MicrosoftDocs
diff --git a/‎.openpublishing.redirection.json
Lines changed: 30 additions & 0 deletions b/‎.openpublishing.redirection.json
Lines changed: 30 additions & 0 deletions
diff --git a/‎articles/application-gateway/application-gateway-tls-version-retirement.md
Lines changed: 37 additions & 4 deletions b/‎articles/application-gateway/application-gateway-tls-version-retirement.md
Lines changed: 37 additions & 4 deletions
diff --git a/‎articles/cdn/classic-cdn-retirement-faq.md
Lines changed: 5 additions & 1 deletion b/‎articles/cdn/classic-cdn-retirement-faq.md
Lines changed: 5 additions & 1 deletion
diff --git a/‎articles/expressroute/TOC.yml
Lines changed: 5 additions & 23 deletions b/‎articles/expressroute/TOC.yml
Lines changed: 5 additions & 23 deletions
diff --git a/‎articles/expressroute/expressroute-howto-circuit-resource-manager-template.md
Lines changed: 6 additions & 14 deletions b/‎articles/expressroute/expressroute-howto-circuit-resource-manager-template.md
Lines changed: 6 additions & 14 deletions
@@ -4034,6 +4034,36 @@
       "redirect_url": "/azure/expressroute/expressroute-howto-linkvnet-cli",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/expressroute/quickstart-create-expressroute-vnet-template.md",
+      "redirect_url": "/azure/expressroute/expressroute-howto-circuit-resource-manager-template",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/expressroute/expressroute-howto-expressroute-direct-cli.md",
+      "redirect_url": "/azure/expressroute/how-to-expressroute-direct-portal",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/expressroute/expressroute-howto-erdirect.md",
+      "redirect_url": "/azure/expressroute/how-to-expressroute-direct-portal",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/expressroute/how-to-routefilter-cli.md",
+      "redirect_url": "/azure/expressroute/how-to-routefilter-portal",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/expressroute/how-to-routefilter-powershell.md",
+      "redirect_url": "/azure/expressroute/how-to-routefilter-portal",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/expressroute/work-remotely-support.md",
+      "redirect_url": "/azure/networking/working-remotely-support",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/expressroute/working-remotely-support.md",
       "redirect_url": "/azure/expressroute/work-remotely-support",
 
@@ -5,7 +5,7 @@ services: application gateway
 author: jaesoni
 ms.service: azure-application-gateway
 ms.topic: concept-article
-ms.date: 07/29/2025
+ms.date: 07/31/2025
 ms.author: mbender
 ms.custom:
   - build-2025
@@ -14,7 +14,7 @@ ms.custom:
 
 # Managing your Application Gateway with TLS 1.0 and 1.1 retirement
 
-Starting **31st August 2025**, Azure Application Gateway will no longer support **TLS (Transport Layer Security) versions 1.0 and 1.1**. This change aligns with the [Azure-wide retirement](https://azure.microsoft.com/updates?id=update-retirement-tls1-0-tls1-1-versions-azure-services) of these TLS versions to enhance the security. As the owner of an Application Gateway resource, you should review both the Frontend clients and Backend servers TLS connections that may be using these older versions.
+On **31st August 2025**, Azure Application Gateway will no longer support **TLS (Transport Layer Security) versions 1.0 and 1.1**. This change aligns with the [Azure-wide retirement](https://azure.microsoft.com/updates?id=update-retirement-tls1-0-tls1-1-versions-azure-services) of these TLS versions to enhance the security. As the owner of an Application Gateway resource, you should review both the Frontend clients and Backend servers TLS connections that can be using these older versions.
 
 ## Frontend TLS connections
 
@@ -29,7 +29,7 @@ With deprecation of TLS versions 1.0 and 1.1, the **older Predefined TLS policie
 
 ### Predefined policies for V2 SKUs
 
-The predefined policies 20150501 and 20170401 that support TLS v1.0 and 1.1 will be discontinued and can no longer be associated with an Application Gateway resource after August 2025. It's advised to transition to one of the recommended TLS policies, 20220101 or 20220101S. Alternatively, the 20170401S policy may be used if specific cipher suites are required. 
+The predefined policies 20150501 and 20170401 that support TLS v1.0 and 1.1 will be discontinued and can no longer be associated with an Application Gateway resource after August 2025. Transition to one of the recommended TLS policies, 20220101 or 20220101S is advised. Alternatively, the 20170401S policy can be used if specific cipher suites are required. 
 
