Merge pull request #287944 from MicrosoftDocs/main

Publish to live, Monday 4 AM PST, 10/7

Author: ttorble

articles/backup/backup-azure-private-endpoints-concept.md

@@ -3,7 +3,7 @@ title: Private endpoints for Azure Backup - Overview
 description: This article explains about the concept of private endpoints for Azure Backup that helps to perform backups while maintaining the security of your resources.
 ms.topic: overview
 ms.service: azure-backup
-ms.date: 07/30/2024
+ms.date: 10/01/2024
 author: AbhishekMallick-MS
 ms.author: v-abhmallick
 ---
@@ -56,6 +56,7 @@ The following table lists the scenarios and recommendations:
 | Backup of workloads in Azure VM (SQL, SAP HANA), Backup using MARS Agent, DPM server. | Use of private endpoints is recommended to allow backup and restore without needing to add to an allowlist any IPs/FQDNs for Azure Backup or Azure Storage from your virtual networks. In that scenario, ensure that VMs that host SQL databases can reach Microsoft Entra IPs or FQDNs. |
 | Azure VM backup | VM backup doesn't require you to allow access to any IPs or FQDNs. So, it doesn't require private endpoints for backup and restore of disks. <br><br> However, file recovery from a vault containing private endpoints would be restricted to virtual networks that contain a private endpoint for the vault. <br><br> When using ACL’ed unmanaged disks, ensure the storage account containing the disks allows access to trusted Microsoft services if it's ACL'ed.  |
 | Azure Files backup | Azure Files backups are stored in the local storage account. So it doesn't require private endpoints for backup and restore. |
+| **Changed Vnet for Private endpoint in the Vault and Virtual Machine** | Stop backup protection and configure backup protection in a new vault with Private Endpoints enabled. |
 
 >[!Note]
 >Private endpoints are supported with only DPM server 2022, MABS v4, and later.

articles/backup/backup-azure-sap-hana-database-troubleshoot.md

@@ -2,7 +2,7 @@
 title: Troubleshoot SAP HANA databases back up errors
 description: Describes how to troubleshoot common errors that might occur when you use Azure Backup to back up SAP HANA databases.
 ms.topic: troubleshooting
-ms.date: 09/30/2024
+ms.date: 10/01/2024
 ms.service: azure-backup
 author: AbhishekMallick-MS
 ms.author: v-abhmallick
@@ -219,6 +219,13 @@ See the [prerequisites](tutorial-backup-sap-hana-db.md#prerequisites) and [What
 | **Possible Causes** | Restore as files is failing due to *directory* that is selected for restore doesn't exist on the Target server or isn't accessible.
 | **Recommended action** | Verify the directory that you selected is available on the target server and ensure you have selected the correct target server at the time of restore. |
 
+### JobCancelledOnExtensionUpgrade
+
+| Error message | The Backup job was canceled because the workload backup extension service restarted for an upgrade. |
+| --- | --- |
+| **Possible cause** | The backup and restore job fails due to automatic Extension upgrade when the backup/restore operation is in progress. |
+| **Recommended action** | Wait for the extension upgrade to complete. HANA then re-triggers the failed log backups, if any. <br><br> However, the failed Full/ Differential/ Incremental backups won't be re-triggered by Azure Backup and you need to manually retrigger this operation. |
+
 ## Restore checks
 
 ### Single Container Database (SDC) restore

articles/backup/private-endpoints-overview.md

@@ -2,7 +2,7 @@
 title: Private endpoints overview
 description: Understand the use of private endpoints for Azure Backup and the scenarios where using private endpoints helps maintain the security of your resources.
 ms.topic: overview
-ms.date: 07/30/2024
+ms.date: 10/01/2024
 ms.custom:
 ms.service: azure-backup
 author: AbhishekMallick-MS
@@ -39,6 +39,7 @@ While private endpoints are enabled for the vault, they're used for backup and r
 | Backup of workloads in Azure VM (SQL, SAP HANA), Backup using MARS Agent, DPM server. | Use of private endpoints is recommended to allow backup and restore without needing to add to an allowlist any IPs/FQDNs for Azure Backup or Azure Storage from your virtual networks. In that scenario, ensure that VMs that host SQL databases can reach Microsoft Entra IPs or FQDNs. |
 | **Azure  VM backup**                                         | VM backup doesn't require you to allow access to any IPs or FQDNs. So, it doesn't require private endpoints for backup and restore  of disks.  <br><br>   However, file recovery from a vault containing private endpoints would be restricted to virtual networks that contain a private endpoint for the vault. <br><br>    When using ACL’ed unmanaged disks, ensure the  storage account containing the disks allows access to **trusted Microsoft services** if it's ACL’ed. |
 | **Azure  Files backup**                                      | Azure Files backups are stored in the local  storage account. So it doesn't require private endpoints for backup and  restore. |
+| **Changed Vnet for Private endpoint in the Vault and Virtual Machine** | Stop backup protection and configure backup protection in a new vault with Private Endpoints enabled. |
 
