Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into quality-and-diagnostics

Author: ShawnJackson

CODEOWNERS

@@ -29,11 +29,3 @@
 /articles/advisor @jasonwhowell @thomps23
 /articles/chaos-studio @jasonwhowell @thomps23
 /articles/service-health @jasonwhowell @thomps23
-/articles/azure-arc @jasonwhowell @thomps23
-/articles/azure-linux @jasonwhowell @thomps23
-/articles/azure-portal @jasonwhowell @thomps23
-/articles/copilot @jasonwhowell @thomps23
-/articles/lighthouse @jasonwhowell @thomps23
-/articles/quotas @jasonwhowell @thomps23
-/articles/kubernetes-fleet @jasonwhowell @thomps23
-

articles/api-management/authentication-basic-policy.md

@@ -16,6 +16,8 @@ ms.author: danlep
 
 Use the `authentication-basic` policy to authenticate with a backend service using Basic authentication. This policy effectively sets the HTTP Authorization header to the value corresponding to the credentials provided in the policy.
 
+[!INCLUDE [api-management-credentials-caution](../../includes/api-management-credentials-caution.md)]
+
 [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
 
 

articles/api-management/authentication-certificate-policy.md

@@ -14,7 +14,9 @@ ms.author: danlep
 
 [!INCLUDE [api-management-availability-all-tiers](../../includes/api-management-availability-all-tiers.md)]
 
- Use the `authentication-certificate` policy to authenticate with a backend service using a client certificate. When the certificate is [installed into API Management](./api-management-howto-mutual-certificates.md) first, identify it first by its thumbprint or certificate ID (resource name). 
+ Use the `authentication-certificate` policy to authenticate with a backend service using a client certificate. When the certificate is [installed into API Management](./api-management-howto-mutual-certificates.md) first, identify it first by its thumbprint or certificate ID (resourcename). 
+
+[!INCLUDE [api-management-credentials-caution](../../includes/api-management-credentials-caution.md)]
 
 > [!CAUTION]
 > If the certificate references a certificate stored in Azure Key Vault, identify it using the certificate ID. When a key vault certificate is rotated, its thumbprint in API Management will change, and the policy will not resolve the new certificate if it is identified by thumbprint.
@@ -43,6 +45,12 @@ ms.author: danlep
 - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation
 - [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted, workspace
 
+### Usage notes
+
+- We recommend configuring [key vault certificates](api-management-howto-mutual-certificates.md) to manage certificates used to secure access to backend services.
+- If you configure a certificate password in this policy, we recommend using a [named value](api-management-howto-properties.md).
+
+
 ## Examples
 
 ### Client certificate identified by the certificate ID

articles/api-management/proxy-policy.md

@@ -16,6 +16,8 @@ ms.author: danlep
 
 The `proxy` policy allows you to route requests forwarded to backends via an HTTP proxy. Only HTTP (not HTTPS) is supported between the gateway and the proxy. Basic and NTLM authentication only. 
 
+[!INCLUDE [api-management-credentials-caution](../../includes/api-management-credentials-caution.md)]
+
 [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
 
 
@@ -39,6 +41,11 @@ The `proxy` policy allows you to route requests forwarded to backends via an HTT
 - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation
 -  [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted, workspace
 
+### Usage notes
+
+- We recommend using [named values](api-management-howto-properties.md) to provide credentials, with secrets protected in a key vault.
+
+
 ## Example
 
 In this example, [named values](api-management-howto-properties.md) are used for the username and password to avoid storing sensitive information in the policy document.

articles/api-management/virtual-network-workspaces-resources.md

@@ -31,6 +31,11 @@ For information about networking options in API Management, see [Use a virtual n
 
 * The subnet can't be shared with another Azure resource, including another workspace gateway.
 
+## Subnet size 
+
+* Minimum: /27 (32 addresses)
+* Maximum: /24 (256 addresses) - recommended
+
 ## Subnet delegation
 
 The subnet must be delegated as follows to enable the desired inbound and outbound access. 

articles/app-service/app-service-web-tutorial-custom-domain.md

@@ -161,7 +161,7 @@ Browse to the DNS names that you configured.
 If you receive an HTTP 404 (Not Found) error when you browse to the URL of your custom domain, the two most likely causes are:
 
 - The browser client has cached the old IP address of your domain. Clear the cache and test the DNS resolution again. On a Windows machine, you can clear the cache with `ipconfig /flushdns`.
-- You configured an IP-based certificate binding, and the app's IP address has changed because of it. [Remap the A record](configure-ssl-bindings.md#2-remap-records-for-ip-based-ssl) in your DNS entries to the new IP address.
+- You configured an IP-based certificate binding, and the app's IP address has changed because of it. [Remap the A record](configure-ssl-bindings.md#remap-records-for-ip-based-ssl) in your DNS entries to the new IP address.
 