 ![A diagram showing predefined policies for V2 SKUs.](media/application-gateway-tls-version-retirement/v2-retiring-tls-policies.png)
 
@@ -102,11 +102,44 @@ To determine whether clients connecting to your Application Gateway resource are
 You can also check the [Application Gateway Access logs](monitor-application-gateway-reference.md#access-log-category) to view this information in log format.
 
 > [!NOTE]
-> The metrics and logs for the V1 SKUs do not provide client TLS protocol information.
+> The metrics and logs for the V1 SKUs don't provide client TLS protocol information.
 
 ### Error information
 Once support for TLS versions 1.0 and 1.1 is discontinued, clients may encounter errors such as `curl: (35) error:0A000410:SSL routines::sslv3 alert handshake failure`. Depending on the browser being used, various messages indicating TLS handshake failures may be displayed.
 
+## FAQs
+
+### What does a default TLS policy mean?
+A default TLS policy for Application Gateway is a packaged set of supported TLS versions and cipher suites. This allows customers to begin using secured traffic by only configuring HTTPS or TLS listeners and backend settings, without any extra configuration for TLS version or ciphers. Application Gateway uses one of its predefined policies as the default.
+
+### How will the default TLS policies be impacted after legacy TLS versions 1.0 and 1.1 retirement?
+Until September 2025, V2 SKUs utilize two [default TLS policies](application-gateway-ssl-policy-overview.md#default-tls-policy) based on the API version specified during resource deployment. Deployments using API version **2023-02-01 or later** apply `AppGwSslPolicy20220101` by default, while earlier API versions use `AppGwSslPolicy20150501`. With the deprecation of TLS 1.0 and 1.1, the older `AppGwSslPolicy20150501` policy, will be discontinued. So, `AppGwSslPolicy20220101` will become the default policy for all V2 gateways.
+
+The default policy for the V1 SKU will remain unchanged since `AppGwSslPolicy20220101` won't be introduced for this retiring SKU.
+
+> [!NOTE]
+> A default TLS policy is applied only when the "Default" option is selected in the Portal or when no TLS policy is specified within the resource configuration by means such as REST, PowerShell, or AzCLI.
+> 
+> Accordingly, using a default policy in configuration isn't same as explicitly selecting `AppGwSslPolicy20150501` policy, even if `AppGwSslPolicy20150501` is the default policy for your API version.
+
+### Which TLS policies in Application Gateway are getting deprecated?
+The predefined policies `AppGwSslPolicy20150501` and `AppGwSslPolicy20170401` that support TLS versions 1.0 and 1.1 will be removed from the Azure Resource Manager configuration. Similarly, the Custom policy will stop supporting TLS versions 1.0 and 1.1 along with their associated cipher suites. This applies to both V1 and V2 SKUs.
+
+### Will Application Gateway product team automatically update the configuration to a supported TLS policy? 
+Application Gateway won't modify any resource having customer-defined TLS configurations. Only the default TLS policy for gateways that have not explicitly set a TLS policy or lack any TLS-related settings (such as HTTPS or TLS listeners) will be automatically updated to use `AppGwSslPolicy20220101`.
+
+### Will my gateway go in a Failed state?
+If you have chosen any deprecating TLS policy in the configuration of your gateway and don’t update it to a supported policy by August 2025, your gateway will enter a Failed state when performing a configuration update.
+
+A nonfunctional TLS configuration, such a SSLProfile not linked to any listener, won't have any impact on the control plane of the gateway.
+
+### How is the release for this change planned?
+Given the scale of our fleet, after 30 August 2025, the deprecation of TLS versions will be implemented separately for the Data and Control Planes (in that order). Any region-specific details won't be available; therefore, we strongly advise you to take all necessary actions before this retirement date.
+
+### Is there any potential impact if I haven’t selected any TLS policy and my gateway uses only HTTP/TCP configurations?
+If your gateway doesn't use any TLS configuration—either through SSLPolicy, SSLProfile, HTTPS, or TLS Listeners—there will be no impact after August 2025.
+
+
 
 ## Next steps
 
 
@@ -19,6 +19,10 @@ Azure Front Door introduced two new tiers named Standard and Premium on March 29
 
 In our ongoing efforts to provide the best product experience and streamline our portfolio of products and tiers, we're announcing the retirement of the Azure CDN Standard from Microsoft (classic) tier. This retirement will affect the public cloud and the Azure Government regions of Arizona and Texas, effective September 30, 2027. We strongly recommend all users of Azure CDN Standard from Microsoft (classic) to transition to Azure Front Door Standard and Premium.  
 