 >[!NOTE]
 >Private endpoints are supported with only DPM server 2022, MABS v4, and later.

articles/backup/sap-hana-database-with-hana-system-replication-backup.md

@@ -2,7 +2,7 @@
 title: Back up SAP HANA System Replication databases on Azure VMs using Azure Backup
 description: In this article, discover how to back up SAP HANA databases with HANA System Replication enabled.
 ms.topic: how-to
-ms.date: 09/30/2024
+ms.date: 10/01/2024
 ms.service: azure-backup
 author: AbhishekMallick-MS
 ms.author: v-abhmallick
@@ -47,8 +47,25 @@ When a failover occurs, the users are replicated to the new primary, but *hdbuse
    | SDC | Backup Admin | Reads the backup catalog. |
    | SAP_INTERNAL_HANA_SUPPORT |      | Accesses a few private tables. <br><br> Required only for single container database (SDC) and multiple container database (MDC) versions earlier than HANA 2.0 SPS04 Rev 46. It isn't required for HANA 2.0 SPS04 Rev 46 versions and later, because we receive the required information from public tables now after the fix from HANA team. |
 
+   **Example**:
+
+   ```HDBSQL
+   - hdbsql -t -U SYSTEMKEY CREATE USER USRBKP PASSWORD AzureBackup01 NO FORCE_FIRST_PASSWORD_CHANGE
+   - hdbsql -t -U SYSTEMKEY 'ALTER USER USRBKP DISABLE PASSWORD LIFETIME'
+   - hdbsql -t -U SYSTEMKEY 'ALTER USER USRBKP RESET CONNECT ATTEMPTS'
+   - hdbsql -t -U SYSTEMKEY 'ALTER USER USRBKP ACTIVATE USER NOW'
+   - hdbsql -t -U SYSTEMKEY 'GRANT DATABASE ADMIN TO USRBKP'
+   - hdbsql -t -U SYSTEMKEY 'GRANT CATALOG READ TO USRBKP'
+   ```
+
 1. Add the key to *hdbuserstore* for your custom backup user that enables the HANA backup plug-in to manage all operations (database queries, restore operations, configuring, and running backup). 
 
+   **Example**:
+
+   ```HDBSQL
+   - hdbuserstore set BKPKEY localhost:39013 USRBKP AzureBackup01
+   ```
+
 1. Pass the custom backup user key to the script as a parameter: 
 
    ```HDBSQL
@@ -83,13 +100,26 @@ When a failover occurs, the users are replicated to the new primary, but *hdbuse
 
    You must provide the same HSR ID on both VMs/nodes. This ID must be unique within a vault. It should be an alphanumeric value containing at least one digit, one lowercase letter, and one uppercase character, and it should contain from 6 to 35 characters.
 
+   **Example**:
+
+   ```HDBSQL
+   - ./script.sh -sk SYSTEMKEY -bk USRBKP -hn HSRlab001 -p 39013
+   ```
+
 1. While you're running the preregistration script on the secondary node, you must specify the SDC/MDC port as input. This is because SQL commands to identify the SDC/MDC setup can't be run on the secondary node. You must provide the port number as a parameter, as shown here: 
 
    `-p PORT_NUMBER` or `–port_number PORT_NUMBER`.
 
    - For MDC, use the format `3<instancenumber>13`.
    - For SDC, use the format `3<instancenumber>15`.
 
+   **Example**:
+
+   ```HDBSQL
+   - MDC: ./script.sh -sk SYSTEMKEY -bk USRBKP -hn HSRlab001 -p 39013
+   - SDC: ./script.sh -sk SYSTEMKEY -bk USRBKP -hn HSRlab001 -p 39015
+   ```
+
 1. If your HANA setup uses private endpoints, run the preregistration script with the `-sn` or `--skip-network-checks` parameter. Ater the preregistration script has run successfully, proceed to the next steps.
 
 1. Run the SAP HANA backup configuration script (preregistration script) in the VMs where HANA is installed as the root user. This script sets up the HANA system for backup. For more information about the script actions, see the [What the preregistration script does](tutorial-backup-sap-hana-db.md#what-the-pre-registration-script-does) section.

articles/backup/sap-hana-faq-backup-azure-vm.yml

@@ -171,6 +171,20 @@ sections:
         answer: |
           During the backup operation, the *backup job* connects to three Service Endpoints - `AzureBackup`, `AzureStorage`, and `Microsoft Entra ID. In this scenario, we recommend you to configure the Service Endpoint to `AzureStorage`, which helps to send the traffic from the Virtual Network to the Storage directly. For Azure Backup and Microsoft Entra ID, you can configure UDR over service tags so that the traffic travels to backbone network instead of on-premises.    
 
