Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into us436816-vnet-security-horizontal

Author: asudbring

.openpublishing.redirection.json

@@ -6978,6 +6978,26 @@
       "source_path": "articles/defender-for-iot/organizations/eiot-sensor.md",
       "redirect_url": "/azure/defender-for-iot/organizations/concept-enterprise",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/cyclecloud/release-notes/ccws/2024.09.18.md",
+      "redirect_url": "/azure/cyclecloud/release-notes/ccws/2024-09-18",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/cyclecloud/release-notes/ccws/2024.11.08.md",
+      "redirect_url": "/azure/cyclecloud/release-notes/ccws/2024-11-08",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/cyclecloud/release-notes/ccws/2024.12.18.md",
+      "redirect_url": "/azure/cyclecloud/release-notes/ccws/2024-12-18",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/cyclecloud/release-notes/ccws/2025.02.06.md",
+      "redirect_url": "/azure/cyclecloud/release-notes/ccws/2025-02-06",
+      "redirect_document_id": false
     }
   ]
 }

articles/api-management/configure-custom-domain.md

@@ -7,7 +7,7 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 05/09/2025
+ms.date: 05/30/2025
 ms.author: danlep
 ms.custom:
   - engagement-fy23
@@ -50,10 +50,10 @@ There are several API Management endpoints to which you can assign a custom doma
 | Endpoint | Default |
 | -------- | ----------- |
 | **Gateway** | Default is: `<apim-service-name>.azure-api.net`. Gateway is the only endpoint available for configuration in the Consumption tier.<br/><br/>The default Gateway endpoint configuration remains available after a custom Gateway domain is added. |
-| **Developer portal** | Default is: `<apim-service-name>.developer.azure-api.net` |
-| **Management** | Default is: `<apim-service-name>.management.azure-api.net` |
-| **Configuration API (v2)** | Default is: `<apim-service-name>.configuration.azure-api.net` |
-| **SCM** | Default is: `<apim-service-name>.scm.azure-api.net` |
+| **Developer portal** (all tiers except Consumption) | Default is: `<apim-service-name>.developer.azure-api.net` |
+| **Management** (classic tiers only) | Default is: `<apim-service-name>.management.azure-api.net` |
+| **Self-hosted gateway configuration API (v2)** | Default is: `<apim-service-name>.configuration.azure-api.net` |
+| **SCM** (classic tiers only) | Default is: `<apim-service-name>.scm.azure-api.net` |
 
 ### Considerations
 
@@ -62,6 +62,7 @@ There are several API Management endpoints to which you can assign a custom doma
 * Only API Management instance owners can use **Management** and **SCM** endpoints internally. These endpoints are less frequently assigned a custom domain name.
 * The **Premium** and **Developer** tiers support setting multiple hostnames for the **Gateway** endpoint.
 * Wildcard domain names, like `*.contoso.com`, are supported in all tiers except the Consumption tier. A specific subdomain certificate (for example, api.contoso.com) would take precedence over a wildcard certificate (*.contoso.com) for requests to api.contoso.com.
+* When configuing a custom domain for the **Developer portal**, you can [enable CORS](enable-cors-developer-portal.md) for the new domain name. This is needed for developer portal visitors to use the interactive console in the API reference pages.
 
 ## Domain certificate options
 

articles/api-management/configure-service-update-settings.md

@@ -15,15 +15,15 @@ ms.author: danlep
 
 This article shows you how to configure *service update* settings (preview) in your API Management instance. Azure periodically applies service updates automatically to API Management instances, using a phased rollout approach. These updates include new features, security enhancements, and reliability improvements. 
 
-You can't control exactly when Azure updates each API Management instance, but in select service tiers you can choose an *update group* for your instance so that it receives updates earlier or later than it usually would during an update rollout. You can also configure a *maintenance window* during the day when you want your instance to receive updates. 
+You can't control exactly when Azure updates each API Management instance, but in select service tiers you can choose an *update group* (also called a *release channel*) for your instance so that it receives updates earlier or later than it usually would during an update rollout. You can also configure a *maintenance window* during the day when you want your instance to receive updates. 
 
