Merge branch 'main' into md-arm-parameters

Author: ManikaDhiman

AKS-Arc/aks-hci-network-system-requirements.md

@@ -2,11 +2,11 @@
 title: AKS enabled by Azure Arc network requirements
 description: Learn about AKS network prerequisites.
 ms.topic: overview
-ms.date: 04/23/2025
+ms.date: 07/02/2025
 author: sethmanheim
 ms.author: sethm
-ms.reviewer: abha
-ms.lastreviewed: 04/02/2024
+ms.reviewer: srikantsarwa
+ms.lastreviewed: 07/10/2025
 ---
 
 # AKS enabled by Azure Arc network requirements
@@ -42,7 +42,7 @@ The following parameters are required in order to use a logical network for AKS
 
 ### Control plane IP
 
-Kubernetes uses a control plane to ensure every component in the Kubernetes cluster is kept in the desired state. The control plane also manages and maintains the worker nodes that hold the containerized applications. AKS enabled by Arc deploys the KubeVIP load balancer to ensure that the API server IP address of the Kubernetes control plane is available at all times. This KubeVIP instance requires a single immutable "control plane IP address" to function correctly. AKS Arc automatically chooses a control plane IP for you from the logical network passed during the Kubernetes cluster create operation.
+Kubernetes uses a control plane to ensure every component in the Kubernetes cluster is kept in the desired state. The control plane also manages and maintains the worker nodes that hold the containerized applications. AKS enabled by Arc deploys the KubeVIP load balancer to ensure that the API server IP address of the Kubernetes control plane is always available. This KubeVIP instance requires a single immutable "control plane IP address" to function correctly. AKS Arc automatically chooses a control plane IP for you from the logical network passed during the Kubernetes cluster create operation.
 
 You also have the option of passing a control plane IP. In such cases, the control plane IP must be within the scope of the address prefix of the logical network. You must ensure that the control plane IP address does not overlap with anything else, including Arc VM logical networks, infrastructure network IPs, load balancers, etc. Overlapping IP addresses can lead to unexpected failures for both the AKS cluster and any other place the IP address is being used. You must plan to reserve one IP address per Kubernetes cluster in your environment.
 
@@ -73,7 +73,7 @@ Firewall requirements for AKS have been consolidated with Azure Local firewall r
 
 ## DNS server settings
 
-You need to ensure that the DNS server of the logical network can resolve the FQDN of the Azure Local cluster. DNS name resolution is required for all Azure Local nodes to be able to communicate with the AKS VM nodes. 
+You need to ensure that the DNS server of the logical network can resolve the FQDN of the Azure Local cluster. DNS name resolution is required for all Azure Local nodes to be able to communicate with the AKS VM nodes.
 
 ## Network port and cross-VLAN requirements
 

AKS-Arc/ssh-connect-to-windows-and-linux-worker-nodes.md

@@ -1,7 +1,7 @@
 ---
 title: Connect to Windows or Linux worker nodes with SSH
 description: Learn how to use SSH to connect to Windows or Linux worker nodes in an AKS Arc cluster.
-ms.date: 07/02/2025
+ms.date: 07/10/2025
 ms.topic: how-to
 author: sethmanheim
 ms.author: sethm
@@ -39,6 +39,8 @@ You can use the Kubernetes CLI, [**kubectl**](https://kubernetes.io/docs/referen
   Install-AzAksCliTool
   ```
 
+---
+
 ## Use SSH to connect to worker nodes
 
 1. To access the Kubernetes cluster with the specified permissions, you must retrieve the certificate-based admin **kubeconfig** file using the [az aksarc get-credentials](/cli/azure/aksarc#az-aksarc-get-credentials) command. For more information, see [Retrieve certificate-based admin kubeconfig](retrieve-admin-kubeconfig.md):

azure-local/concepts/physical-network-requirements.md

@@ -192,19 +192,26 @@ If your switch isn't included, contact your switch vendor to ensure that your sw
 
 |Model |Firmware| Management | Storage | Compute (Standard)| Compute (SDN)|
 |-----  |---| :-:  | :-:  | :-:   | :-:   |
-| [QFX5120 series](https://www.juniper.net/content/dam/www/assets/datasheets/us/en/switches/qfx5120-ethernet-switch-datasheet.pdf) <br>(10, 25, 100 GbE) |Junos 23.4R2.13 or later|&check;| &check;| &check;| &check; |
+| [QFX5220 series](https://www.juniper.net/content/dam/www/assets/datasheets/us/en/switches/qfx5220-switch-datasheet.pdf)<br>(100, 400 GbE) |Junos 20.2R3-S2 or later|&check;| &check;| &check;| &check; |
+| [QFX5210 series](https://www.juniper.net/content/dam/www/assets/datasheets/us/en/switches/qfx5210-switch-datasheet.pdf) <br>(25, 100 GbE) |Junos 23.4R2-S4.11 or later|&check;| &check;| &check;| &check; |
+| [QFX5200 series](https://www.juniper.net/content/dam/www/assets/datasheets/us/en/switches/qfx5200-switch-datasheet.pdf) <br>(10, 25, 100 GbE) |Junos 23.4R2-S4.11 or later	|&check;| &check;| &check;| &check; |
+| [QFX5130 series](https://www.juniper.net/content/dam/www/assets/datasheets/us/en/switches/qfx5130-switch.pdf) <br>(400 GbE)|Junos 20.2R3-S2 or later|&check;| &check;| &check;| &check; |
+| [QFX5120 series](https://www.juniper.net/content/dam/www/assets/datasheets/us/en/switches/qfx5120-ethernet-switch-datasheet.pdf) <br>(10, 25, 100 GbE) |Junos 23.4R2-S4.11 or later	|&check;| &check;| &check;| &check; |
+| [QFX5110 series](https://www.juniper.net/content/dam/www/assets/datasheets/us/en/switches/qfx5110-ethernet-switch-datasheet.pdf) <br>(10 GbE) |Junos 23.4R2-S4.11 or later|&check;| &check;| &check;| &check; |
+
 > [!NOTE]
 > Guest RDMA requires both Compute (Standard) and Storage.
 ### 23H2
 
-|Model |Firmware|Management |Storage |Compute (Standard)|Compute (SDN)|
+|Model |Firmware| Management | Storage | Compute (Standard)| Compute (SDN)|
 |-----  |---| :-:  | :-:  | :-:   | :-:   |
-| [QFX5110 series](https://www.juniper.net/assets/es/es/local/pdf/datasheets/1000605-en.pdf) <br>(10 GbE) |Junos 20.2R3-S2 or later|&check;| &check;| &check;| &check; |
-| [QFX5120 series](https://www.juniper.net/content/dam/www/assets/datasheets/us/en/switches/qfx5120-ethernet-switch-datasheet.pdf) <br>(10, 25, 100 GbE) |Junos 20.2R3-S2 or later|&check;| &check;| &check;| &check; |
-| [QFX5130 series](https://www.juniper.net/content/dam/www/assets/datasheets/us/en/switches/qfx5130-switch.pdf) <br>(400 GbE)|Junos 20.2R3-S2 or later|&check;| &check;| &check;| &check; |
-| [QFX5200 series](https://www.juniper.net/content/dam/www/assets/datasheets/us/en/switches/qfx5200-switch-datasheet.pdf)<br>(10, 25, 100 GbE)|Junos 20.2R3-S2 or later |&check;| &check;| &check;| &check; |
-| [QFX5210 series](https://www.juniper.net/content/dam/www/assets/datasheets/us/en/switches/qfx5210-switch-datasheet.pdf)<br>(25, 100 GbE) |Junos 20.2R3-S2 or later|&check;| &check;| &check;| &check; |
 | [QFX5220 series](https://www.juniper.net/content/dam/www/assets/datasheets/us/en/switches/qfx5220-switch-datasheet.pdf)<br>(100, 400 GbE) |Junos 20.2R3-S2 or later|&check;| &check;| &check;| &check; |
+| [QFX5210 series](https://www.juniper.net/content/dam/www/assets/datasheets/us/en/switches/qfx5210-switch-datasheet.pdf) <br>(25, 100 GbE) |Junos 23.4R2-S4.11 or later|&check;| &check;| &check;| &check; |
+| [QFX5200 series](https://www.juniper.net/content/dam/www/assets/datasheets/us/en/switches/qfx5200-switch-datasheet.pdf) <br>(10, 25, 100 GbE) |Junos 23.4R2.13 or later|&check;| &check;| &check;| &check; |
+| [QFX5130 series](https://www.juniper.net/content/dam/www/assets/datasheets/us/en/switches/qfx5130-switch.pdf) <br>(400 GbE)|Junos 20.2R3-S2 or later|&check;| &check;| &check;| &check; |
+| [QFX5120 series](https://www.juniper.net/content/dam/www/assets/datasheets/us/en/switches/qfx5120-ethernet-switch-datasheet.pdf) <br>(10, 25, 100 GbE) |Junos 23.4R2.13 or later|&check;| &check;| &check;| &check; |
+| [QFX5110 series](https://www.juniper.net/content/dam/www/assets/datasheets/us/en/switches/qfx5110-ethernet-switch-datasheet.pdf) <br>(10 GbE) |Junos 23.4R2-S4.11 or later|&check;| &check;| &check;| &check; |
+
 > [!NOTE]
 > Guest RDMA requires both Compute (Standard) and Storage.
 

azure-local/concepts/sdn-overview.md

@@ -59,7 +59,7 @@ Here's a summary of unsupported scenarios for SDN enabled by Arc on Azure Local:
 |Multiple NICs     | Scenarios that require multiple NICs simultaneously aren't supported.        |
 |AKS workloads     | AKS workloads aren't supported.      |
 |Disaster recovery     | Disaster recovery support isn't available.      |
-
+|Multi-cast workloads     | Multi-cast workloads aren't supported.      |
 
 ## Supported networking patterns for SDN enabled by Arc
 

azure-local/deploy/deployment-arc-register-server-permissions.md

@@ -1,9 +1,9 @@
 --- 
 title: Register your Azure Local machines with Azure Arc and assign permissions for deployment 
-description: Learn how to Register your Azure Local machines with Azure Arc and assign permissions for deployment. 
+description: Learn how to register your Azure Local machines with Azure Arc and assign permissions for deployment. 
 author: alkohli
 ms.topic: how-to
-ms.date: 05/06/2025
+ms.date: 06/09/2025
 ms.author: alkohli
 ms.service: azure-local
 ms.custom: devx-track-azurepowershell

azure-local/includes/hci-download-vhdx-2.md

@@ -3,26 +3,16 @@ author: alkohli
 ms.author: alkohli
 ms.service: azure-local
 ms.topic: include
-ms.date: 05/29/2025
+ms.date: 07/08/2025
 ---
 
 SDN uses a VHDX file containing either the Azure Stack HCI or Windows Server operating system (OS) as a source for creating the SDN virtual machines (VMs).
 
 > [!NOTE]
 > The version of the OS in your VHDX must match the version used by the Azure Local Hyper-V machines. This VHDX file is used by all SDN infrastructure components.
 
-[Download an English-language version of the VHDX file](https://aka.ms/PVvxVBVCVVC).
+Depending on the OS version, download one of the following VHDX files::
 
-Currently, a non-English VHDX file isn't available for download. If you require a non-English version, [download the corresponding ISO file](../deploy/download-23h2-software.md) and convert it to VHDX using the `Convert-WindowsImage` cmdlet. You must run this script from a Windows client computer. You'll probably need to run this script as Administrator and modify the execution policy for scripts using the `Set-ExecutionPolicy` command.
+- OS version 25398.xxxx: [Download an English-language version of the VHDX file](https://aka.ms/PVvxVBVCVVC).
+- OS version 26100.xxxx: [Download an English-language version of the VHDX file](https://aka.ms/AAvqy3y).
 
-The following syntax shows an example of using `Convert-WindowsImage`:
-
-```powershell
-Install-Module -Name Convert-WindowsImage
-Import-Module Convert-WindowsImage
-
-$wimpath = "E:\sources\install.wim"
-$vhdpath = "D:\temp\AzureStackHCI.vhdx"
-$edition=1
-Convert-WindowsImage -SourcePath $wimpath -Edition $edition -VHDPath $vhdpath -SizeBytes 500GB -DiskLayout UEFI
-```

azure-local/includes/hci-registration-azure-prerequisites.md

@@ -3,7 +3,7 @@ author: alkohli
 ms.author: alkohli
 ms.service: azure-local
 ms.topic: include
-ms.date: 04/30/2025
+ms.date: 06/09/2025
 ms.reviewer: alkohli
 ms.lastreviewed: 03/20/2025
 ---
@@ -25,10 +25,12 @@ ms.lastreviewed: 03/20/2025
    Register-AzResourceProvider -ProviderNamespace "Microsoft.HybridContainerService"
    Register-AzResourceProvider -ProviderNamespace "Microsoft.Attestation"
    Register-AzResourceProvider -ProviderNamespace "Microsoft.Storage"
+   Register-AzResourceProvider -ProviderNamespace "Microsoft.Insights"
    ```
 
     > [!NOTE]
-    > The assumption is that the person registering the Azure subscription with the resource providers is a different person than the one who is registering the Azure Local machines with Arc.
+    > - The assumption is that the person registering the Azure subscription with the resource providers is a different person than the one who is registering the Azure Local machines with Arc.
+   > - `Microsoft.Insights` resource provider is required for monitoring and logging. If this RP is not registered, the diagnostic account and Key Vault audit logging fails during validation.
 
 - **Create a resource group**. Follow the steps to [Create a resource group](/azure/azure-resource-manager/management/manage-resource-groups-portal#create-resource-groups) where you want to register your machines. Make a note of the resource group name and the associated subscription ID.
 

azure-local/includes/hci-vm-image-prerequisites-storage-account.md

@@ -3,7 +3,7 @@ author: alkohli
 ms.author: alkohli
 ms.service: azure-local
 ms.topic: include
-ms.date: 07/18/2024
+ms.date: 07/08/2025
 ---
 
 
@@ -16,4 +16,4 @@ ms.date: 07/18/2024
     - Make sure that you're uploading your VHD or VHDX as a page blob image into the Storage account. Only page blob images are supported to create VM images via the Storage account.
     - If using a VHDX: 
         - The VHDX image must be Gen 2 type and secure boot enabled.
-        - The VHDX image must be prepared using `sysprep /generalize /shutdown /oobe`. For more information, see [Sysprep command-line options](/windows-hardware/manufacture/desktop/sysprep-command-line-options?view=windows-11#oobe&preserve-view=true).
+        - The VHDX image must be prepared using `sysprep /generalize /shutdown /oobe`. For more information, see [Sysprep command-line options](/windows-hardware/manufacture/desktop/sysprep-command-line-options?view=windows-11#oobe&preserve-view=true). This is true for both Windows and Linux VM images.

azure-local/manage/manage-data-disks.md

@@ -3,7 +3,7 @@ title: Download Azure managed disk to Azure Local
 description: Learn how to download Azure managed disk to Azure Local.
 author: alkohli
 ms.topic: how-to
-ms.date: 04/09/2025
+ms.date: 06/27/2025
 ms.author: alkohli
 ms.service: azure-local
 ---
@@ -44,7 +44,7 @@ Download an Azure managed disk as follows:
 1. Once the SAS URL is generated, use the following command to download it to your Azure Local:  
 
     ```azurecli
-    az stack-hci-vm disk create -resource-group $resource-group --disk-file-format vhd --custom-location $custom-location --download-url $download-url --name $name
+    az stack-hci-vm disk create -resource-group $resource-group --custom-location $custom-location --download-url $download-url --name $name
     ```
 
 The parameters are described in the following table:
@@ -55,7 +55,6 @@ The parameters are described in the following table:
 | `resource-group` | Resource group for Azure Local that you associate with this image. |
 | `name` | Name of the data disk for Azure Local. | 
 | `custom-location` | Resource ID of the custom location for Azure Local. |
-| `disk-file-format` | File format of the data disk. This can be `vhd` or `vhdx`. |
 | `download-url` | SAS URL of the Azure managed disk.| 
 
 Here is an example output:

azure-local/manage/manage-network-security-groups.md

@@ -43,7 +43,7 @@ This article describes how to manage network security groups (NSGs) on your Azur
 
 ---
 
-*## Manage network securi*ty groups and network security rules
+## Manage network security groups and network security rules
 
 # [Azure CLI](#tab/azurecli)
 
@@ -140,7 +140,7 @@ Follow these steps to show details of a network security group:
     az stack-hci-vm network nsg show -g $resource_group --name $nsgname 
     ```
 
-2. The command outputs the details of a specified network security group (NSG).
+1. The command outputs the details of a specified network security group (NSG).
 
     - In this example, the NSG has no network interface attached.
 
@@ -233,7 +233,7 @@ Follow these steps to delete a network security group:
     $nsgname = "examplensg"
     ```
 
-2. Run the following command to delete a network security group (NSG) on your Azure Local instance.
+1. Run the following command to delete a network security group (NSG) on your Azure Local instance.
 
     ```azurecli
     az stack-hci-vm network nsg delete -g $resource_group --name $nsgname --yes
@@ -257,7 +257,7 @@ In this example, we create a network interface with an existing network security
     $nicname="examplenic" 
     ```
 
-2. Run the following command to create a network interface (NIC) on your Azure Local instance.
+1. Run the following command to create a network interface (NIC) on your Azure Local instance.
 
     ```azurecli
     az stack-hci-vm network nic create --resource-group $resource_group --custom-location $customLocationId --location $location --subnet-id $lnetname --ip-address $ipaddress --name $nicname --network-security-group $nsgname 
@@ -469,6 +469,7 @@ In this example,  we associate a static logical network with an existing network
 You can dissociate a network security group from a logical network. This dissociation allows you to remove the network security rules applied to the logical network.
 
 Follow these steps to dissociate a network security group from logical network:
+
 1. Set the following parameters in your Azure CLI session. Make sure to pass the NSG name as an empty string encased in double quotes followed by single quotes ('""').
 
     ```azurecli
@@ -478,6 +479,7 @@ Follow these steps to dissociate a network security group from logical network:
     $nsgname = '""'
     $lnetname="static-lnet3" 
     ```
+
 2. To dissociate a network security group from a logical network, run the following command:
 
     ```azurecli
@@ -575,7 +577,8 @@ Follow these steps to dissociate a network security group from logical network:
       "tags": {},
       "type": "microsoft.azurestackhci/logicalnetworks"
     }
-    ``` 
+    ```
+
     </details>
 
 ## Dissociate network security group from network interface
@@ -594,7 +597,7 @@ Follow these steps to dissociate a network security group from a network interfa
     $nicname ="examplenic" 
     ```
 
-2. To dissociate a network security group from a network interface, run the following command:
+1. To dissociate a network security group from a network interface, run the following command:
 
     ```azurecli
     az stack-hci-vm network nic update -g $resource_group --name $nicname --network-security-group '""'
@@ -676,8 +679,7 @@ This section describes the manage operations supported for network security rule
     $nsgname = "examplensg"
     ```
 
-2. Run this command to show details of a network security rule:
-
+1. Run this command to show details of a network security rule:
 
     ```azurecli
     az stack-hci-vm network nsg rule show -g $resource_group -n $securityrulename --nsg-name $nsgname
@@ -733,7 +735,6 @@ This section describes the manage operations supported for network security rule
 
 ### Update a network security rule
 
-
 1. Set the following parameters in your Azure CLI session.
 
     ```azurecli
@@ -967,7 +968,7 @@ To dissociate a network security group from a network interface, follow these st
 
 1. Go to **Azure Local resource page > Resources > Network interfaces**.
 
-    :::image type="content" source="./media/manage-network-security-groups/associate-network-security-group-network-interface-1.png" alt-text="Screenshot of selecting network interface to dissociate from the network security group." lightbox="./media/manage-network-security-groups/associate-network-security-group-network-interface-1.png"::: 
+    :::image type="content" source="./media/manage-network-security-groups/associate-network-security-group-network-interface-1.png" alt-text="Screenshot of selecting network interface to dissociate from the network security group." lightbox="./media/manage-network-security-groups/associate-network-security-group-network-interface-1.png":::
 
 1. In the right pane, from the list of network interfaces, select an interface that has a network security group attached to it.
 1. Go to **Settings > Network security groups**.
@@ -982,7 +983,6 @@ To dissociate a network security group from a network interface, follow these st
 The operation takes a few minutes to complete. You can see the status of the operation in the **Notifications** pane.
 After the network security group is dissociated from the network interface, the page refreshes to indicate the dissociation.
 
-
 ## List network security rules in a network security group
 
 To list network security rules in a network security group, follow these steps:
@@ -1004,12 +1004,10 @@ To update a network security rule, follow these steps:
 
 ---
 
-
 ## Next steps
 
 - [Troubleshoot SDN enabled by Arc](../index.yml).
 
-
 ::: moniker-end
 
 ::: moniker range="<=azloc-2505"