+      - question: |
+          Why West US region node is showing under East US region Recovery Services vault?
+        answer: |
+           The Recovery Services vault shows all the nodes that are part of the SAP HANA System Replication. All the nodes are listed here as per the `hdbnsutil` output. However as per the expected behavior, only configured node in this vault is registered.  
+
+      - question: |
+          When a file starting with "hdbbackint" under "/var/tmp generated" and how it's used? 
+        answer: |
+          When you trigger the backup job using the `hdbbackint` Backint agent, it writes information to the `/var/tmp` directory. For example, if an error occurs during the backup process, the error message is written to a file in the `/var/tmp` directory. The file name gets created in the format `hdbbackint_<SID>.<random_string>`, where `<SID>` is the System ID of the SAP HANA instance and `<random_string>` is a randomly generated string.
+
+      - question: |
+          What happens if I delete the hdbbackint file in the /var/tmp?
+        answer: |
+          The backup process is not affected if you delete the `hdbbackint` file in the `/var/tmp` directory. However, it might remove any error messages that were written to the file during the backup process.  
 
   - name: Restore
     questions:

articles/backup/tutorial-sap-hana-restore-cli.md

@@ -2,7 +2,7 @@
 title: Tutorial - SAP HANA DB restore on Azure using CLI 
 description: In this tutorial, learn how to restore SAP HANA databases running on an Azure VM from an Azure Backup Recovery Services vault using Azure CLI.
 ms.topic: tutorial
-ms.date: 07/30/2024
+ms.date: 10/01/2024
 ms.custom: devx-track-azurecli,engagement-fy24
 ms.service: azure-backup
 author: AbhishekMallick-MS
@@ -92,8 +92,8 @@ arvind@Azure:~$
 
 Ensure that the following prerequisites are met before restoring a database:
 
-* You can restore the database only to an SAP HANA instance that's in the same region
-* The target instance must be registered with the same vault as the source
+* You can restore the database only to an SAP HANA instance that's in the same region.
+* The target instance must be registered with the same vault as the source or another vault in the same region.
 * Azure Backup can't identify two different SAP HANA instances on the same VM. Therefore, restoring data from one instance to another on the same VM isn't possible.
 
 ## Restore a database

articles/hdinsight/TOC.yml

@@ -387,6 +387,8 @@ items:
       href: ./hdinsight-hadoop-collect-debug-heap-dump-linux.md
     - name: Get help on the Microsoft Q&A question page
       href: /answers/topics/azure-hdinsight.html
+    - name: Preview features
+      href: ./what-are-preview-features.md
     - name: Pricing calculator
       href: https://azure.microsoft.com/pricing/calculator/
     - name: Windows tools for HDInsight

articles/hdinsight/what-are-preview-features.md

@@ -0,0 +1,34 @@
+---
+title: What are preview features in Azure HDInsight?
+description: Learn what preview features are and how to identify them in Azure HDInsight.
+ms.service: azure-hdinsight
+ms.date: 07/10/2024
+ms.topic: conceptual
+---
+
+# What are preview features? 
+
+This article describes what preview features are, what limitations apply to them, and how to identify them. 
+
+Preview features are features that aren't complete but are made available on a **preview** basis so that customers can get early access and provide feedback. 
+
+Preview features come with some disclaimers. Preview features:
+
+* Are subject to separate [Supplemental Terms of Use](https://www.microsoft.com/business-applications/legal/supp-powerplatform-preview/).
+
+* Aren't meant for production use.
+
+* Aren't supported by Microsoft Support for production use. Microsoft Support is, however, eager to get your feedback on the preview functionality, and might provide best-effort support in certain cases. 
+
+* May have limited or restricted functionality.
+
+* May not be available in all geographic areas.
+
+## How to identify a preview feature
+
+These features have a **Preview** label in the documentation.
+
+## Next steps
+
+* [Azure HDInsight release notes](./hdinsight-release-notes.md)
+

articles/private-link/rbac-permissions.md

@@ -30,16 +30,16 @@ Microsoft.Network and the specific resource provider you are deploying, for exam
 
