Merge branch 'release-local-disconnectednew' of https://github.com/MicrosoftDocs/azure-stack-docs-pr into rb-do-fallback

Author: ronmiab

.openpublishing.redirection.azure-local.json

@@ -1924,6 +1924,16 @@
       "source_path": "azure-local/manage/manage-network-atc.md", 
       "redirect_url": "/windows-server/networking/network-atc/manage-network-atc", 
       "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/migrate/migrate-cluster-same-hardware.md", 
+      "redirect_url": "/azure-local/migrate/migration-azure-migrate-overview", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/migrate/migrate-cluster-new-hardware.md", 
+      "redirect_url": "/azure-local/migrate/migration-azure-migrate-overview", 
+      "redirect_document_id": false
     }
   ]
 }

AKS-Arc/TOC.yml

@@ -80,12 +80,12 @@
           href: deploy-load-balancer-cli.md
         - name: Azure portal
           href: deploy-load-balancer-portal.md
-        # - name: Troubleshoot issues
-        #   href: load-balancer-troubleshoot.md
     - name: Security
       items:
       - name: Encrypt etcd secrets
         href: encrypt-etcd-secrets.md
+      - name: Validate signed container images
+        href: validate-signed-container-images.md
     - name: AI and Machine Learning
       items:
       - name: Deploy an AI model with the AI toolchain operator
@@ -107,7 +107,7 @@
       - name: Restrict SSH access
         href: restrict-ssh-access.md
       - name: Deploy and configure Workload Identity
-        href: workload-identity.md     
+        href: workload-identity.md
     - name: Storage
       href: concepts-storage.md
       items:
@@ -159,12 +159,18 @@
     items:
     - name: Troubleshoot and known issues
       href: aks-troubleshoot.md
-    - name: AKS on Azure Local support policy
-      href: aks-on-azure-local-support-policy.md
     - name: Get support
-      href: help-support.md
-    - name: Use diagnostic checker
-      href: aks-arc-diagnostic-checker.md
+      items:
+      - name: AKS on Azure Local support policy
+        href: aks-on-azure-local-support-policy.md
+      - name: Get support
+        href: help-support.md
+      - name: Use the support remediation tool
+        href: support-module.md
+      - name: Use diagnostic checker
+        href: aks-arc-diagnostic-checker.md
+    - name: Storage provisioning issue in cluster and node pool creation
+      href: storage-provision-issue.md
     - name: Control plane configuration validation errors
       href: control-plane-validation-errors.md
     - name: K8sVersionValidation error

AKS-Arc/aks-troubleshoot.md

@@ -3,9 +3,9 @@ title: Troubleshoot common issues in AKS enabled by Azure Arc
 description: Learn about common issues and workarounds in AKS enabled by Arc.
 ms.topic: how-to
 author: sethmanheim
-ms.date: 07/17/2025
+ms.date: 07/23/2025
 ms.author: sethm 
-ms.lastreviewed: 07/17/2025
+ms.lastreviewed: 07/23/2025
 ms.reviewer: rcheeran
 
 ---
@@ -24,6 +24,7 @@ The following sections describe known issues for AKS enabled by Azure Arc:
 
 | AKS Arc CRUD operation | Issue | Fix status |
 |------------------------|-------|------------|
+| AKS steady state       | [Storage provisioning issue impacting cluster and node pool creation](storage-provision-issue.md)|Active|
 | AKS cluster delete     | [Deleted AKS Arc cluster still visible on Azure portal](deleted-cluster-visible.md) | Active |
 | AKS steady state       | [AKS Arc telemetry pod consumes too much memory and CPU](telemetry-pod-resources.md) | Fixed in 2507 release  |
 | AKS cluster create     | [Can't create AKS cluster or scale node pool because of issues with AKS Arc images](gallery-image-not-usable.md) | Fixed in 2507 release |

AKS-Arc/azure-rbac-local.md

@@ -6,8 +6,8 @@ ms.custom: devx-track-azurecli
 author: sethmanheim
 ms.author: sethm
 ms.reviewer: leslielin
-ms.date: 05/21/2025
-ms.lastreviewed: 05/21/2025
+ms.date: 07/25/2025
+ms.lastreviewed: 07/25/2025
 