 If you receive a `Page not secure` warning or error, it's because your domain doesn't have a certificate binding yet. [Add a private certificate for the domain](configure-ssl-certificate.md) and [configure the binding](configure-ssl-bindings.md).
 

articles/app-service/configure-ssl-bindings.md

@@ -1,87 +1,87 @@
 ---
 title: Secure a custom DNS with a TLS/SSL binding
-description: Secure HTTPS access to your custom domain by creating a TLS/SSL binding with a certificate. Improve your website's security by enforcing HTTPS or TLS 1.2.
+description: Help secure HTTPS access to your custom domain by creating a TLS/SSL binding with a certificate. Improve your website's security by enforcing HTTPS or TLS 1.2.
 tags: buy-ssl-certificates
 ms.custom: devx-track-azurepowershell
 
-ms.topic: article
-ms.date: 04/20/2023
+ms.topic: how-to
+ms.date: 09/16/2024
 ms.reviewer: yutlin
 ms.author: msangapu
 author: msangapu-msft
 ---
-# Secure a custom DNS name with a TLS/SSL binding in Azure App Service
+# Provide security for a custom DNS name with a TLS/SSL binding in App Service
 
-This article shows you how to secure the [custom domain](app-service-web-tutorial-custom-domain.md) in your [App Service app](./index.yml) or [function app](../azure-functions/index.yml) by creating a certificate binding. When you're finished, you can access your App Service app at the `https://` endpoint for your custom DNS name (for example, `https://www.contoso.com`). 
+This article shows you how to provide security for the [custom domain](app-service-web-tutorial-custom-domain.md) in your [App Service app](./index.yml) or [function app](../azure-functions/index.yml) by creating a certificate binding. When you're finished, you can access your App Service app at the `https://` endpoint for your custom DNS name (for example, `https://www.contoso.com`). 
 
-![Web app with custom TLS/SSL certificate](./media/configure-ssl-bindings/app-with-custom-ssl.png)
+![Web app with custom TLS/SSL certificate.](./media/configure-ssl-bindings/app-with-custom-ssl.png)
 
 ## Prerequisites
 
-- [Scale up your App Service app](manage-scale-up.md) to one of the supported pricing tiers: **Basic**, **Standard**, **Premium**.
+- [Scale up your App Service app](manage-scale-up.md) to one of the supported pricing tiers: Basic, Standard, Premium.
 - [Map a domain name to your app](app-service-web-tutorial-custom-domain.md) or [buy and configure it in Azure](manage-custom-dns-buy-domain.md).
 
 <a name="upload"></a>
 
-## 1. Add the binding
+## Add the binding
 
 In the <a href="https://portal.azure.com" target="_blank">Azure portal</a>:
 
 1. From the left menu, select **App Services** > **\<app-name>**.
 
-1. From the left navigation of your app, select **Custom domains**
+1. From the left navigation of your app, select **Custom domains**.
 
-1. Next to the custom domain, select **Add binding**
+1. Next to the custom domain, select **Add binding**.
 
-    :::image type="content" source="media/configure-ssl-bindings/secure-domain-launch.png" alt-text="A screenshot showing how to launch the Add TLS/SSL Binding dialog.":::
+    :::image type="content" source="media/configure-ssl-bindings/secure-domain-launch.png" alt-text="A screenshot showing how to launch the Add TLS/SSL Binding dialog." lightbox="media/configure-ssl-bindings/secure-domain-launch.png":::
 
 1. If your app already has a certificate for the selected custom domain, you can select it in **Certificate**. If not, you must add a certificate using one of the selections in **Source**.
 
-    - **Create App Service Managed Certificate** - Let App Service create a managed certificate for your selected domain. This option is the simplest. For more information, see [Create a free managed certificate](configure-ssl-certificate.md#create-a-free-managed-certificate).
-    - **Import App Service Certificate** - In **App Service Certificate**, choose an [App Service certificate](configure-ssl-app-service-certificate.md) you've purchased for your selected domain.
+    - **Create App Service Managed Certificate** - Let App Service create a managed certificate for your selected domain. This option is the easiest. For more information, see [Create a free managed certificate](configure-ssl-certificate.md#create-a-free-managed-certificate).
+    - **Import App Service Certificate** - In **App Service Certificate**, select an [App Service certificate](configure-ssl-app-service-certificate.md) you've purchased for your selected domain.
     - **Upload certificate (.pfx)** - Follow the workflow at [Upload a private certificate](configure-ssl-certificate.md#upload-a-private-certificate) to upload a PFX certificate from your local machine and specify the certificate password.
     - **Import from Key Vault** - Select **Select key vault certificate** and select the certificate in the dialog.
 