+> [!IMPORTANT]
+> - Starting August 15, 2025, Azure CDN from Microsoft (classic) will no longer support new domain onboarding or profile creation. Migrate to [AFD Standard and Premium](/azure/cdn/migrate-tier?toc=%2Fazure%2Ffrontdoor%2Ftoc.json) to create new domains or profiles and avoid service disruption. [Learn more](https://azure.microsoft.com/updates?id=498522)
+> - Starting August 15, 2025, Azure CDN from Microsoft (classic) will no longer support Managed certificates. To avoid service disruption, either [switch to Bring Your Own Certificate (BYOC)](/azure/cdn/cdn-custom-ssl?toc=%2Fazure%2Ffrontdoor%2Ftoc.json&tabs=option-1-default-enable-https-with-a-cdn-managed-certificate) or migrate to [AFD Standard and Premium](/azure/cdn/migrate-tier?toc=%2Fazure%2Ffrontdoor%2Ftoc.json) by this date. Existing managed certificates will be auto renewed before August 15, 2025, and remain valid until April 14, 2026. [Learn more](https://azure.microsoft.com/updates?id=498522)
+
 ## Frequently asked questions
 
 ### When is the retirement for Azure CDN Standard from Microsoft (classic)?
@@ -76,7 +80,7 @@ Currently, Azure CDN Standard from Microsoft (classic) retirement affects the pu
 
 ### Can I make updates to Azure CDN Standard from Microsoft (classic) resources?
 
-You can still update your existing Azure CDN Standard from Microsoft (classic) resources using the Azure portal, Terraform, and all command line tools until September 30, 2027. However, you won't be able to create new Azure CDN Standard from Microsoft (classic) resources starting October 1, 2025. We strongly recommend you migrate to Azure Front Door Standard or Premium tier as soon as possible. 
+You can still update your existing Azure CDN Standard from Microsoft (classic) resources using the Azure portal, Terraform, and all command line tools until September 30, 2027. Starting August 15, 2025, Azure CDN from Microsoft (classic) will no longer support new resource creation or new domain onboarding or Managed certificates. We strongly recommend you migrate to Azure Front Door Standard or Premium tier as soon as possible. 
 
 ### Can I roll back to Azure CDN Standard from Microsoft (classic) after migration?
 
 
@@ -40,10 +40,8 @@
           href: howto-circuit-cli.md
         - name: Create an ExpressRoute circuit - Bicep
           href: quickstart-create-expressroute-vnet-bicep.md
-          displayName: ARM, Resource Manager, Template
         - name: Create an ExpressRoute circuit - ARM template
-          href: quickstart-create-expressroute-vnet-template.md
-          displayName: Resource Manager
+          href: expressroute-howto-circuit-resource-manager-template.md 
         - name: Create an ExpressRoute circuit - Terraform
           href: quickstart-create-expressroute-vnet-terraform.md
 - name: Configure
@@ -93,13 +91,7 @@
             - name: Routing Microsoft 365 traffic over ExpressRoute
               href: /microsoft-365/enterprise/azure-expressroute?toc=/azure/expressroute/TOC.json
             - name: Configure route filters for Microsoft peering
-              items:
-                - name: Azure portal
-                  href: how-to-routefilter-portal.md
-                - name: Azure PowerShell
-                  href: how-to-routefilter-powershell.md
-                - name: Azure CLI
-                  href: how-to-routefilter-cli.md
+              href: how-to-routefilter-portal.md
             - name: QoS requirements
               href: expressroute-qos.md
             - name: Routing Microsoft PSTN traffic over ExpressRoute
@@ -157,13 +149,7 @@
         - name: Overview
           href: expressroute-erdirect-about.md
         - name: Configure ExpressRoute Direct
-          items:
-            - name: Azure portal
-              href: how-to-expressroute-direct-portal.md
-            - name: Azure PowerShell
-              href: expressroute-howto-erdirect.md
-            - name: Azure CLI
-              href: expressroute-howto-expressroute-direct-cli.md
+          href: how-to-expressroute-direct-portal.md
         - name: Configure MACsec for ExpressRoute Direct ports
           href: expressroute-howto-macsec.md
         - name: Rate limit for ExpressRoute Direct circuit
@@ -284,12 +270,8 @@
           href: planned-maintenance.md
         - name: Configure controlled gateway maintenance
           href: customer-controlled-gateway-maintenance.md
-    - name: Work remotely
-      items:
-        - name: Support for working remotely
-          href: ../networking/working-remotely-support.md?toc=/azure/expressroute/toc.json
-        - name: Hybrid connectivity for remote users
-          href: work-remotely-support.md
+    - name: Support for working remotely
+      href: ../networking/working-remotely-support.md?toc=/azure/expressroute/toc.json
 - name: Troubleshoot
   items:
     - name: Troubleshoot gateway migration
 
