Merge pull request #16634 from MicrosoftDocs/main

12/18/2024 PM Publish

Author: Taojunshen

AKS-Hybrid/TOC.yml

@@ -130,18 +130,18 @@
       items:    
           - name: Monitor Kubernetes object events
             href: kubernetes-monitor-object-events.md
-          - name: Monitor Kubernetes audit events
-            href: kubernetes-monitor-audit-events.md
-          - name: Monitor logs reference
-            href: kubernetes-monitor-metrics.md
+          - name: Get kubelet logs
+            href: aks-get-kubelet-logs.md
           - name: Enable Container Insights
             href: /azure/azure-monitor/containers/kubernetes-monitoring-enable
+          - name: Monitor Kubernetes audit events
+            href: kubernetes-monitor-audit-events.md
           - name: Use on-premises monitoring
             href: aks-monitor-logging.md
-          - name: Get kubelet logs
-            href: aks-get-kubelet-logs.md
           - name: Get on-demand logs for troubleshooting
             href: get-on-demand-logs.md
+          - name: Monitoring data reference
+            href: kubernetes-monitor-metrics.md
   - name: Troubleshooting
     items:
     - name: Troubleshoot & known issues

AKS-Hybrid/aks-create-clusters-cli.md

@@ -4,7 +4,7 @@ description: Learn how to create Kubernetes clusters in Azure Local using Azure
 ms.topic: how-to
 ms.custom: devx-track-azurecli
 author: sethmanheim
-ms.date: 11/18/2024
+ms.date: 12/18/2024
 ms.author: sethm 
 ms.lastreviewed: 01/25/2024
 ms.reviewer: guanghu
@@ -96,7 +96,7 @@ moc-l0ttdmaioew  Ready  control-plane,master 34m v1.24.11
 moc-ls38tngowsl  Ready  <none>               32m v1.24.11
 ```
 
-## Deploy the application
+## Deploy the application and load balancer
 
 A [Kubernetes manifest file](kubernetes-concepts.md#deployments) defines a cluster's desired state, such as which container images to run.
 
@@ -215,6 +215,8 @@ deployment "azure-vote-front" created
 service "azure-vote-front" created
 ```
 
+Deploy a MetalLB load balancer so it can assign an external IP for the application front end. You can [follow these instructions](deploy-load-balancer-cli.md) to deploy the MetalLB extension from the Azure portal, or using CLI.
+
 ## Test the application
 
 When the application runs, a Kubernetes service exposes the application frontend to the internet. This process can take a few minutes to complete.

