Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into sanAKS

Author: roygara

articles/active-directory-b2c/partner-azure-web-application-firewall.md

@@ -1,102 +1,104 @@
 ---
 title: Tutorial to configure Azure Active Directory B2C with Azure Web Application Firewall
 titleSuffix: Azure AD B2C
-description: Tutorial to configure Azure Active Directory B2C with Azure Web application firewall to protect your applications from malicious attacks 
+description: Learn to configure Azure AD B2C with Azure Web Application Firewall to protect applications from malicious attacks 
 services: active-directory-b2c
 author: gargi-sinha
-manager: CelesteDG
+manager: martinco
 ms.reviewer: kengaderdus
-
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 08/17/2021
+ms.date: 03/08/2023
 ms.author: gasinh
 ms.subservice: B2C
 ---
 
-# Tutorial: Configure Azure Web Application Firewall with Azure Active Directory B2C
+# Tutorial: Configure Azure Active Directory B2C with Azure Web Application Firewall
 
-In this sample tutorial, learn how to enable [Azure Web Application Firewall (WAF)](https://azure.microsoft.com/services/web-application-firewall/#overview) solution for Azure Active Directory (AD) B2C tenant with custom domain. Azure WAF provides centralized protection of your web applications from common exploits and vulnerabilities.
+Learn how to enable the Azure Web Application Firewall (WAF) service for an Azure Active Directory B2C (Azure AD B2C) tenant, with a custom domain. WAF protects web applications from common exploits and vulnerabilities.
 
->[!NOTE]
->This feature is in public preview.
+See, [What is Azure Web Application Firewall?](../web-application-firewall/overview.md)
 
 ## Prerequisites
 
-To get started, you'll need:
-
-- An Azure subscription – If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-
-- [An Azure AD B2C tenant](tutorial-create-tenant.md) – The authorization server, responsible for verifying the user’s credentials using the custom policies defined in the tenant.  It's also known as the identity provider.
+To get started, you need:
 
-- [Azure Front Door (AFD)](../frontdoor/index.yml) – Responsible for enabling custom domains for Azure AD B2C tenant.  
+* An Azure subscription
+* If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/)
+* **An Azure AD B2C tenant** – authorization server that verifies user credentials using custom policies defined in the tenant
+  * Also known as the identity provider (IdP)
+  * See, [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md) 
+* **Azure Front Door (AFD)** – enables custom domains for the Azure AD B2C tenant
+  * See, [Azure Front Door and CDN documentation](../frontdoor/index.yml)
+* **WAF** – manages traffic sent to the authorization server
+  * [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/#overview)
 
-- [Azure WAF](https://azure.microsoft.com/services/web-application-firewall/#overview) – Manages all traffic that is sent to the authorization server.
+## Custom domains in Azure AD B2C
 
-## Azure AD B2C setup
+To use custom domains in Azure AD B2C, use the custom domain features in AFD. See, [Enable custom domains for Azure AD B2C](./custom-domain.md?pivots=b2c-user-flow).  
 
-To use custom domains in Azure AD B2C, it's required to use custom domain feature provided by AFD. Learn how to [enable Azure AD B2C custom domains](./custom-domain.md?pivots=b2c-user-flow).  
+   > [!IMPORTANT]
+   > After you configure the custom domain, see [Test your custom domain](./custom-domain.md?pivots=b2c-custom-policy#test-your-custom-domain).  
 
-After custom domain for Azure AD B2C is successfully configured using AFD, [test the custom domain](./custom-domain.md?pivots=b2c-custom-policy#test-your-custom-domain) before proceeding further.  
+## Enable WAF
 
-## Onboard with Azure WAF
-
-To enable Azure WAF, configure a WAF policy and associate that policy to the AFD for protection.
+To enable WAF, configure a WAF policy and associate it with the AFD for protection.
 