 # Intent: As an IT Pro, I want to use Azure RBAC to authenticate connections to my AKS clusters over the Internet or on a private network.
 # Keyword: Kubernetes role-based access control AKS Azure RBAC AD
@@ -45,7 +45,17 @@ Before you begin, make sure you have the following prerequisites:
   az extension update --name connectedk8s
   ```
 
-- To interact with Kubernetes clusters, you must install [**kubectl**](https://kubernetes.io/docs/tasks/tools/) and [**kubelogin**](https://azure.github.io/kubelogin/install.html).
+- To interact with Kubernetes clusters, you must install [**kubectl**](https://kubernetes.io/docs/tasks/tools/) and [**kubelogin**](https://azure.github.io/kubelogin/install.html). You can use the following Azure CLI or Azure PowerShell commands to install both **kubectl** and **kubelogin**:
+
+   # [Azure CLI](#tab/cli)
+
+   Install kubectl locally using the [az aks install-cli](/cli/azure/aks?view=azure-cli-latest#az-aks-install-cli&preserve-view=true) command.
+
+   # [PowerShell](#tab/powershell)
+
+   Install kubectl locally using the [Install-AzAksCliTool](/powershell/module/az.aks/install-azaksclitool?view=azps-14.2.0&preserve-view=true) cmdlet.
+
+   ---
 - The following permissions are required to enable Azure RBAC when creating a Kubernetes cluster:
   - To create a Kubernetes cluster, the [**Azure Kubernetes Service Arc Contributor**](/azure/role-based-access-control/built-in-roles/containers#azure-kubernetes-service-arc-contributor-role) role is required.
   - To use the `--enable-azure-rbac` parameter, the [**Role Based Access Control Administrator**](/azure/role-based-access-control/built-in-roles/privileged#role-based-access-control-administrator) role is required for access to the **Microsoft.Authorization/roleAssignments/write** permission.
@@ -222,4 +232,4 @@ az role definition delete -n "AKS Arc Deployment Reader"
 - [Access and identity options](concepts-security-access-identity.md) for AKS enabled by Azure Arc
 - [Create an Azure service principal with Azure CLI](/cli/azure/azure-cli-sp-tutorial-1)
 - Available Azure permissions for [Hybrid + Multicloud](/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes)
-- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).
+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).

AKS-Arc/kubernetes-rbac-local.md

@@ -3,12 +3,12 @@ title: Control access using Microsoft Entra ID and Kubernetes RBAC in AKS enable
 description: Learn how to use Microsoft Entra group membership to restrict access to cluster resources using Kubernetes role-based access control (Kubernetes RBAC) in AKS Arc.
 author: sethmanheim
 ms.author: sethm 
-ms.lastreviewed: 06/25/2025
-ms.reviewer: abha
+ms.lastreviewed: 07/25/2025
+ms.reviewer: leslielin
 ms.topic: how-to
 ms.custom:
   - devx-track-azurecli
-ms.date: 06/25/2025
+ms.date: 07/25/2025
 
 # Intent: As an IT Pro, I need to learn how to enable Kubernetes role-based access control so that I can manage access to resources.
 # Keyword: Kubernetes role-based access control 
@@ -20,16 +20,24 @@ ms.date: 06/25/2025
 
 You can configure Azure Kubernetes Service (AKS) to use Microsoft Entra ID for user authentication. In this configuration, you sign in to a Kubernetes cluster using a Microsoft Entra authentication token. Once authenticated, you can use the built-in Kubernetes role-based access control (Kubernetes RBAC) to manage access to namespaces and cluster resources based on a user's identity or group membership.
 
-This article describes how to control access using Kubernetes RBAC in a Kubernetes cluster based on Microsoft Entra group membership in AKS. You create a demo group and users in Microsoft Entra ID. Then, you create roles and role bindings in the cluster to grant the appropriate permissions to create and view resources.
+This article describes how to control access using Kubernetes RBAC in a Kubernetes cluster based on Microsoft Entra group membership in AKS. First, you create a demo group and users in Microsoft Entra ID. Then you create roles and role bindings in the cluster to grant the appropriate permissions to create and view resources.
 
 ## Prerequisites
 
 Before you set up Kubernetes RBAC using Microsoft Entra ID, you must have the following prerequisites:
 
-- An AKS enabled by Azure Arc cluster. If you need to set up your cluster, see the instructions for using the [Azure portal](aks-create-clusters-portal.md) or [Azure CLI](aks-create-clusters-cli.md).
+- An AKS Arc cluster. If you need to set up your cluster, see the instructions for using the [Azure portal](aks-create-clusters-portal.md) or [Azure CLI](aks-create-clusters-cli.md).
 - Azure CLI installed and configured. If you need to install CLI or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli).
-- **Azure CLI and the connectedk8s extension**. The Azure command-line interface (Azure CLI) is a set of commands used to create and manage Azure resources. To check whether you have the Azure CLI, open a command line tool, and type: `az -v`. Also, install the [connectedk8s extension](https://github.com/Azure/azure-cli-extensions/tree/main/src/connectedk8s) in order to open a channel to your Kubernetes cluster. For installation instructions, see [How to install the Azure CLI](/cli/azure/install-azure-cli).
