Commit f49fb32

Merge pull request #284503 from MicrosoftDocs/repo_sync_working_branch
Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-docs (branch main)
2 parents b84ad3f + a882511 commit f49fb32

6 files changed

+37
-11
lines changed

articles/azure-cache-for-redis/cache-high-availability.md

Lines changed: 1 addition & 1 deletion
@@ -20,7 +20,7 @@ Various high availability options are available in the Standard, Premium, and En
2020
| Option | Description | Availability | Standard | Premium | Enterprise |
2121
| ------------------- | ------- | ------- | :------: | :---: | :---: |
2222
| [Standard replication](#standard-replication-for-high-availability)| Dual-node replicated configuration in a single data center with automatic failover | 99.9% (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_1/)) |Yes|Yes|Yes|
23-
| [Zone redundancy](#zone-redundancy) | Multi-node replicated configuration across Availability Zones, with automatic failover | 99.9% in Premium; 99.99% in Enterprise (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_1/)) |No|Yes|Yes|
23+
| [Zone redundancy](#zone-redundancy) | Multi-node replicated configuration across Availability Zones, with automatic failover | 99.9% in Premium; 99.99% in Enterprise (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_1/)) |Yes (Preview)|Yes|Yes|
2424
| Geo-replication | Linked cache instances in two regions, with user-controlled failover | Premium; Enterprise (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_1/)) |No| [Passive](#passive-geo-replication) | [Active](#active-geo-replication) |
2525
| [Import/Export](#importexport) | Point-in-time snapshot of data in cache. | 99.9% (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_1/)) |No|Yes|Yes|
2626
| [Persistence](#persistence) | Periodic data saving to storage account. | 99.9% (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_1/)) |No|Yes|Preview|
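
Review bot: In the changed Zone redundancy row, the Standard column now reads `Yes (Preview)`, but the Availability cell of the same row still lists only "99.9% in Premium; 99.99% in Enterprise", so a reader cannot tell what availability figure, if any, applies to a zone-redundant Standard cache. Either add the Standard case to that cell or say there that the preview has no stated figure. The Persistence row marks its preview cell as plain `Preview`; use one form (`Preview` or `Yes (Preview)`) across the table.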

articles/azure-monitor/logs/search-jobs.md

Lines changed: 3 additions & 0 deletions
@@ -24,6 +24,9 @@ This video explains when and how to use search jobs:
2424
|:-------|:---------------------|
2525
| Run a search job | `Microsoft.OperationalInsights/workspaces/tables/write` and `Microsoft.OperationalInsights/workspaces/searchJobs/write` permissions to the Log Analytics workspace, for example, as provided by the [Log Analytics Contributor built-in role](../logs/manage-access.md#built-in-roles). |
2626

27+
> [!NOTE]
28+
> Cross-tenant search jobs are not currently supported, even when Entra ID tenants are managed through Azure Lighthouse.
29+
2730
## When to use search jobs
2831

2932
Use a search job when the log query timeout of 10 minutes isn't sufficient to search through large volumes of data or if you're running a slow query.
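
Review bot: The added note under the permissions table does not say what "cross-tenant" covers, which is the detail an Azure Lighthouse reader needs in order to tell whether their setup is affected; spell out the case (for instance, if this is the intended meaning, a workspace that lives in a different tenant from the identity running the job). On wording, the note uses "are not" and the bare "Entra ID", while the unchanged line below it uses the contraction "isn't"; match the file with "aren't" and write "Microsoft Entra ID" on first mention.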

articles/connectors/built-in.md

Lines changed: 1 addition & 1 deletion
@@ -640,7 +640,7 @@ Azure Logic Apps supports business-to-business (B2B) communication scenarios thr
640640

641641
* For operations that require maps or schemas, you can either:
642642

643-
* Upload these artifacts to your logic app resource using the Azure portal or Visual Studio Code. You can then use these artifacts across all child workflows in the *same* logic app resource. For more information, review [Add schemas to use with workflows in Azure Logic Apps](../logic-apps/logic-apps-enterprise-integration-maps.md?tabs=standard) and [Add schemas to use with workflows in Azure Logic Apps](../logic-apps/logic-apps-enterprise-integration-schemas.md?tabs=standard).
643+
* Upload these artifacts to your logic app resource using the Azure portal or Visual Studio Code. You can then use these artifacts across all child workflows in the *same* logic app resource. For more information, review [Add maps to use with workflows in Azure Logic Apps](../logic-apps/logic-apps-enterprise-integration-maps.md?tabs=standard) and [Add schemas to use with workflows in Azure Logic Apps](../logic-apps/logic-apps-enterprise-integration-schemas.md?tabs=standard).
644644

645645
* [Link your logic app resource to your integration account](../logic-apps/logic-apps-enterprise-integration-create-integration-account.md).
646646

articles/container-registry/tasks-agent-pools.md

Lines changed: 30 additions & 7 deletions
@@ -93,19 +93,41 @@ az acr agentpool update \
9393

9494
Task agent pools require access to the following Azure services. The following firewall rules must be added to any existing network security groups or user-defined routes.
9595

96-
| Direction | Protocol | Source | Source Port | Destination | Dest Port | Used |
97-
| --------- | -------- | -------------- | ----------- | -------------------- | --------- | ------- |
98-
| Outbound | TCP | VirtualNetwork | Any | AzureKeyVault | 443 | Default |
99-
| Outbound | TCP | VirtualNetwork | Any | Storage | 443 | Default |
100-
| Outbound | TCP | VirtualNetwork | Any | EventHub | 443 | Default |
101-
| Outbound | TCP | VirtualNetwork | Any | AzureActiveDirectory | 443 | Default |
102-
| Outbound | TCP | VirtualNetwork | Any | AzureMonitor | 443,12000 | Default |
96+
| Direction | Protocol | Source | Source Port | Destination | Dest Port | Used | Remarks |
97+
| --------- | -------- | -------------- | ----------- | -------------------- | --------- | ------- | ------------------------------------------------- |
98+
| Outbound | TCP | VirtualNetwork | Any | AzureKeyVault | 443 | Default | |
99+
| Outbound | TCP | VirtualNetwork | Any | Storage | 443 | Default | |
100+
| Outbound | TCP | VirtualNetwork | Any | EventHub | 443 | Default | |
101+
| Outbound | TCP | VirtualNetwork | Any | AzureActiveDirectory | 443 | Default | |
102+
| Outbound | TCP | VirtualNetwork | Any | AzureMonitor | 443,12000 | Default | Port 12000 is a unique port used for diagnostics |
103103

104104
> [!NOTE]
105105
> If your tasks require additional resources from the public internet, add the corresponding rules. For example, additional rules are needed to run a docker build task that pulls the base images from Docker Hub, or restores a NuGet package.
106106
107107
Customers basing their deployments with MCR can refer to [MCR/MAR firewall rules.](https://github.com/microsoft/containerregistry/blob/main/docs/client-firewall-rules.md)
108108

109+
#### Advanced network configuration
110+
111+
If the standard Firewall/NSG (Network Security Group) rules are deemed too permissive, and more fine-grained control is required for outbound connections, consider the following approach:
112+
113+
- Enable service endpoints on the agent pool subnet. This grants the agent pool access to its service dependencies while maintaining a secure network posture.
114+
- It's important to note that outbound Firewall/NSG rules are still necessary. These rules facilitate the Virtual Network's ability to switch the source IP from public to private, which is an additional step beyond enabling service endpoints.
115+
116+
More information on service endpoints is documented [here][az-vnet-svc-ep].
117+
118+
At minimum, the following service endpoints will be required
119+
120+
- Microsoft.AzureActiveDirectory
121+
- Microsoft.ContainerRegistry
122+
- Microsoft.EventHub
123+
- Microsoft.KeyVault
124+
- Microsoft.Storage (or the corresponding storage regions taking geo-replication into account)
125+
126+
> [!NOTE]
127+
> Currently a service endpoint for Azure Monitor does not exist. If outbound traffic for Azure Monitor is not configured, the agent pool will be unable to emit diagnostic logs but may appear to still operate normally. In this case ACR will be unable to help fully troubleshoot any issues encountered so it is important that the network administrator take this into account when planning the network configuration.
128+
129+
Also, it is important to note that all of ACR Tasks have pre-cached images for some of the more common use cases. Tasks will only cache a single version at a time, meaning that if the full tagged image reference is used, then the build agent will attempt to pull the image. For example, a common use case is `cmd: mcr.microsoft.com/acr/acr-cli:<tag>`. However, the pre-cached version is frequently updated, which means the actual version on the machine will likely be higher. In this case, the network configuration must configure a route for outbound traffic to the target registry host which in the example above would be mcr.microsoft.com. The same rules would apply to any other external public registry (docker.io, quay.io, ghcr.io, etc.).
130+
109131
### Create pool in VNet
110132

111133
The following example creates an agent pool in the *mysubnet* subnet of network *myvnet*:
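
Review bot: The new "Advanced network configuration" list of minimum service endpoints includes Microsoft.ContainerRegistry, but the firewall rules table in this same hunk has no row for a container registry destination, and the second bullet says outbound Firewall/NSG rules "are still necessary" without naming which ones. State explicitly that the rules in the table stay in place alongside the service endpoints, and either add the matching registry row or explain why the registry is needed only as a service endpoint. The Azure Monitor note should point back to the AzureMonitor row (443,12000) as the rule to keep, since the note itself says no service endpoint exists and that without outbound traffic the pool stops emitting diagnostic logs while appearing to operate normally. Smaller points: "At minimum, the following service endpoints will be required" needs a closing colon; the link text "here" should describe its target; "unique port" in the Remarks cell does not say what is unique about 12000; and "the actual version on the machine will likely be higher" should say higher than what (presumably the tag pinned in the task).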
@@ -200,3 +222,4 @@ For more examples of container image builds and maintenance in the cloud, check
200222
[az-acr-task-create]: /cli/azure/acr/task#az_acr_task_create
201223
[az-acr-task-run]: /cli/azure/acr/task#az_acr_task_run
202224
[create-reg-cli]: container-registry-get-started-azure-cli.md
225+
[az-vnet-svc-ep]: ../virtual-network/virtual-network-service-endpoints-overview.md#secure-azure-services-to-virtual-networks

articles/operator-service-manager/best-practices-onboard-deploy.md

Lines changed: 1 addition & 1 deletion
@@ -28,7 +28,7 @@ We recommend that you first onboard and deploy your simplest NFs (one or two cha
2828
- After the desired set of Azure Operator Service Manager publisher resources and artifacts is tested and approved for production use, we recommend marking the entire set as immutable to prevent accidental changes and ensure a consistent deployment experience. Consider relying on immutability capabilities to distinguish between resources and artifacts used in production versus the ones used for testing and development purposes. You can query the state of the publisher resources and the artifact manifests to determine which ones are marked as immutable. For more information, see [Publisher tenants, subscriptions, regions, and preview management](publisher-resource-preview-management.md).
2929

3030
Keep in mind the following logic:
31-
- If Network Service Design Function (NSDV) is marked as immutable, CGS has to be marked as immutable too. Otherwise, the deployment call fails.
31+
- If Network Service Design Version (NSDV) is marked as immutable, CGS has to be marked as immutable too. Otherwise, the deployment call fails.
3232
- If Network Function Design Version (NFDV) is marked as immutable, the artifact manifest must be marked as immutable too. Otherwise, the deployment call fails.
3333
- If only artifact manifest or CGS is marked immutable, the deployment call succeeds regardless of whether NFDV and NSDV are marked as immutable.
3434
- Marking an artifact manifest as immutable ensures that all artifacts listed in that manifest (typically, charts, images, and Azure Resource Manager templates [ARM templates]) are marked immutable too by enforcing necessary permissions on the artifact store.

articles/reliability/availability-zones-service-support.md

Lines changed: 1 addition & 1 deletion
@@ -197,7 +197,7 @@ Azure offerings are grouped into three categories that reflect their _regional_
197197
| [Azure SignalR](../azure-signalr/availability-zones.md) | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) |
198198
| [Azure Spring Apps](reliability-spring-apps.md#availability-zone-support) | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) |
199199
| Azure Storage: Ultra Disk | ![An icon that signifies this service is zonal.](media/icon-zonal.svg) |
200-
| [Azure VMware Services](../azure-vmware/architecture-private-clouds.md) | | ![An icon that signifies this service is zonal.](media/icon-zonal.svg) |
200+
| [Azure VMware Services](../azure-vmware/architecture-private-clouds.md) | ![An icon that signifies this service is zonal.](media/icon-zonal.svg) |
201201
| [Azure Web PubSub](../azure-web-pubsub/concept-availability-zones.md) | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) |
202202
| [Microsoft Fabric](reliability-fabric.md#availability-zone-support) | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) |
203203