 ## Private endpoint
 
-This section lists the granular permissions required to deploy a private endpoint.
+This section lists the granular permissions required to deploy a private endpoint, manage [private endpoint subnet policies](../private-link/disable-private-endpoint-network-policy.md), and deploy dependent resources
 
 | Action                                                              | Description                                                                      |
 | ---------                                                           | -------------                                                                 |
 | Microsoft.Resources/deployments/*                                   | Create and manage a deployment                                                |
 | Microsoft.Resources/subscriptions/resourcegroups/resources/read     | Read the resources for the resource group                                     |
 | Microsoft.Network/virtualNetworks/read                              | Read the virtual network definition                                            |
 | Microsoft.Network/virtualNetworks/subnets/read                      | Read a virtual network subnet definition                                      |
-| Microsoft.Network/virtualNetworks/subnets/write                     | Creates a virtual network subnet or updates an existing virtual network subnet|
-| Microsoft.Network/virtualNetworks/subnets/join/action               | Joins a virtual network                                                       |
+| Microsoft.Network/virtualNetworks/subnets/write                     | Creates a virtual network subnet or updates an existing virtual network subnet. <br/> *Not explicitly needed to deploy a private endpoint, but necessary for managing private endpoint subnet policies* |
+| Microsoft.Network/virtualNetworks/subnets/join/action               | Allow a private endpoint to join a virtual network                              |
 | Microsoft.Network/privateEndpoints/read                             | Read a private endpoint resource                                             |
 | Microsoft.Network/privateEndpoints/write                            | Creates a new private endpoint, or updates an existing private endpoint       |
 | Microsoft.Network/locations/availablePrivateEndpointTypes/read      | Read available private endpoint resources                                     |
@@ -78,22 +78,22 @@ Here is the JSON format of the above permissions. Input your own roleName, descr
 
 ## Private link service
 
-This section lists the granular permissions required to deploy a private link service.
+This section lists the granular permissions required to deploy a private link service, manage [private link service subnet policies](../private-link/disable-private-link-service-network-policy.md), and deploy dependent resources
 
 | Action | Description   |
 | --------- | ------------- |
 | Microsoft.Resources/deployments/*                                   | Create and manage a deployment                                                |
 | Microsoft.Resources/subscriptions/resourcegroups/resources/read     | Read the resources for the resource group                                     |
 | Microsoft.Network/virtualNetworks/read                              | Read the virtual network definition                                            |
 | Microsoft.Network/virtualNetworks/subnets/read                      | Read a virtual network subnet definition                                      |
-| Microsoft.Network/virtualNetworks/subnets/write                     | Creates a virtual network subnet or updates an existing virtual network subnet|
-| Microsoft.Network/privateLinkServices/read | Read a private link service resource|
-| Microsoft.Network/privateLinkServices/write | Creates a new private link service, or updates an existing private link service|
+| Microsoft.Network/virtualNetworks/subnets/write                     | Creates a virtual network subnet or updates an existing virtual network subnet. <br/> *Not explicitly needed to deploy a private link service, but necessary for managing private link subnet policies* |
+| Microsoft.Network/privateLinkServices/read                          | Read a private link service resource|
+| Microsoft.Network/privateLinkServices/write                         | Creates a new private link service, or updates an existing private link service|
 | Microsoft.Network/privateLinkServices/privateEndpointConnections/read | Read a private endpoint connection definition |
 | Microsoft.Network/privateLinkServices/privateEndpointConnections/write | Creates a new private endpoint connection, or updates an existing private endpoint connection|
-| Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group |
-| Microsoft.Network/loadBalancers/read | Read a load balancer definition |
-| Microsoft.Network/loadBalancers/write | Creates a load balancer or updates an existing load balancer |
+| Microsoft.Network/networkSecurityGroups/join/action                 | Joins a network security group |
+| Microsoft.Network/loadBalancers/read                                | Read a load balancer definition |
+| Microsoft.Network/loadBalancers/write                               | Creates a load balancer or updates an existing load balancer |
 
 ```JSON
 {
@@ -136,7 +136,7 @@ Typically, a network administrator creates a private endpoint. Depending on your
 
 |Approval method     |Minimum RBAC permissions  |
 |---------|---------|
-|Automatic     | `Microsoft.Network/virtualNetworks/**`<br/>`Microsoft.Network/virtualNetworks/subnets/**`<br/>`Microsoft.Network/privateEndpoints/**`<br/>`Microsoft.Network/networkinterfaces/**`<br/>`Microsoft.Network/locations/availablePrivateEndpointTypes/read`<br/>`Microsoft.ApiManagement/service/**`<br/>`Microsoft.ApiManagement/service/privateEndpointConnections/**`        |
+|Automatic     | `Microsoft.Network/virtualNetworks/**`<br/>`Microsoft.Network/virtualNetworks/subnets/**`<br/>`Microsoft.Network/privateEndpoints/**`<br/>`Microsoft.Network/networkinterfaces/**`<br/>`Microsoft.Network/locations/availablePrivateEndpointTypes/read`<br/>|
 |Manual     | `Microsoft.Network/virtualNetworks/**`<br/>`Microsoft.Network/virtualNetworks/subnets/**`<br/>`Microsoft.Network/privateEndpoints/**`<br/>`Microsoft.Network/networkinterfaces/**`<br/>`Microsoft.Network/locations/availablePrivateEndpointTypes/read`           |
 
 ## Next steps