-1. In **TLS/SSL type**, choose between **SNI SSL** and **IP based SSL**.
+1. In **TLS/SSL type**, select either **SNI SSL** or **IP based SSL**.
 
-    - **[SNI SSL](https://en.wikipedia.org/wiki/Server_Name_Indication)**: Multiple SNI SSL bindings may be added. This option allows multiple TLS/SSL certificates to secure multiple domains on the same IP address. Most modern browsers (including Internet Explorer, Chrome, Firefox, and Opera) support SNI (for more information, see [Server Name Indication](https://wikipedia.org/wiki/Server_Name_Indication)).
-    - **IP based SSL**: Only one IP SSL binding may be added. This option allows only one TLS/SSL certificate to secure a dedicated public IP address. After you configure the binding, follow the steps in [2. Remap records for IP based SSL](#2-remap-records-for-ip-based-ssl).<br/>IP SSL is supported only in **Basic** tier or higher.
+    - **[SNI SSL](https://en.wikipedia.org/wiki/Server_Name_Indication)**: Multiple SNI SSL bindings can be added. This option allows multiple TLS/SSL certificates to help secure multiple domains on the same IP address. Most modern browsers (including Microsoft Edge, Chrome, Firefox, and Opera) support SNI. (For more information, see [Server Name Indication](https://wikipedia.org/wiki/Server_Name_Indication).)
+    - **IP based SSL**: Only one IP SSL binding can be added. This option allows only one TLS/SSL certificate to help secure a dedicated public IP address. After you configure the binding, follow the steps in [Remap records for IP-based SSL](#remap-records-for-ip-based-ssl).<br/>IP-based SSL is supported only in Standard tier or higher.
 
 1. When adding a new certificate, validate the new certificate by selecting **Validate**.
 
 1. Select **Add**.
 
-    Once the operation is complete, the custom domain's TLS/SSL state is changed to **Secure**.
+    Once the operation is complete, the custom domain's TLS/SSL state is changed to **Secured**.
 
     :::image type="content" source="media/configure-ssl-bindings/secure-domain-finished.png" alt-text="A screenshot showing the custom domain secured by a certificate binding.":::
 
 > [!NOTE]
-> A **Secure** state in the **Custom domains** means that it is secured with a certificate, but App Service doesn't check if the certificate is self-signed or expired, for example, which can also cause browsers to show an error or warning.
+> A **Secured** state in **Custom domains** means that a certificate is providing security, but App Service doesn't check if the certificate is self-signed or expired, for example, which can also cause browsers to show an error or warning.
 
-## 2. Remap records for IP based SSL
+## Remap records for IP-based SSL
 
-This step is needed only for IP based SSL. For an SNI SSL binding, skip to [Test HTTPS for your custom domain](#3-test-https).
+This step is needed only for IP-based SSL. For an SNI SSL binding, skip to [Test HTTPS](#test-https).
 
-There are two changes you need to make, potentially:
+There are potentially two changes you need to make:
 
 - By default, your app uses a shared public IP address. When you bind a certificate with IP SSL, App Service creates a new, dedicated IP address for your app. If you mapped an A record to your app, update your domain registry with this new, dedicated IP address.
 
     Your app's **Custom domain** page is updated with the new, dedicated IP address. Copy this IP address, then [remap the A record](app-service-web-tutorial-custom-domain.md#create-the-dns-records) to this new IP address.
 
-- If you have an SNI SSL binding to `<app-name>.azurewebsites.net`, [remap any CNAME mapping](app-service-web-tutorial-custom-domain.md#create-the-dns-records) to point to `sni.<app-name>.azurewebsites.net` instead (add the `sni` prefix).
+- If you have an SNI SSL binding to `<app-name>.azurewebsites.net`, [remap any CNAME mapping](app-service-web-tutorial-custom-domain.md#create-the-dns-records) to point to `sni.<app-name>.azurewebsites.net` instead. (Add the `sni` prefix.)
 
-## 3. Test HTTPS
+## Test HTTPS
 
-In various browsers, browse to `https://<your.custom.domain>` to verify that it serves up your app.
+Browse to `https://<your.custom.domain>` in various browsers to verify that your app appears.
 
-:::image type="content" source="./media/configure-ssl-bindings/app-with-custom-ssl.png" alt-text="Screenshot showing an example of browsing to your custom domain with the contoso.com URL highlighted.":::
+:::image type="content" source="./media/configure-ssl-bindings/app-with-custom-ssl.png" alt-text="Screenshot showing an example of browsing to your custom domain. The contoso.com URL is highlighted.":::
 
-Your application code can inspect the protocol via the "x-appservice-proto" header. The header has a value of `http` or `https`. 
+Your application code can inspect the protocol via the `x-appservice-proto` header. The header has a value of `http` or `https`. 
 