@@ -6,27 +6,19 @@ author: duongau
 
 ms.service: azure-expressroute
 ms.topic: how-to
-ms.date: 11/13/2019
-ms.author: duau 
+ms.date: 07/10/2025
+ms.author: duau
 ms.custom: devx-track-azurepowershell, devx-track-arm-template
 ---
 
 # Create an ExpressRoute circuit by using Azure Resource Manager template
 
-> [!div class="op_single_selector"]
-> * [Azure portal](expressroute-howto-circuit-portal-resource-manager.md)
-> * [PowerShell](expressroute-howto-circuit-arm.md)
-> * [Azure CLI](howto-circuit-cli.md)
-> * [Azure Resource Manager template](expressroute-howto-circuit-resource-manager-template.md)
-> * [PowerShell (classic)](expressroute-howto-circuit-classic.md)
->
-
 Learn how to create an ExpressRoute circuit by deploying an Azure Resource Manager template by using Azure PowerShell. For more information on developing Resource Manager templates, see [Resource Manager documentation](../azure-resource-manager/index.yml) and the [template reference](/azure/templates/microsoft.network/expressroutecircuits).
 
 ## Before you begin
 
 * Review the [prerequisites](expressroute-prerequisites.md) and [workflows](expressroute-workflows.md) before you begin configuration.
-* Ensure that you have permissions to create new networking resources. Contact your account administrator if you do not have the right permissions.
+* Ensure that you have permissions to create new networking resources. Contact your account administrator if you don't have the right permissions.
 
 ## <a name="create"></a>Create and provision an ExpressRoute circuit
 
@@ -59,10 +51,10 @@ To create an ExpressRoute Circuit by deploying a template:
 
    * **SKU tier** determines whether an ExpressRoute circuit is [Local](expressroute-faqs.md#expressroute-local), Standard, or [Premium](expressroute-faqs.md#expressroute-premium). You can specify *Local*, *Standard, or *Premium*.
    * **SKU family** determines the billing type. You can specify *Metereddata* for a metered data plan and *Unlimiteddata* for an unlimited data plan. You can change the billing type from *Metereddata* to *Unlimiteddata*, but you can't change the type from *Unlimiteddata* to *Metereddata*. A *Local* circuit is *Unlimiteddata* only.
-   * **Peering Location** is the physical location where you are peering with Microsoft.
+   * **Peering Location** is the physical location where you're peering with Microsoft.
 
      > [!IMPORTANT]
-     > The Peering Location indicates the [physical location](expressroute-locations.md) where you are peering with Microsoft. This is **not** linked to "Location" property, which refers to the geography where the Azure Network Resource Provider is located. While they are not related, it is a good practice to choose a Network Resource Provider geographically close to the Peering Location of the circuit.
+     > The Peering Location indicates the [physical location](expressroute-locations.md) where you're peering with Microsoft. This Peering Location is **not** linked to "Location" property, which refers to the geography where the Azure Network Resource Provider is located. While they aren't related, it's a good practice to choose a Network Resource Provider geographically close to the Peering Location of the circuit.
 
     The resource group name is the service bus namespace name with **rg** appended.
 
@@ -83,7 +75,7 @@ You can delete your ExpressRoute circuit by selecting the **delete** icon. Note
 
 * You must unlink all virtual networks from the ExpressRoute circuit. If this operation fails, check whether any virtual networks are linked to the circuit.
 * If the ExpressRoute circuit service provider provisioning state is **Provisioning** or **Provisioned** you must work with your service provider to deprovision the circuit on their side. We continue to reserve resources and bill you until the service provider completes deprovisioning the circuit and notifies us.
-* If the service provider has deprovisioned the circuit (the service provider provisioning state is set to **Not provisioned**), you can delete the circuit. This stops billing for the circuit.
+* Once the service provider provisioning state is set to **Not provisioned**, you can delete the circuit. Once the circuit is deleted, its billing will also stop.
 
 You can delete your ExpressRoute circuit by running the following PowerShell command: