MicrosoftDocs
diff --git a/‎CODEOWNERS
Lines changed: 1 addition & 1 deletion b/‎CODEOWNERS
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/api-management/authentication-basic-policy.md
Lines changed: 2 additions & 0 deletions b/‎articles/api-management/authentication-basic-policy.md
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/api-management/authentication-certificate-policy.md
Lines changed: 9 additions & 1 deletion b/‎articles/api-management/authentication-certificate-policy.md
Lines changed: 9 additions & 1 deletion
diff --git a/‎articles/api-management/proxy-policy.md
Lines changed: 7 additions & 0 deletions b/‎articles/api-management/proxy-policy.md
Lines changed: 7 additions & 0 deletions
diff --git a/‎articles/api-management/virtual-network-workspaces-resources.md
Lines changed: 5 additions & 0 deletions b/‎articles/api-management/virtual-network-workspaces-resources.md
Lines changed: 5 additions & 0 deletions
diff --git a/‎articles/application-gateway/for-containers/alb-controller-release-notes.md
Lines changed: 2 additions & 1 deletion b/‎articles/application-gateway/for-containers/alb-controller-release-notes.md
Lines changed: 2 additions & 1 deletion
@@ -35,5 +35,5 @@
 /articles/copilot @jasonwhowell @thomps23
 /articles/lighthouse @jasonwhowell @thomps23
 /articles/quotas @jasonwhowell @thomps23
+/articles/container-registry @jasonwhowell @thomps23
 /articles/kubernetes-fleet @jasonwhowell @thomps23
-
@@ -16,6 +16,8 @@ ms.author: danlep
 
 Use the `authentication-basic` policy to authenticate with a backend service using Basic authentication. This policy effectively sets the HTTP Authorization header to the value corresponding to the credentials provided in the policy.
 
+[!INCLUDE [api-management-credentials-caution](../../includes/api-management-credentials-caution.md)]
+
 [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
 
 
 
@@ -14,7 +14,9 @@ ms.author: danlep
 
 [!INCLUDE [api-management-availability-all-tiers](../../includes/api-management-availability-all-tiers.md)]
 
- Use the `authentication-certificate` policy to authenticate with a backend service using a client certificate. When the certificate is [installed into API Management](./api-management-howto-mutual-certificates.md) first, identify it first by its thumbprint or certificate ID (resource name). 
+ Use the `authentication-certificate` policy to authenticate with a backend service using a client certificate. When the certificate is [installed into API Management](./api-management-howto-mutual-certificates.md) first, identify it first by its thumbprint or certificate ID (resourcename). 
+
+[!INCLUDE [api-management-credentials-caution](../../includes/api-management-credentials-caution.md)]
 
 > [!CAUTION]
 > If the certificate references a certificate stored in Azure Key Vault, identify it using the certificate ID. When a key vault certificate is rotated, its thumbprint in API Management will change, and the policy will not resolve the new certificate if it is identified by thumbprint.
@@ -43,6 +45,12 @@ ms.author: danlep
 - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation
 - [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted, workspace
 
+### Usage notes
+
+- We recommend configuring [key vault certificates](api-management-howto-mutual-certificates.md) to manage certificates used to secure access to backend services.
+- If you configure a certificate password in this policy, we recommend using a [named value](api-management-howto-properties.md).
+
+
 ## Examples
 
 ### Client certificate identified by the certificate ID
 
@@ -16,6 +16,8 @@ ms.author: danlep
 
 The `proxy` policy allows you to route requests forwarded to backends via an HTTP proxy. Only HTTP (not HTTPS) is supported between the gateway and the proxy. Basic and NTLM authentication only. 
 
+[!INCLUDE [api-management-credentials-caution](../../includes/api-management-credentials-caution.md)]
+
 [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
 
 
@@ -39,6 +41,11 @@ The `proxy` policy allows you to route requests forwarded to backends via an HTT
 - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation
 -  [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted, workspace
 
+### Usage notes
+
+- We recommend using [named values](api-management-howto-properties.md) to provide credentials, with secrets protected in a key vault.
+
+
 ## Example
 
 In this example, [named values](api-management-howto-properties.md) are used for the username and password to avoid storing sensitive information in the policy document.
 
@@ -31,6 +31,11 @@ For information about networking options in API Management, see [Use a virtual n
 
 * The subnet can't be shared with another Azure resource, including another workspace gateway.
 
+## Subnet size 
+
+* Minimum: /27 (32 addresses)
+* Maximum: /24 (256 addresses) - recommended
+
 ## Subnet delegation
 
 The subnet must be delegated as follows to enable the desired inbound and outbound access. 
 
@@ -27,12 +27,13 @@ Instructions for new or existing deployments of ALB Controller are found in the
 
 | ALB Controller Version | Gateway API Version | Kubernetes Version | Release Notes |
 | ---------------------- | ------------------- | ------------------ | ------------- |
-| 1.0.2| v1 | v1.26, v1.27, v1.28, v1.29 | ECDSA + RSA certificate support for both Ingress and Gateway API, Ingress fixes, Server-sent events support |
+| 1.2.3| v1.1 | v1.26, v1.27, v1.28, v1.29, v1.30 | Gateway API v1.1, gRPC support, frontend mutual authentication, readiness probe fixes, custom health probe port and TLS mode  |
 
 ## Release history
 
 | ALB Controller Version | Gateway API Version | Kubernetes Version | Release Notes |
 | ---------------------- | ------------------- | ------------------ | ------------- |
+| 1.0.2| v1 | v1.26, v1.27, v1.28, v1.29 | ECDSA + RSA certificate support for both Ingress and Gateway API, Ingress fixes, Server-sent events support |
 | 1.0.0| v1 | v1.26, v1.27, v1.28 | General Availability! URL redirect for both Gateway and Ingress API, v1beta1 -> v1 of Gateway API, quality improvements<br/>Breaking Changes: TLS Policy for Gateway API [PolicyTargetReference](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1alpha2.PolicyTargetReferenceWithSectionName)<br/>Listener is now referred to as [SectionName](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.SectionName)<br/>Fixes: Request timeout of 3 seconds, [HealthCheckPolicy interval](https://github.com/Azure/AKS/issues/4086), [pod crash for missing API fields](https://github.com/Azure/AKS/issues/4087) |
 | 0.6.3 | v1beta1 | v1.25 | Hotfix to address handling of Application Gateway for Containers frontends during controller restart in managed scenario |
 | 0.6.2 | - | - | Skipped release |