-- **Kubectl**. The Kubernetes command-line tool, **kubectl**, enables you to run commands that target your Kubernetes clusters. To check whether you have installed kubectl, open a command line tool, and type: `kubectl version --client`. Make sure your kubectl client version is at least `v1.24.0`. For installation instructions, see [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl).
+- Azure CLI and the **connectedk8s** extension. The Azure command-line interface (Azure CLI) is a set of commands used to create and manage Azure resources. To check whether you have the Azure CLI, open a command prompt and type `az -v`. Also, install the [connectedk8s extension](https://github.com/Azure/azure-cli-extensions/tree/main/src/connectedk8s) in order to open a channel to your Kubernetes cluster. For installation instructions, see [How to install the Azure CLI](/cli/azure/install-azure-cli).
+- **Kubectl**. The Kubernetes command line tool, **kubectl**, enables you to run commands that target your Kubernetes clusters. To check whether you installed **kubectl**, open a command prompt and type `kubectl version --client`. Make sure your **kubectl** client version is at least **v1.24.0**. You can use the following Azure CLI or Azure PowerShell commands to install **kubectl**:
+
+   # [Azure CLI](#tab/cli)
+
+   Install kubectl locally using the [az aks install-cli](/cli/azure/aks?view=azure-cli-latest#az-aks-install-cli&preserve-view=true) command.
+
+   # [PowerShell](#tab/powershell)
+
+   Install kubectl locally using the [Install-AzAksCliTool](/powershell/module/az.aks/install-azaksclitool?view=azps-14.2.0&preserve-view=true) cmdlet.
 - You can access your Kubernetes cluster with the specified permissions either with direct mode or proxy mode.
   - To access the Kubernetes cluster directly using the `az aksarc get-credentials` command, you need the **Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action**, which is included in the **Azure Kubernetes Service Arc Cluster User** role permissions
   - To access the Kubernetes cluster from anywhere with a proxy mode using `az connectedk8s proxy` command, you need the **Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action**, which is included in **Azure Arc-enabled Kubernetes Cluster User** role permission. Meanwhile, you need to verify that the agents and the machine performing the onboarding process meet the network requirements in [Azure Arc-enabled Kubernetes network requirements](/azure/azure-arc/kubernetes/network-requirements?tabs=azure-cloud#details).

AKS-Arc/storage-provision-issue.md

@@ -0,0 +1,60 @@
+---
+title: Troubleshoot issue in which storage provisioning fails
+description: Learn how to troubleshoot and mitigate an issue that occurs when storage provisioning fails.
+ms.topic: troubleshooting
+author: rcheeran
+ms.author: rcheeran
+ms.date: 07/23/2025
+ms.reviewer: rcheeran
+ms.lastreviewed: 07/23/2025
+
+---
+
+# Troubleshoot storage provisioning issue during cluster and node pool creation
+
+This article describes an issue in which new AKS Arc nodes are created on a single storage path/volume of the Azure Local cluster, breaking the expected round-robin distribution among volumes. Over time, this might cause insufficient disk space on that path, potentially resulting in deployment failures.
+
+## Symptoms
+
+During cluster creation or node pool creation and scale operations, you might see the following error message:
+
+```output
+The system failed to create <Azure resource name>: There is not enough space on the disk.
+```
+
+## Cause
+
+The issue is caused by a recent regression introduced in Azure Local, version 2506.
+
+## Mitigation
+
+This issue was fixed in AKS on [Azure Local, version 2507](/azure/azure-local/whats-new?view=azloc-2507&preserve-view=true#features-and-improvements-in-2507). However, this mitigation works only when you create new Azure Local instances with version 2507. Upgrading from Azure Local versions 2506 to 2507 does not resolve the issue.
+
+### Workaround for Azure Local version 2506
+
+This issue only affects clusters in Azure Local version 2506. Install the [support module](support-module.md) and run the commands provided in this module.
+
+First, run the following command to check for known issues in your AKS Arc environment:
+
+```powershell
+Test-SupportAksArcKnownIssues
+```
+
+Then, run the following command to fix this known issue on your deployment. This command finds all available fixes for the current version, and installs those fixes:
+
+```powershell
+Invoke-SupportAksArcRemediation
+```
+
+## Verification
+
+Once the fix is done, you should be able to create your clusters and node pools. If you still encounter issues, please [reach out to Microsoft Support](#contact-microsoft-support).  
+
+## Contact Microsoft Support
+
+If the problem persists, collect the [AKS cluster logs](get-on-demand-logs.md) before you [create a support request](help-support.md).
+
+## Next steps
+
+- [Use the diagnostic checker tool to identify common environment issues](aks-arc-diagnostic-checker.md)
+- [Review AKS on Azure Local architecture](cluster-architecture.md)

AKS-Arc/support-module.md

@@ -0,0 +1,103 @@
+---
+title: Support.AksArc diagnostic and remediation tool
+description: Learn how to run commands in the Support.AksArc PowerShell module to diagnose and remediate issues in AKS Arc environments.
