b/articles/iot-edge/how-to-provision-devices-at-scale-linux-tpm.md
@@ -257,7 +257,7 @@ nano ~/config.toml
    [provisioning]
    source = "dps"
    global_endpoint = "https://global.azure-devices-provisioning.net"
-   id_scope = "SCOPE_ID_HERE"
+   id_scope = "DPS_ID_SCOPE_HERE"
 
    # Uncomment to send a custom payload during DPS registration
    # payload = { uri = "PATH_TO_JSON_FILE" }
diff --git a/articles/logic-apps/connectors/sap.md b/articles/logic-apps/connectors/sap.md
@@ -1170,6 +1170,57 @@ You can control this tracing capability at the application level by adding the f
    > If you download a log or trace file that your logic app workflow opened 
    > and is currently in use, your download might result in an empty file.
 
+## Enable SAP Common Crypto Library (CCL) tracing (built-in connector only)
+
+If you have to investigate any problems with the crypto library while using SNC authentication, you can set up custom text file-based CCL tracing. You can use these CCL logs to troubleshoot SNC authentication issues, or share them with Microsoft or SAP support, if requested. By default, this capability is disabled because enabling this trace might negatively affect performance and quickly consume the application host's storage space.
+
+You can control this tracing capability at the application level by adding the following settings:
+
+1. In the [Azure portal](https://portal.azure.com), open your Standard logic app resource.
+
+1. On Standard logic app resource menu, under **Development Tools**, select **Advanced Tools** > **Go**.
+
+1. On the **Kudu** toolbar, select **Debug Console** > **CMD**.
+
+1. Browse to a location under **C:\home\site\wwwroot**, and create a text file, for example: **CCLPROFILE.txt**.
+
+   For more information about logging parameters, see [**Tracing** > SAP NOTE 2338952](https://me.sap.com/notes/2338952/E). The following sample provides an example tracing configuration:
+   
+   ```
+   ccl/trace/directory=C:\home\LogFiles\CCLLOGS
+   ccl/trace/level=4
+   ccl/trace/rotatefilesize=10000000
+   ccl/trace/rotatefilenumber=10
+   ```
+   
+1. On the logic app menu, under **Settings**, select **Environment variables** to review the application settings.
+
+1. On the **Environment variables** page, on the **App settings** tab, add the following application setting:
+
+   **CCL_PROFILE**: The directory where **CCLPROFILE.txt** was created, for example, **C:\home\site\wwwroot\CCLPROFILE.txt**.
+
+1. Save your changes. This step restarts the application.
+
+### View the trace
+
+1. On Standard logic app resource menu, under **Development Tools**, select **Advanced Tools** > **Go**.
+
+1. On the **Kudu** toolbar, select **Debug Console** > **CMD**.
+
+1. Browse to the folder for the parameter named **$ccl/trace/directory** from **CCLPROFILE.txt**. 
+
+    Usually, the trace files are named **sec-Microsoft.Azure.Work-$processId.trc** and **sec-sapgenpse.exe-$processId.trc**.
+
+   Your logic app workflow performs SNC authentication as a two-step process:
+
+   1. Your logic app workflow invokes **sapgenpse.exe** to generate a **cred_v2** file from the PSE file.
+   
+      You can find the traces related to this step in a file named **sec-sapgenpse.exe-$processId.trc**.
+
+   1. Your logic app workflow authenticates access to your SAP server by consuming the generated **cred_v2** file, with the SAP client library invoking the common crypto library.
+
+       You can find the traces related to this step in a file named **sec-Microsoft.Azure.Work-$processId.trc**.
+
 ## Send SAP telemetry for on-premises data gateway to Azure Application Insights
 
 With the August 2021 update for the on-premises data gateway, SAP connector operations can send telemetry data from the SAP NCo client library and traces from the Microsoft SAP Adapter to [Application Insights](../../azure-monitor/app/app-insights-overview.md), which is a capability in Azure Monitor. This telemetry primarily includes the following data:
