Commit 15454b2

Sync release-local-2504 with main
2 parents 69aa440 + a2ebb6f commit 15454b2

7 files changed

+74
-26
lines changed

AKS-Arc/TOC.yml

Lines changed: 3 additions & 1 deletion
@@ -33,9 +33,11 @@
3333
- name: High availability
3434
items:
3535
- name: Use availability sets
36-
href: availability-sets.md
36+
href: availability-sets.md
3737
- name: Supported scale requirements
3838
href: scale-requirements.md
39+
- name: Connectivity modes
40+
href: connectivity-modes.md
3941
- name: Billing
4042
items:
4143
- name: Pricing details
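
Review bot: The removed and added `href: availability-sets.md` lines at line 36 are textually identical in this view, so the change there is whitespace-only; confirm it is a deliberate trailing-whitespace or indentation fix and not an accidental re-indent. The new `Connectivity modes` entry on lines 39-40 appears to land in the `High availability` group after `Supported scale requirements`; check that it uses the same indentation as that sibling and that this is the section readers are expected to look in for a connectivity topic.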

AKS-Arc/connectivity-modes.md

Lines changed: 46 additions & 0 deletions
@@ -0,0 +1,46 @@
1+
---
2+
title: Connectivity modes in AKS Arc on Azure Local
3+
description: Learn about running AKS on Azure Local in disconnected and semi-connected mode.
4+
ms.topic: overview
5+
ms.date: 04/16/2025
6+
author: sethmanheim
7+
ms.author: sethm
8+
ms.reviewer: abha
9+
ms.lastreviewed: 04/08/2025
10+
ms.custom: conceptual
11+
12+
---
13+
14+
# Connectivity modes in AKS on Azure Local
15+
16+
AKS on Azure Local requires connectivity to Azure in order to use features such as Kubernetes cluster upgrades, and identity and access options such as Azure Entra ID. Also, Azure Arc agents on the AKS Arc cluster must remain connected to enable functionality such as [configuring (GitOps)](/azure/azure-arc/kubernetes/conceptual-gitops-flux2), Arc extensions, and [cluster connect](/azure/azure-arc/kubernetes/conceptual-cluster-connect). Since AKS on Azure Local clusters deployed at the edge might not always have stable network access, the Kubernetes cluster might occasionally be unable to reach Azure when it operates in a semi-connected state.
17+
18+
## Understand connectivity modes
19+
20+
When working with AKS on Azure Local clusters, it's important to understand how network connectivity modes impact your operations.
21+
22+
- **Fully connected**: With ongoing network connectivity, AKS and Arc agents can consistently communicate with Azure. In this mode, there is typically little delay with tasks such as scaling out your AKS Arc cluster, upgrading the Kubernetes version, propagating GitOps configurations, enforcing Azure Policy and Gatekeeper policies, or collecting workload metrics and logs in Azure Monitor.
23+
24+
- **Semi-connected**: Refers to a temporary loss of connectivity with Azure, which is supported for a duration of up to 30 days. This constraint is due to the 30-day validity period of certificates managed by AKS on Azure Local. If network connectivity is not restored within this timeframe, the AKS Arc cluster may cease to function. To maintain cluster operability, it is recommended that the AKS Arc cluster establish connectivity with Azure at least once every 30 days. Failure to do so may result in certificate expiration, requiring the cluster to be deleted and redeployed.
25+
26+
- **Disconnected**: We currently do not support running AKS on Azure Local in a disconnected environment beyond 30 days.
27+
28+
## Impact of semi-connected mode (temporary disconnection) on AKS on Azure Local operations
29+
30+
The connectivity status of a cluster is determined by the time of the latest heartbeat received from the Azure Arc agents deployed on the cluster.
31+
32+
| AKS operation | Impact of temporary disconnection | Details | Workaround |
33+
| ------------- | ---------------------------------- |---------|------------|
34+
| Creating, updating, upgrading, and deleting Kubernetes clusters | Not supported | Since Kubernetes CRUD operations are driven by Azure, you can't perform any CRUD operations while disconnected. | No supported workaround. |
35+
| Scaling the Kubernetes cluster | Partially supported | You can't manually scale an existing nodepool or add a new nodepool to the Kubernetes cluster. | Your Kubernetes cluster scales dynamically if you [enabled autoscalar](auto-scale-aks-arc.md) while creating the Kubernetes cluster. |
36+
| Access the Kubernetes cluster | Partially supported | You can't use [Azure Entra](enable-authentication-microsoft-entra-id.md) and `az connectedk8s proxy`, since they require connectivity to Azure. | [Retrieve admin kubeconfig](retrieve-admin-kubeconfig.md) to access the Kubernetes cluster. |
37+
| Viewing Kubernetes cluster status | Partially supported | You can't use the Azure portal or Azure Resource Manager APIs to view Kubernetes cluster status. | Use local tools such as [kubectl get](https://kubernetes.io/docs/reference/kubectl/quick-reference/#viewing-and-finding-resources). |
38+
| MetalLB Arc extension | Partially supported | Your load balancer continues working but you can't add or remove IP pools or update MetalLB configuration. | No supported workaround. |
39+
| AKS cluster and application observability | Partially supported | You can't use Container Insights and [create diagnostic settings using Container Insights](kubernetes-monitor-audit-events.md#create-a-diagnostic-setting), since they require connectivity to Azure. | Use [3rd party on-premises monitoring solutions](aks-monitor-logging.md). |
40+
| SSH into the Kubernetes VMs | Supported | You can SSH into Kubernetes VMs. | No workaround needed. |
41+
| Collect logs for troubleshooting | Supported | You can collect logs for troubleshooting issues. | No workaround needed. |
42+
43+
## Next steps
44+
45+
- [Azure Arc connectivity modes](/azure//azure-arc/kubernetes/conceptual-connectivity-modes)
46+
- [Create and manage Kubernetes clusters on-premises using Azure CLI](aks-create-clusters-cli.md)
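
Review bot: The "Access the Kubernetes cluster" row on line 36 gives the admin kubeconfig as the workaround when Entra sign-in and `az connectedk8s proxy` are unavailable, but the article says nothing about how that credential should be handled; add a sentence on who should hold it and on returning to Entra-based access once connectivity is restored. Smaller fixes in the same file: "autoscalar" on line 35 should be "autoscaler", the link on line 45 has a doubled slash (`/azure//azure-arc/...`), "Azure Entra ID" on line 16 and "Azure Entra" on line 36 should use the current product name, Microsoft Entra ID, and the front-matter `title` ("AKS Arc on Azure Local") doesn't match the H1 ("AKS on Azure Local"). The "Disconnected" bullet on line 26 also reads as if disconnection of up to 30 days were a separate supported mode; it would be clearer to state that disconnected operation isn't supported and point to the semi-connected 30-day limit.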

azure-local/hybrid-capabilities-with-azure-services-23h2.md

Lines changed: 4 additions & 4 deletions
@@ -4,7 +4,7 @@ description: This article describes the cloud service components of Azure Local,
44
ms.topic: overview
55
author: alkohli
66
ms.author: alkohli
7-
ms.date: 02/20/2025
7+
ms.date: 04/16/2025
88
ms.custom: e2e-hybrid
99
---
1010

@@ -18,7 +18,7 @@ Your on-premises Azure Local solution integrates with Azure cloud via several cl
1818

1919
## Azure Local cloud service
2020

21-
The Azure Local cloud service in Azure is a key part of the Azure Local product offering. It includes standard Azure components, such as a resource provider in Azure Resource Manager and a UI extension in the Azure portal. These components enable access to Azure Local functionality via familiar Azure tools and UX, such as [Azure portal](manage/azure-portal.md), [Azure PowerShell](/powershell/module/az.stackhci/?view=azps-7.2.0&preserve-view=true), and [Azure CLI](/cli/azure/stack-hci?view=azure-cli-latest&preserve-view=true). The Azure Local cloud service also enables contextual navigation from an Azure Local resource to its Arc servers and Arc virtual machines (VMs).
21+
The Azure Local cloud service in Azure is a key part of the Azure Local product offering. It includes standard Azure components, such as a resource provider in Azure Resource Manager and a UI extension in the Azure portal. These components enable access to Azure Local functionality via familiar Azure tools and UX, such as [Azure portal](manage/azure-portal.md), [Azure PowerShell](/powershell/module/az.stackhci/?view=azps-7.2.0&preserve-view=true), and [Azure CLI](/cli/azure/stack-hci?view=azure-cli-latest&preserve-view=true). The Azure Local cloud service also enables contextual navigation from an Azure Local resource to its Arc-enabled servers and Azure Local virtual machines (VMs) enabled by Azure Arc.
2222

2323
The Azure Local cloud service extends the hybrid capabilities for Azure Local by enabling the following cloud-based functionalities:
2424

@@ -50,11 +50,11 @@ Azure Arc simplifies governance and management by delivering a consistent manage
5050

5151
Azure Local delivers hybrid value through the following Azure Arc technologies:
5252

53-
- [**Arc machines.**](/azure/azure-arc/servers/overview) As part of the Azure Local deployment process, you must register every Azure Local that you intend to join with Azure Arc. For more information, see [Register your machines and assign permissions for Azure Local deployment](deploy/deployment-arc-register-server-permissions.md).
53+
- [**Arc-enabled servers.**](/azure/azure-arc/servers/overview) As part of the Azure Local deployment process, you must register every Azure Local that you intend to join with Azure Arc. For more information, see [Register your machines and assign permissions for Azure Local deployment](deploy/deployment-arc-register-server-permissions.md).
5454

5555
You can install, upgrade, and manage Azure Arc extensions on Azure Local to run hybrid services like monitoring and Windows Admin Center in the Azure portal. For more information, see [Azure Arc extension management on Azure Local](manage/arc-extension-management.md).
5656

57-
- **Arc VMs.** Azure Arc VM management lets you provision and manage Windows and Linux VMs hosted in an on-premises Azure Local environment. Administrators can manage Arc VMs on their Azure Local by using Azure management tools, including Azure portal, Azure CLI, Azure PowerShell, and Azure Resource Manager (ARM) templates. For more information, see [What is Azure Arc VM management?](manage/azure-arc-vm-management-overview.md).
57+
- **Azure Local VMs.** Azure Local VM management lets you provision and manage Windows and Linux VMs hosted in an on-premises Azure Local environment. Administrators can manage VMs on their Azure Local by using Azure management tools, including Azure portal, Azure CLI, Azure PowerShell, and Azure Resource Manager (ARM) templates. For more information, see [What is Azure Arc VM management?](manage/azure-arc-vm-management-overview.md).
5858

5959
- [**Azure Kubernetes Service (AKS) enabled by Arc.**](/azure/aks/hybrid/) AKS on Azure Local uses Azure Arc to create new Kubernetes clusters on Azure Local directly from Azure. It enables you to use familiar tools like the Azure portal, Azure CLI, and Azure Resource Manager templates to create and manage your Kubernetes clusters running on Azure Local. For more information, see [What's new in AKS on Azure Local](/azure/aks/hybrid/aks-whats-new-23h2).
6060
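
Review bot: On line 57 the bullet is renamed to "Azure Local VMs" but the link text still reads "What is Azure Arc VM management?", so the sentence now uses two names for the same feature; update the link text to match the new name. On line 53, "register every Azure Local that you intend to join" is missing a noun, probably "machine", and since the line is being edited anyway it can be fixed here.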

azure-local/includes/hci-create-a-vm-image.md

Lines changed: 2 additions & 2 deletions
@@ -3,7 +3,7 @@ author: ronmiab
33
ms.author: robess
44
ms.service: azure-local
55
ms.topic: include
6-
ms.date: 11/26/2024
6+
ms.date: 04/10/2025
77
---
88

99
Follow these steps using Azure CLI on your Azure Local to create the VM image from the VHDX you created earlier.
@@ -41,7 +41,7 @@ Follow these steps using Azure CLI on your Azure Local to create the VM image fr
4141
| `location` | Location for your Azure Local instance. For example, the location could be `eastus` or `westreurope`. |
4242
| `os-type` | Operating system associated with the source image. This system can be Windows or Linux. |
4343
44-
1. Use the VHDX of the VM to create a gallery image. Use this VM image to create Azure Arc virtual machines on Azure Local.
44+
1. Use the VHDX of the VM to create a gallery image. Use this VM image to create Azure Local VMs.
4545
4646
Make sure to copy the VHDX in user storage in the cluster shared volume of Azure Local. For example, the path could look like `C:\ClusterStorage\UserStorage_1\linuxvhdx`.
4747
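
Review bot: The context row for `location` on line 41 gives `westreurope` as an example region, which is a misspelling of `westeurope`; since this include is being touched, fix it here so readers don't copy an invalid region name.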

azure-local/includes/hci-registration-azure-prerequisites.md

Lines changed: 11 additions & 11 deletions
@@ -3,7 +3,7 @@ author: alkohli
33
ms.author: alkohli
44
ms.service: azure-local
55
ms.topic: include
6-
ms.date: 04/02/2025
6+
ms.date: 04/16/2025
77
ms.reviewer: alkohli
88
ms.lastreviewed: 03/20/2025
99
---
@@ -14,16 +14,16 @@ ms.lastreviewed: 03/20/2025
1414
Run the following [PowerShell commands](/azure/azure-resource-manager/management/resource-providers-and-types#azure-powershell) to register:
1515

1616
```powershell
17-
Register-ResourceProviderIfRequired -ProviderNamespace "Microsoft.HybridCompute"
18-
Register-ResourceProviderIfRequired -ProviderNamespace "Microsoft.GuestConfiguration"
19-
Register-ResourceProviderIfRequired -ProviderNamespace "Microsoft.HybridConnectivity"
20-
Register-ResourceProviderIfRequired -ProviderNamespace "Microsoft.AzureStackHCI"
21-
Register-ResourceProviderIfRequired -ProviderNamespace "Microsoft.Kubernetes"
22-
Register-ResourceProviderIfRequired -ProviderNamespace "Microsoft.KubernetesConfiguration"
23-
Register-ResourceProviderIfRequired -ProviderNamespace "Microsoft.ExtendedLocation"
24-
Register-ResourceProviderIfRequired -ProviderNamespace "Microsoft.ResourceConnector"
25-
Register-ResourceProviderIfRequired -ProviderNamespace "HybridContainerService"
26-
Register-ResourceProviderIfRequired -ProviderNamespace "Microsoft.Attestation"
17+
Register-ResourceProvider -ProviderNamespace "Microsoft.HybridCompute"
18+
Register-ResourceProvider -ProviderNamespace "Microsoft.GuestConfiguration"
19+
Register-ResourceProvider -ProviderNamespace "Microsoft.HybridConnectivity"
20+
Register-ResourceProvider -ProviderNamespace "Microsoft.AzureStackHCI"
21+
Register-ResourceProvider -ProviderNamespace "Microsoft.Kubernetes"
22+
Register-ResourceProvider -ProviderNamespace "Microsoft.KubernetesConfiguration"
23+
Register-ResourceProvider -ProviderNamespace "Microsoft.ExtendedLocation"
24+
Register-ResourceProvider -ProviderNamespace "Microsoft.ResourceConnector"
25+
Register-ResourceProvider -ProviderNamespace "Microsoft.HybridContainerService"
26+
Register-ResourceProvider -ProviderNamespace "Microsoft.Attestation"
2727
```
2828

2929
> [!NOTE]
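
Review bot: `Register-ResourceProvider` on lines 17-26 isn't defined anywhere in the visible lines, and the Azure PowerShell section linked on line 14 documents `Register-AzResourceProvider`. If `Register-ResourceProvider` is a helper provided elsewhere, name the module or script that defines it next to the block; otherwise use the Az cmdlet so the commands run as pasted. The `Microsoft.` prefix added to `HybridContainerService` on line 25 is consistent with the other namespaces in the list.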

azure-local/includes/hci-vm-prerequisites.md

Lines changed: 2 additions & 2 deletions
@@ -3,10 +3,10 @@ author: alkohli
33
ms.author: alkohli
44
ms.service: azure-local
55
ms.topic: include
6-
ms.date: 10/23/2024
6+
ms.date: 04/10/2025
77
---
88

9-
- Access to an Azure subscription with the appropriate RBAC role and permissions assigned. For more information, see [RBAC roles for Azure Local Arc VM management](../manage/assign-vm-rbac-roles.md#about-builtin-rbac-roles).
9+
- Access to an Azure subscription with the appropriate RBAC role and permissions assigned. For more information, see [RBAC roles for Azure Local VM management](../manage/assign-vm-rbac-roles.md#about-builtin-rbac-roles).
1010
- Access to a resource group where you want to provision the VM.
1111
- Access to one or more VM images on your Azure Local. These VM images could be created by one of the following procedures:
1212
- [VM image starting from an image in Azure Marketplace](../manage/virtual-machine-image-azure-marketplace.md).

azure-local/manage/azure-site-recovery.md

Lines changed: 6 additions & 6 deletions
@@ -4,7 +4,7 @@ description: Use Azure Site Recovery to protect Hyper-V VM workloads running on
44
ms.topic: article
55
author: alkohli
66
ms.author: alkohli
7-
ms.date: 04/11/2025
7+
ms.date: 04/16/2025
88
---
99
<!-- This article is used by the Windows Server Docs, all links must be site relative (except include files). For example, /azure-stack/hci/manage/azure-site-recovery -->
1010

@@ -32,7 +32,7 @@ The disaster recovery strategy for Azure Site Recovery consists of the following
3232
In the current implementation of Azure Site Recovery integration with Azure Local, you can start the disaster recovery and prepare the infrastructure from the Azure Local resource in the Azure portal. After the preparation is complete, you can finish the remaining steps from the Site Recovery resource in the Azure portal.
3333

3434
> [!NOTE]
35-
> Azure Site Recovery doesn't support the replication, failover, and failback of the Arc resource bridge and Arc VMs.
35+
> Azure Site Recovery doesn't support the replication, failover, and failback of the Azure Arc resource bridge and Azure Local VMs enabled by Azure Arc.
3636
3737
## Overall workflow
3838

@@ -230,9 +230,9 @@ To fail back from Azure, follow the instructions in [Fail back from Azure](/azur
230230

231231
Consider the following information before you use Azure Site Recovery to protect your on-premises VM workloads by replicating those VMs to Azure.
232232

233-
- Extensions installed by Arc aren’t visible on the Azure VMs. The Arc server will still show the extensions that are installed, but you can't manage those extensions (for example, install, upgrade, or uninstall) while the machine is in Azure.
233+
- Extensions installed by Arc aren’t visible on the Azure VMs. The Arc-enabled server will still show the extensions that are installed, but you can't manage those extensions (for example, install, upgrade, or uninstall) while the machine is in Azure.
234234
- Guest Configuration policies won't run while the machine is in Azure, so any policies that audit the OS security/configuration won't run until the machine is migrated back on-premises.
235-
- Log data (including Sentinel, Defender, and Azure Monitor info) will be associated with the Azure VM while it's in Azure. Historical data is associated with the Arc server. If it's migrated back on-premises, it starts being associated with the Arc server again. They can still find all the logs by searching by computer name as opposed to resource ID, but it's worth noting the Portal UX experiences look for data by resource ID so you'll only see a subset on each resource.
235+
- Log data (including Sentinel, Defender, and Azure Monitor info) will be associated with the Azure VM while it's in Azure. Historical data is associated with the Arc-enabled server. If it's migrated back on-premises, it starts being associated with the Arc-enabled server again. They can still find all the logs by searching by computer name as opposed to resource ID, but it's worth noting the Portal UX experiences look for data by resource ID so you'll only see a subset on each resource.
236236
- We strongly recommend that you don't install the Azure VM Guest Agent to avoid conflicts with Arc if there's any potential that the machine will be migrated back on-premises. If you need to install the guest agent, make sure that the VM has extension management disabled. If you try to install/manage extensions using the Azure VM guest agent when there are already extensions installed by Arc on the same machine (or vice versa), you run into all sorts of issues because our agents are unaware of the previous extension installations and will encounter state reconciliation issues.
237237

238238
## Known issues
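
Review bot: Line 235 is edited but keeps "They can still find all the logs", where "They" has no antecedent and the rest of the bullet addresses the reader as "you"; change it to "You can still find all the logs". It would also help to state plainly what the last clause implies: views that look up Sentinel, Defender, or Azure Monitor data by resource ID show only part of a machine's history after it moves between on-premises and Azure.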
@@ -243,8 +243,8 @@ Here's a list of known issues and the associated workarounds in this release:
243243
|----|----------------------|---------------------------|
244244
| 1. | When you register Azure Site Recovery with a system, a machine fails to install Azure Site Recovery or register to the Azure Site Recovery service. | In this instance, your VMs may not be protected. Verify that all machines in the system are registered in the Azure portal by going to the **Recovery Services vault** \> **Jobs** \> **Site Recovery Jobs**. |
245245
| 2. | Azure Site Recovery agent fails to install. No error details are seen at the system or machine levels in the Azure Local portal. | When the Azure Site Recovery agent installation fails, it is because of the one of the following reasons: <br><br> - Installation fails as Hyper-V isn't set up on the host. </br><br> - The Hyper-V host is already associated to a Hyper-V site and you're trying to install the extension with a different Hyper-V site. </br> |
246-
| 3. | Azure Site Recovery agent fails to install. Error message of "Microsoft Azure Site Recovery Provider installation has failed with exit code - 1." appears in the portal with the failed installation. | The installation fails when WDAC is enforced. <br><br> - Setting WDAC to "Audit" mode allows the installation to complete. To set the WDAC mode to be Audit, you can follow the instructions in [Manage WDAC settings with PowerShell](/azure-stack/hci/manage/manage-wdac#manage-wdac-settings-with-powershell) |
247-
| 4. | Failback of an Arc VM to an alternate cluster fails. | Failback of an Arc VM to an alternate cluster isn't supported |
246+
| 3. | Azure Site Recovery agent fails to install. Error message of "Microsoft Azure Site Recovery Provider installation has failed with exit code - 1." appears in the portal with the failed installation. | The installation fails when WDAC is enforced. <br><br> - Setting WDAC to "Audit" mode will allow the installation to complete. To set the WDAC mode to be Audit, you can follow the instructions in [Manage WDAC settings with PowerShell](/azure-stack/hci/manage/manage-wdac#manage-wdac-settings-with-powershell) |
247+
| 4. | Failback of an Azure Local VM to an alternate cluster fails. | Failback of an Azure Local VM to an alternate cluster is not supported |
248248

249249
## Next steps
250250
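
Review bot: The workaround in row 3 (line 246) tells readers to set WDAC to "Audit" mode so the installation completes but never tells them to switch it back, which leaves application control unenforced on the host; add a step to return WDAC to enforced mode once the agent is installed. The same line changes "allows" to "will allow" and line 247 changes "isn't" to "is not", which moves away from the present tense and contractions used elsewhere in this file.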