 > [!NOTE]
 > If your app gives you certificate validation errors, you're probably using a self-signed certificate.
 >
-> If that's not the case, you may have left out intermediate certificates when you export your certificate to the PFX file.
+> If that's not the case, you might have left out intermediate certificates when you exported your certificate to the PFX file.
 
 ## Frequently asked questions
 
@@ -94,7 +94,7 @@ Your application code can inspect the protocol via the "x-appservice-proto" head
 
 #### How do I make sure that the app's IP address doesn't change when I make changes to the certificate binding?
 
-Your inbound IP address can change when you delete a binding, even if that binding is IP SSL. This is especially important when you renew a certificate that's already in an IP SSL binding. To avoid a change in your app's IP address, follow these steps in order:
+Your inbound IP address can change when you delete a binding, even if that binding is IP SSL. This is especially important when you renew a certificate that's already in an IP SSL binding. To avoid a change in your app's IP address, follow these steps, in order:
 
 1. Upload the new certificate.
 2. Bind the new certificate to the custom domain you want without deleting the old one. This action replaces the binding instead of removing the old one.
@@ -116,21 +116,21 @@ Your app allows [TLS](https://wikipedia.org/wiki/Transport_Layer_Security) 1.2 b
 
 #### How do I handle TLS termination in App Service?
 
-In App Service, [TLS termination](https://wikipedia.org/wiki/TLS_termination_proxy) happens at the network load balancers, so all HTTPS requests reach your app as unencrypted HTTP requests. If your app logic needs to check if the user requests are encrypted or not, inspect the `X-Forwarded-Proto` header.
+In App Service, [TLS termination](https://wikipedia.org/wiki/TLS_termination_proxy) happens at the network load balancers, so all HTTPS requests reach your app as unencrypted HTTP requests. If your app logic needs to check if the user requests are encrypted, inspect the `X-Forwarded-Proto` header.
 
-Language specific configuration guides, such as the [Linux Node.js configuration](configure-language-nodejs.md#detect-https-session) guide, shows you how to detect an HTTPS session in your application code.
+Language-specific configuration guides, such as the [Linux Node.js configuration](configure-language-nodejs.md#detect-https-session) guide, show how to detect an HTTPS session in your application code.
 
 ## Automate with scripts
 
-### Azure CLI
+#### Azure CLI
 
 [Bind a custom TLS/SSL certificate to a web app](scripts/cli-configure-ssl-certificate.md)
 
-### PowerShell
+#### PowerShell
 
 [!code-powershell[main](../../powershell_scripts/app-service/configure-ssl-certificate/configure-ssl-certificate.ps1?highlight=1-3 "Bind a custom TLS/SSL certificate to a web app")]
 
-## More resources
+## Related content
 
 * [Use a TLS/SSL certificate in your code in Azure App Service](configure-ssl-certificate-in-code.md)
-* [FAQ : App Service Certificates](./faq-configuration-and-management.yml)
+* [Frequently asked questions about creating or deleting resources in Azure App Service](./faq-configuration-and-management.yml)

articles/azure-arc/kubernetes/azure-rbac.md

@@ -86,10 +86,10 @@ For a conceptual overview of this feature, see [Azure RBAC on Azure Arc-enabled
     1. Add the following specification under `volumes`:
 
        ```yml
-       - name: azure-rbac
-           hostPath:
+       - hostPath
            path: /etc/guard
            type: Directory
+       name: azure-rbac
        ```
 
     1. Add the following specification under `volumeMounts`:

articles/azure-arc/kubernetes/extensions-release.md

@@ -215,10 +215,9 @@ For more information, see [What is Edge Storage Accelerator?](../edge-storage-ac
 
 ## Connected registry on Arc-enabled Kubernetes
 
-- **Supported distributions**: Connected registry for Arc-enabled Kubernetes clusters.
-- **Supported Azure regions**: All regions where Azure Arc-enabled Kubernetes is available.
+- **Supported distributions**: AKS enabled by Azure Arc, Kubernetes using kind.
 
-The connected registry extension for Azure Arc enables you to sync container images between your Azure Container Registry (ACR) and your local on-prem Azure Arc-enabled Kubernetes cluster. The extension is deployed to the local or remote cluster and uses a synchronization schedule and window to sync images between the on-prem connected registry and the cloud ACR registry.
+The connected registry extension for Azure Arc allows you to synchronize container images between your Azure Container Registry (ACR) and your on-premises Azure Arc-enabled Kubernetes cluster. This extension can be deployed to either a local or remote cluster and utilizes a synchronization schedule and window to ensure seamless syncing of images between the on-premises connected registry and the cloud-based ACR.
 
 For more information, see [Connected Registry for Arc-enabled Kubernetes clusters](../../container-registry/quickstart-connected-registry-arc-cli.md).