 ### Create a WAF policy
 
-Create a basic WAF policy with managed Default Rule Set (DRS) in the [Azure portal](https://portal.azure.com).
-
-1. Go to the [Azure portal](https://portal.azure.com). Select **Create a resource** and then search for Azure WAF. Select **Azure Web Application Firewall (WAF)** > **Create**.
+Create a WAF policy with Azure-managed default rule set (DRS). See, [Web Application Firewall DRS rule groups and rules](../web-application-firewall/afds/waf-front-door-drs.md).
 
-2. Go to the **Create a WAF policy** page, select the **Basics** tab. Enter the following information, accept the defaults for the remaining settings.
+1. Go to the [Azure portal](https://portal.azure.com). 
+2. Select **Create a resource**.
+3. Search for Azure WAF. 
+4. Select **Azure Web Application Firewall (WAF)**.
+5. Select **Create**.
+6. Go to the **Create a WAF policy** page.
+7. Select the **Basics** tab. 
+8. For **Policy for**, select **Global WAF (Front Door)**.
+9. For **Front Door SKU**, select between **Basic**, **Standard**, or **Premium** SKU.
+10. For **Subscription**, select your Front Door subscription name.
+11. For **Resource group**, select your Front Door resource group name.
+12. For **Policy name**, enter a unique name for your WAF policy.
+13. For **Policy state**, select **Enabled**.
+14. For **Policy mode**, select **Detection**.
+15. Select **Review + create**.
+16. Go to the **Association** tab of the Create a WAF policy page.
+17. Select **+ Associate a Front Door profile**.
+18. For **Front Door**, select your Front Door name associated with Azure AD B2C custom domain.
+19. For **Domains**, select the Azure AD B2C custom domains to associate the WAF policy to.
+20. Select **Add**.
+21. Select **Review + create**.
+22. Select **Create**.
 
-| Value | Description |
-|:--------|:-------|
-| Policy for | Global WAF (Front Door)|
-| Front Door SKU | Select between Basic, Standard, or Premium SKU |
-|Subscription | Select your Front Door subscription name |
-| Resource group | Select your Front Door resource group name |
-| Policy name | Enter a unique name for your WAF policy |
-| Policy state | Set as Enabled |
-| Policy mode | Set as Detection |
+### Detection and Prevention modes
 
-3. Select **Review + create**
+When you create WAF policy, the policy is in Detection mode. We recommend you don't disable Detection mode. In this mode, WAF doesn't block requests. Instead, requests that match the WAF rules are logged in the WAF logs. 
 
-4. Go to the **Association** tab of the Create a WAF policy page, select + **Associate a Front Door profile**, enter the following settings
+Learn more: [Azure Web Application Firewall monitoring and logging](../web-application-firewall/afds/waf-front-door-monitor.md)
 
-| Value | Description |
-|:----|:------|
-| Front Door | Select your Front Door name associated with Azure AD B2C custom domain |
-| Domains | Select the Azure AD B2C custom domains you want to associate the WAF policy to|
+The following query shows the requests blocked by the WAF policy in the past 24 hours. The details include, rule name, request data, action taken by the policy, and the policy mode.
+   
+   ![Screenshot of blocked requests.](./media/partner-azure-web-application-firewall/blocked-requests-query.png)
 
-5. Select **Add**.
+   ![Screenshot of blocked requests details, such as Rule ID, Action, Mode, etc.](./media/partner-azure-web-application-firewall/blocked-requests-details.png)
 
-6. Select **Review + create**, then select **Create**.
+Review the WAF logs to determine if policy rules cause false positives. Then, exclude the WAF rules based on the WAF logs.
 
-### Change policy mode from detection to prevention
+Learn more: [Define exclusion rules based on Web Application Firewall logs](../web-application-firewall/afds/waf-front-door-exclusion.md#define-exclusion-based-on-web-application-firewall-logs)
 
-When a WAF policy is created, by default the policy is in Detection mode. In Detection mode, WAF doesn't block any requests, instead, requests matching the WAF rules are logged in the WAF logs. For more information about WAF logging, see [Azure WAF monitoring and logging](../web-application-firewall/afds/waf-front-door-monitor.md).
+#### Switching modes
 
-The sample query shows all the requests that were blocked by the WAF policy in the past 24 hours. The details include, rule name, request data, action taken by the policy, and the policy mode.
+To see WAF operating, select **Switch to prevention mode**, which changes the mode from Detection to Prevention. Requests that match the rules in the DRS are blocked and logged in the WAF logs.
 
-![Image shows the blocked requests](./media/partner-azure-web-application-firewall/blocked-requests-query.png)
+  ![Screenshot of options and selections for DefaultRuleSet under Web Application Firewall policies.](./media/partner-azure-web-application-firewall/switch-to-prevention-mode.png)
 
-![Image shows the blocked requests details](./media/partner-azure-web-application-firewall/blocked-requests-details.png)
+To revert to Detection mode, select **Switch to detection mode**.
 
-It's recommended that you let the WAF capture requests in Detection mode. Review the WAF logs to determine if there are any rules in the policy that are causing false positive results. Then after [exclude the WAF rules based on the WAF logs](../web-application-firewall/afds/waf-front-door-exclusion.md#define-exclusion-based-on-web-application-firewall-logs).
-
-To see WAF in action, use Switch to prevention mode to change from Detection to Prevention mode. All requests that match the rules defined in the Default Rule Set (DRS) are blocked and logged in the WAF logs.
-
-![Image shows the switch to prevention mode](./media/partner-azure-web-application-firewall/switch-to-prevention-mode.png)
-
-In case you want to switch back to the detection mode, you can do so by using Switch to detection mode option.
-
-![Image shows the switch to detection mode](./media/partner-azure-web-application-firewall/switch-to-detection-mode.png)
+  ![Screenshot of DefaultRuleSet with Switch to detection mode.](./media/partner-azure-web-application-firewall/switch-to-detection-mode.png)
 
 ## Next steps
 
-- [Azure WAF monitoring and logging](../web-application-firewall/afds/waf-front-door-monitor.md)
-
-- [WAF with Front Door service exclusion lists](../web-application-firewall/afds/waf-front-door-exclusion.md)
+* [Azure Web Application Firewall monitoring and logging](../web-application-firewall/afds/waf-front-door-monitor.md)
+* [Web Application Firewall (WAF) with Front Door exclusion lists](../web-application-firewall/afds/waf-front-door-exclusion.md)

articles/azure-monitor/autoscale/autoscale-multiprofile.md

@@ -41,7 +41,7 @@ The example below shows an autoscale setting with a default profile and recurrin
 
 :::image type="content" source="./media/autoscale-multiple-profiles/autoscale-default-recurring-profiles.png" alt-text="A screenshot showing an autoscale setting with default and recurring profile or scale condition":::
 
-In the above example, on Monday after 6 AM, the recurring profile will be used. If the instance count is less than 3, autoscale scales to the new minimum of three. Autoscale continues to use this profile and scales based on CPU% until Monday at 6 PM. At all other times scaling will be done according to the default profile, based on the number of requests. After 6 PM on Monday, autoscale switches to the default profile. If for example, the number of instances at the time is 12, autoscale scales in to 10, which the maximum allowed for the default profile.
+In the above example, on Monday after 3 AM, the recurring profile will cease to be used. If the instance count is less than 3, autoscale scales to the new minimum of three. Autoscale continues to use this profile and scales based on CPU% until Monday at 8 PM. At all other times scaling will be done according to the default profile, based on the number of requests. After 8 PM on Monday, autoscale switches to the default profile. If for example, the number of instances at the time is 12, autoscale scales in to 10, which the maximum allowed for the default profile.
 
 ## Multiple contiguous profiles
 Autoscale transitions between profiles based on their start times. The end time for a given profile is determined by the start time of the following profile.

articles/azure-monitor/autoscale/media/autoscale-multiple-profiles/autoscale-default-recurring-profiles.png

@@ -6,7 +6,7 @@ services: internet-peering
 author: halkazwini
 ms.service: internet-peering
 ms.topic: conceptual
-ms.date: 02/23/2023
+ms.date: 03/08/2023
 ms.author: halkazwini
 ms.custom: template-concept, engagement-fy23
 ---
@@ -22,7 +22,7 @@ Microsoft maintains a selective peering policy designed to ensure the best possi
 * MD5 isn't supported.
 * **ASN details:**
 
-    * Microsoft manages AS8075 along with the following ASNs: AS8068, AS8069, AS12076. For a complete list of ASNs with AS8075 peering, reference AS-SET MICROSOFT.
+    * Microsoft manages AS8075 and other ASNs as described in AS-SET RADb:AS-MICROSOFT.
     * All parties peering with Microsoft agree not to accept routes from AS12076 (ExpressRoute) under any circumstances and should filter out AS12076 on all peers.
 
 * **Routing policy:**
@@ -31,7 +31,8 @@ Microsoft maintains a selective peering policy designed to ensure the best possi
     * Microsoft prefers to receive BGP community tags from peers to indicate route origination.
     * We recommend peers set a max-prefix of 2000 (IPv4) and 500 (IPv6) routes on peering sessions with Microsoft.
     * Unless specifically agreed upon beforehand, peers are expected to announce consistent routes in all locations where they peer with Microsoft.
-    * In general, peering sessions with AS8075 will advertise all AS-MICROSOFT routes. Microsoft may announce some regional specifics.
+    * In general, Microsoft advertises all Microsoft routes, with some regional specifics as appropriate.  All prefixes are properly registered within the RADb.
+    * Microsoft also announces 3rd party address space under “Bring Your Own IP” and “Bring Your Own ASN” products. BYOIP prefixes are all properly registered as AS8075, and BYOASN ASNs will be included in AS-SET AS-MICROSOFT.
     * Neither party will establish a static route, a route of last resort, or otherwise send traffic to the other party for a route not announced via BGP.
     * Peers are required to register their routes in a public Internet Routing Registry (IRR) database, for the purposes of filtering, and keep this information up to date.      
     * Peers adhere to MANRS industry standards for route security.  At its sole discretion, Microsoft may choose:

articles/internet-peering/policy.md

@@ -42,12 +42,13 @@ The following table provides a summary of issues fixed in this release.
 
 The following table provides a summary of known issues carried over from the previous releases. 
 
-  |No.  |Feature  | Issue |
-  |-----|-----|-----|
-  | 1 | Policy configuration  | Azure Private 5G Core may ignore non-default QoS and Policy configuration when handling 4G subscribers.  | 
-  | 2 | Packet forwarding  | Azure Private 5G Core may not forward buffered packets if NAT is enabled.   | 
-  | 3 | Local dashboards  | In some scenarios, the local dashboards don't show session rejection under the **Device and Session Statistics** panel if Session Establishment requests are rejected due to invalid PDU type (e.g. IPv6 when only IPv4 supported).   | 
-  | 4 | Packet forwarding  | When Azure Private 5G Core has NAT enabled on a data network, approximately one in every 65,536 downlink packets sent to a UE will be emitted with an incorrect IP checksum, which will likely cause it to be dropped.  | 
+  |No.  |Feature  | Issue | Workaround/comments |
+  |-----|-----|-----|-----|
+  | 1 | Policy configuration  | Azure Private 5G Core may ignore non-default QoS and Policy configuration when handling 4G subscribers. | Not applicable. |
+  | 2 | Packet forwarding  | Azure Private 5G Core may not forward buffered packets if NAT is enabled. | Not applicable. |
+  | 3 | Local dashboards  | In some scenarios, the local dashboards don't show session rejection under the **Device and Session Statistics** panel if Session Establishment requests are rejected due to invalid PDU type (e.g. IPv6 when only IPv4 supported). | Not applicable. |
+  | 4 | Packet forwarding  | When Azure Private 5G Core has NAT enabled on a data network, approximately one in every 65,536 downlink packets sent to a UE will be emitted with an incorrect IP checksum, which will likely cause it to be dropped. | Not applicable. | 
+  | 5 | Install/upgrade | Changing the technology type of a deployment from 4G (EPC) to 5G using upgrade or site delete and add is not supported. | Please contact support for the required steps to change the technology type. |
 
 ## Next steps