+ms.topic: troubleshooting
+author: sethmanheim
+ms.author: sethm
+ms.date: 07/22/2025
+ms.reviewer: sumsmith
+ms.lastreviewed: 07/22/2025
+
+---
+
+# Support.AksArc module
+
+The [**Support.AksArc**](https://www.powershellgallery.com/packages/Support.AksArc) PowerShell module provides diagnostic and remediation capabilities for AKS Arc environments. Before you open a support request, you can run the specified commands in this module to help diagnose and potentially resolve issues.
+
+You should run the commands if you experience any of the following symptoms:
+
+- Solution upgrade fails in MOC binaries state.
+- Solution upgrade fails in Arc Resource Bridge stage.
+- MOC service doesn't stay online.
+- Arc Resource Bridge is offline.
+
+## Commands
+
+The **Support.AksArc** module contains the following PowerShell commands:
+
+- `Test-SupportAksArcKnownIssues`: tests for known issues.
+- `Invoke-SupportAksArcRemediation`: fixes identified issues.
+
+## Installation
+
+To install the module, run the following commands:
+
+```powershell
+Install-Module -Name Support.AksArc
+Import-Module Support.AksArc
+```
+
+## Usage
+
+> [!NOTE]
+> Make sure to run these PowerShell commands locally, not in a PowerShell remote session.
+
+The following command performs a health check:
+
+```powershell
+Test-SupportAksArcKnownIssues
+```
+
+This command performs auto-remediation (tests and fixes all issues):
+
+```powershell
+Invoke-SupportAksArcRemediation
+```
+
+## Example output
+
+The following example output from the `Test-SupportAksArcKnownIssues` command shows the results of a failed test:
+
+```output
+Test Name                                                  Status Message
+---------                                                  --------------
+Validate Failover Cluster Service Responsiveness           Passed Failover Cluster service is responsive.
+Validate Missing MOC Cloud Agents                          Passed No missing MOC cloud agents found.
+Validate MOC Cloud Agent Running                           Passed MOC Cloud Agent is running
+Validate Missing MOC Node Agents                           Passed All MOC nodes have the Node Agent service installed and healthy.
+Validate Missing MOC Host Agents                           Passed All nodes have MOC host agents installed and healthy
+Validate MOC is on Latest Patch Version                    Failed MOC is not on the latest patch version. Current: 1.15.5.10626, Latest: 1.15.7.10719
+Validate Expired Certificates                              Passed No expired certificates found
+Validate MOC Nodes Not Active                              Passed All MOC nodes are in the 'Active' state
+Validate Multiple MOC Cloud Agent Instances                Passed No multiple instances of MOC Cloud Agent found
+Validate Windows Event Log Running                         Passed Windows Event Log is running
+Validate Gallery Image Stuck In Deleting                   Passed No gallery images are stuck in deleting state
+Validate Virtual Machine Stuck In Pending                  Passed No virtual machines are stuck in pending state
+Validate Virtual Machine Management Service Responsiveness Passed Virtual Machine Management service is responsive
+```
+
+The following example output shows a successful result for all tests:
+
+```output
+Test Name                                                  Status Message
+---------                                                  --------------
+Validate Failover Cluster Service Responsiveness           Passed  Failover Cluster service is responsive.
+Validate Missing MOC Cloud Agents                          Passed  No missing MOC cloud agents found.
+Validate MOC Cloud Agent Running                           Passed  MOC Cloud Agent is running
+Validate Missing MOC Node Agents                           Passed  All MOC nodes have the Node Agent service installed and healthy.
+Validate Missing MOC Host Agents                           Passed  All nodes have MOC host agents installed and healthy.
+Validate MOC is on Latest Patch Version                    Passed  MOC is on the latest patch version.
+Validate Expired Certificates                              Passed  No expired certificates found.
+Validate MOC Nodes Not Active                              Passed  All NMC nodes are in the 'Active' state.
+Validate NMC Nodes Sync with Cluster Nodes                 Passed  All NMC nodes are in sync with cluster nodes.
+Validate Multiple NMC Cloud Agent Instances                Passed  No multiple instances of NMC Cloud Agent found.
+Validate NMC Powershell Not Stuck in Updating              Passed  NMC Powershell is not stuck in updating state.
+Validate Windows Event Log Running                         Passed  Windows Event Log is running
+Validate Gallery Image Stuck In Deleting                   Passed  No gallery images are stuck in deleting state.
+Validate Virtual Machine Stuck In Pending                  Passed  No virtual machines are stuck in pending state.
+Validate Virtual Machine Management Service Responsiveness Passed  Virtual Machine Management service is responsive.
+```
+
+## Next steps
+
+[Use the diagnostic checker tool to identify common environment issues](aks-arc-diagnostic-checker.md)