 * **Update group** - A set of instances that receive API Management service updates during a production rollout, which can take from several days to several weeks to complete. 
 
     Choose from:
     * **Early** - Receive updates early in the rollout, for testing and early access to new features. This option is not recommended for production deployments.
     * **Default** - Receive updates as part of the regular release rollout. This option is recommended for most services, including production deployments.
     * **Late** - Receive updates later than the previous groups, typically weeks after the initial rollout. This option is recommended for mission-critical deployments only.
-    * **AI Gateway Early** (GenAI release) - Get early access to the latest [AI gateway features and updates](genai-gateway-capabilities.md) before they reach other update groups. Receive other service updates as part of the **Late** rollout group.
+    * **AI Gateway Early** (GenAI release channel) - Get early access to the latest [AI gateway features and updates](genai-gateway-capabilities.md) before they reach other update groups. Receive other service updates as part of the **Late** rollout group.
 
     > [!NOTE]
     > Azure deploys all updates using a [safe deployment practices (SDP) framework](https://azure.microsoft.com/blog/advancing-safe-deployment-practices/). Updates released early in a rollout might be less stable and replaced later by stable releases. All instances are eventually updated to the most stable release builds.

articles/api-management/enable-cors-developer-portal.md

@@ -6,19 +6,20 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 12/22/2023
+ms.date: 05/30/2025
 ms.author: danlep
 ---
 
 # Enable CORS for interactive console in the API Management developer portal 
+
+[!INCLUDE [premium-dev-standard-basic-premiumv2-standarv2-basicv2.md](../../includes/api-management-availability-premium-dev-standard-basic-premiumv2-standardv2-basicv2.md)]
+
 Cross-origin resource sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. 
 
 To let visitors to the API Management [developer portal](developer-portal-overview.md) use the interactive test console in the API reference pages, enable a [CORS policy](cors-policy.md) for APIs in your API Management instance. If the developer portal's domain name isn't an allowed origin for cross-domain API requests, test console users will see a CORS error.  
 
 For certain scenarios, you can configure the developer portal as a CORS proxy instead of enabling a CORS policy for APIs.
 
-[!INCLUDE [premium-dev-standard-basic.md](../../includes/api-management-availability-premium-dev-standard-basic.md)]
-
 ## Prerequisites 
 
 + Complete the following quickstart: [Create an Azure API Management instance](get-started-create-service-instance.md)
@@ -41,7 +42,6 @@ You can enable a setting to configure a CORS policy automatically for all APIs i
 
 ![Screenshot that shows where to check status of your CORS policy in the developer portal.](media/enable-cors-developer-portal/cors-azure-portal.png)
 
-
 ### Enable CORS policy manually
 
 1. Select the **Manually apply it on the global level** link to see the generated policy code.
@@ -57,6 +57,12 @@ You can enable a setting to configure a CORS policy automatically for all APIs i
 >
 > As a workaround, you can pass the subscription key in a query parameter.
 
+## CORS configuration for custom domain name
+
+If you configure a [custom domain](configure-custom-domain.md) for the developer portal and want visitors to use the test console on API reference pages, ensure that you enable CORS for the custom developer portal domain name.
+
+When configuring the custom domain, you can enable a setting to add an origin for your custom developer portal domain in the CORS policy. If CORS was already enabled for the default domain, both origins will be included in the CORS policy. You can change the CORS policy settings anytime.
+
 ## CORS proxy option
 
 For some scenarios (for example, if the API Management gateway is network isolated), you can choose to configure the developer portal as a CORS proxy itself, instead of enabling a CORS policy for your APIs. The CORS proxy routes the interactive console's API calls through the portal's backend in your API Management instance.
@@ -84,4 +90,4 @@ If you [self-host](developer-portal-self-host.md) the developer portal, the foll
 ## Related content
 
 * For more information about configuring a policy, see [Set or edit policies](set-edit-policies.md).
-* For details about the CORS policy, see the [cors](cors-policy.md) policy reference.
+* For details about the CORS policy, see the [cors](cors-policy.md) policy reference.

articles/api-management/genai-gateway-capabilities.md

@@ -126,6 +126,7 @@ To help safeguard users from harmful, offensive, or misleading content, you can
 ## Labs and samples
 
 * [Labs for the AI gateway capabilities of Azure API Management](https://github.com/Azure-Samples/ai-gateway)
+* [AI gateway workshop](https://aka.ms/ai-gateway/workshop)
 * [Azure API Management (APIM) - Azure OpenAI Sample (Node.js)](https://github.com/Azure-Samples/genai-gateway-apim)
 * [Python sample code for using Azure OpenAI with API Management](https://github.com/Azure-Samples/openai-apim-lb/blob/main/docs/sample-code.md)
 

articles/app-service/app-service-hybrid-connections.md

@@ -1,11 +1,11 @@
 ---
 title: Hybrid connections in Azure App Service
 description: Learn how to create and use hybrid connections in Azure App Service to access resources in disparate networks. 
-author: madsd
+author: seligj95
 ms.assetid: 66774bde-13f5-45d0-9a70-4e9536a4f619
 ms.topic: article
-ms.date: 05/06/2025
-ms.author: madsd
+ms.date: 06/04/2025
+ms.author: jordanselig
 ms.custom:
   - "UpdateFrequency3, fasttrack-edit"
   - build-2025
@@ -56,7 +56,7 @@ Things you can't do with Hybrid Connections include:
 
 ## Add and Create Hybrid Connections in your app
 
-To create a Hybrid Connection:
+To create a Hybrid Connection in the Azure portal:
 
 1. In the [Azure portal], select your app. Select **Settings** > **Networking**.
 1. Next to **Hybrid connections**, select the **Not configured** link. Here you can see the Hybrid Connections that are configured for your app.
@@ -84,6 +84,23 @@ When a Hybrid Connection is added to your app, you can see details on it simply
 
 :::image type="content" source="media/app-service-hybrid-connections/hybrid-connections-properties.png" alt-text="Screenshot of Hybrid connections details.":::
 
+### Create a Hybrid Connection in ARM/Bicep
+
+To create a Hybrid Connection using an ARM/Bicep template, add the following resource to your existing template. You must include the `userMetadata` to have a valid Hybrid Connection. If you don't include the `userMetadata`, the Hybrid Connection doesn't work. If you create the Hybrid Connection in the Azure portal, this property is automatically filled in for you.
+
+The `userMetadata` property should be a string representation of a JSON array in the format `[{"key": "endpoint", "value : "host:port"}]`. The following Bicep template has a sample for this property. For more information, see [Microsoft.Relay namespaces/hybridConnections](/azure/templates/microsoft.relay/namespaces/hybridconnections).
+
+```bicep
+resource hybridConnection 'Microsoft.Relay/namespaces/hybridConnections@2024-01-01' = {
+  parent: relayNamespace
+  name: hybridConnectionName
+  properties: {
+    requiresClientAuthorization: true
+    userMetadata: '[{"key": "endpoint", "value : "<HOST>:<PORT>"}]'
+  }
+}
+```
+
 ### Create a Hybrid Connection in the Azure Relay portal
 
 In addition to the portal experience from within your app, you can create Hybrid Connections from within the Azure Relay portal. For a Hybrid Connection to be used by App Service, it must:

articles/app-service/app-service-ip-restrictions.md

@@ -13,8 +13,6 @@ ms.assetid: 3be1f4bd-8a81-4565-8a56-528c037b24bd
 ---
 # Set up Azure App Service access restrictions
 
-[!INCLUDE [regionalization-note](./includes/regionalization-note.md)]
-
 When you set up access restrictions, you can define a priority-ordered allow/deny list that controls network access to your app. The list can include IP addresses or Azure Virtual Network subnets. When there are one or more entries, an implicit *deny all* exists at the end of the list. For more information, see [Azure App Service access restrictions](./overview-access-restrictions.md).
 
 The access restriction capability works with all Azure App Service-hosted workloads. The workloads can include web apps, API apps, Linux apps, Linux custom containers, and Azure Functions apps.

articles/app-service/app-service-key-vault-references.md

@@ -14,8 +14,6 @@ ms.custom: AppServiceConnectivity
 
 This article shows you how to use secrets from Azure Key Vault as values of [app settings](configure-common.md#configure-app-settings) or [connection strings](configure-common.md#configure-connection-strings) in your Azure App Service or Azure Functions apps.
 
-[!INCLUDE [regionalization-note](./includes/regionalization-note.md)]
-
 [Key Vault](/azure/key-vault/general/overview) is a service that provides centralized secrets management, with full control over access policies and audit history. When an app setting or connection string is a Key Vault reference, your application code can use it like any other app setting or connection string. This way, you can maintain secrets apart from your app's configuration. App settings are securely encrypted at rest, but if you need capabilities for managing secrets, they should go into a key vault.
 
 ## Grant your app access to a key vault

articles/app-service/app-service-plan-manage.md

@@ -12,8 +12,6 @@ ms.custom: "UpdateFrequency3"
 ---
 # Manage an App Service plan in Azure
 
-[!INCLUDE [regionalization-note](./includes/regionalization-note.md)]
-
 An [Azure App Service plan](overview-hosting-plans.md) provides the resources that an App Service app needs to run. This guide shows how to manage an App Service plan.
 
 ## Create an App Service plan
@@ -38,7 +36,7 @@ You can create an empty App Service plan, or you can create a plan as part of ap
 6. Select **Review + create** to create the App Service plan.
 
 > [!IMPORTANT]
-> When you create an new App Service plan in an existing resource group, certain conditions with existing apps can trigger these errors:
+> When you create a new App Service plan in an existing resource group, certain conditions with existing apps can trigger these errors:
 > - `The pricing tier is not allowed in this resource group`
 > - `<SKU_NAME> workers are not available in resource group <RESOURCE_GROUP_NAME>`
 > 

articles/app-service/app-service-web-tutorial-custom-domain.md

@@ -13,8 +13,6 @@ author: msangapu-msft
 
 # Set up an existing custom domain in Azure App Service
 
-[!INCLUDE [regionalization-note](./includes/regionalization-note.md)]
-
 [Azure App Service](overview.md) provides a highly scalable, self-patching web hosting service. This guide shows you how to map an existing custom Domain Name System (DNS) name to App Service. To migrate a live site and its DNS domain name to App Service with no downtime, see [Migrate an active DNS name to Azure App Service](manage-custom-dns-migrate-domain.md).
 
 The DNS record type you need to add with your domain provider depends on the domain you want to add to App Service.
@@ -110,7 +108,7 @@ Create two records, as described in the following table:
 
 | Record type | Host | Value | Comments |
 | - | - | - |-|
-| CNAME | `<subdomain>` (for example, `www`) | `<app-name>.azurewebsites.net`. (See [the note at the start of this article](#dnl-note).) | The domain mapping itself. |
+| CNAME | `<subdomain>` (for example, `www`) | (See the value in the Azure portal **Overview** page for your app.) | The domain mapping itself. |
 | TXT | `asuid.<subdomain>` (for example, `asuid.www`) | The domain verification ID shown in the **Add custom domain** dialog. | App Service accesses the `asuid.<subdomain>` TXT record to verify your ownership of the custom domain. |
 
 ![Screenshot that shows the portal navigation to an Azure app.](./media/app-service-web-tutorial-custom-domain/cname-record.png)
@@ -121,7 +119,7 @@ For a wildcard name, like `*` in `*.contoso.com`, create two records, as describ
 
 | Record type | Host | Value | Comments |
 | - | - | - | - |
-| CNAME | `*` | `<app-name>.azurewebsites.net`. (See [the note at the start of this article](#dnl-note).) | The domain mapping itself. |
+| CNAME | `*` | (See the value in the Azure portal **Overview** page for your app.) | The domain mapping itself. |
 | TXT | `asuid` | The domain verification ID shown in the **Add custom domain** dialog. | App Service accesses the `asuid` TXT record to verify your ownership of the custom domain. |
 
 ![Screenshot that shows the navigation to an Azure app.](./media/app-service-web-tutorial-custom-domain/cname-record-wildcard.png)