AKS-Hybrid/kubernetes-monitor-audit-events.md

@@ -3,7 +3,7 @@ title: Monitor Kubernetes audit events in AKS enabled by Azure Arc
 description: Learn how to create a diagnostic setting to access Kubernetes audit logs.
 author: sethmanheim
 ms.topic: how-to
-ms.date: 02/26/2024
+ms.date: 12/18/2024
 ms.author: sethm 
 ms.lastreviewed: 02/26/2024
 ms.reviewer: guanghu
@@ -26,7 +26,7 @@ Install the Arc K8S extension by running the following command:
 az k8s-extension create -g <resouerce-group-name> -c <cluster-name> --cluster-type connectedClusters --extension-type Microsoft.AKSArc.AzureMonitor --name "aksarc-azuremonitor" --auto-upgrade true
 ```
 
-After the extension installs successfully, follow the instructions in [Diagnostic settings in Azure Monitor](/azure/azure-monitor/essentials/diagnostic-settings#resource-logs) to create a diagnostic setting using the Azure portal, Azure CLI, or PowerShell. During this process, you can specify which categories of logs to collect. The categories for AKS Arc are listed in the [Azure Monitor reference](/azure/azure-monitor/logs/manage-logs-tables).
+After the extension installs successfully, follow the instructions in [Diagnostic settings in Azure Monitor](/azure/azure-monitor/essentials/diagnostic-settings#resource-logs) to create a diagnostic setting using the Azure portal, Azure CLI, or PowerShell. During this process, you can specify which categories of logs to collect. The categories for AKS Arc are listed in the [Monitoring data reference](/azure/azure-monitor/logs/manage-logs-tables).
 
 The example command is as follows:
 
@@ -36,32 +36,16 @@ az monitor diagnostic-settings create –name <Diagnostics_Setting_Name> --resou
 
 :::image type="content" source="media/kubernetes-monitor-audit-events/diagnostic-settings.png" alt-text="Screenshot of portal blade showing diagnostic settings." lightbox="media/kubernetes-monitor-audit-events/diagnostic-settings.png":::
 
-AKS supports either [Azure diagnostics mode](/azure/azure-monitor/essentials/resource-logs#azure-diagnostics-mode) or [resource-specific mode](/azure/azure-monitor/essentials/resource-logs#resource-specific) for resource logs. The mode specifies the tables in the Log Analytics workspace to which the data is sent. Azure diagnostics mode sends all data to the [AzureDiagnostics table](/azure/azure-monitor/reference/tables/azurediagnostics), while resource-specific mode sends data to [ArcK8SAudit](/azure/azure-monitor/reference/tables/arck8saudit), [ArcK8SAuditAdmin](/azure/azure-monitor/reference/tables/arck8sauditadmin), and [ArcK8SControlPlane](/azure/azure-monitor/reference/tables/arck8scontrolplane), as shown in the log category table in the next section.
+AKS supports either [Azure diagnostics mode](/azure/azure-monitor/essentials/resource-logs#azure-diagnostics-mode) or [resource-specific mode](/azure/azure-monitor/essentials/resource-logs#resource-specific) for resource logs. The mode specifies the tables in the Log Analytics workspace to which the data is sent. Azure diagnostics mode sends all data to the [AzureDiagnostics table](/azure/azure-monitor/reference/tables/azurediagnostics), while resource-specific mode sends data to [ArcK8SAudit](/azure/azure-monitor/reference/tables/arck8saudit), [ArcK8SAuditAdmin](/azure/azure-monitor/reference/tables/arck8sauditadmin), and [ArcK8SControlPlane](/azure/azure-monitor/reference/tables/arck8scontrolplane), as shown in the log category table in the next section.
 
-After you save the setting, it can take an hour to see the events in the Log Analytics workspace or other supported destination. You can write a KQL query to extract the insights based on the log category you enabled.
-
-### Log category
-
-|       Category                   |      Description                                                                                                                                                                                                |      Table  (resource-specific mode)  |
-|----------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------|
-|      kube-apiserver              |     Logs from the API server.                                                                                                                                                                                   |     ArcK8SControlPlane.                |
-|      kube-audit                  |     Audit log data for every audit event including get, list, create, update, delete, patch, and post.                                                                                                          |     ArcK8SAudit                       |
-|      kube-audit-admin            |     Subset of the kube-audit log category. Significantly reduces the number of logs by excluding the get and list audit events from the log.                                                                    |     ArcK8SAuditAdmin                  |
-|      kube-controller-manager     |     Gain deeper visibility of issues that may arise between Kubernetes and the Azure control plane. A typical example is the AKS cluster having a lack of permissions to interact with Azure.                   |     ArcK8SControlPlane                |
-|      kube-scheduler              |     Logs from the scheduler.                                                                                                                                                                                    |     ArcK8SControlPlane.                |
-|      cluster-autoscaler          |     Understand why the AKS cluster is scaling up or down, which may not be expected. This information is also useful to correlate time intervals where something interesting might have happened in the cluster.  |     ArcK8SControlPlane                |
-|      cloud-controller-manager    |     Logs from the cloud-node-manager component of the Kubernetes cloud controller manager.                                                                                                                      |     ArcK8SControlPlane                |
-|      guard                       |     Managed Microsoft Entra ID and Azure RBAC audits. For managed Microsoft Entra ID, this category includes token in and user info out. For Azure RBAC, it includes access reviews in and out.                        |     ArcK8SControlPlane                |
-|      csi-aksarcdisk-controller   |     Logs from the AKS Arc CSI storage driver.                                                                                                                                                                    |     ArcK8SControlPlane.                |
-|      csi-aksarcsmb-controller    |     Logs from the AKS Arc SMB CSI storage driver.                                                                                                                                                                |     ArcK8SControlPlane.                |
-|      csi-aksarcnfs-controller    |     Logs from the AKS Arc NFS CSI storage driver.                                                                                                                                                                |     ArcK8SControlPlane.                |
+After you save the settings, it can take up to an hour to see the events in the Log Analytics workspace or other supported destination. You can write a KQL query to extract the insights based on the log categories you enabled.
 
 ## Delete and disable the diagnostics setting
 
 You can delete the diagnostics setting using the Azure portal, PowerShell, or Azure CLI:
 
 ```azurecli
-az monitor diagnostic-settings delete –name <diagnostics-setting-name> --resource <resource-name> -g <resource-group-name>
+az monitor diagnostic-settings delete -name <diagnostics-setting-name> --resource <resource-name> -g <resource-group-name>
 ```
 
 After you successfully delete the setting, you can then delete the extension using Azure CLI:

AKS-Hybrid/kubernetes-monitor-metrics.md

@@ -3,10 +3,10 @@ title: Metrics and monitoring logs in AKS Arc
 description: Learn about metrics and logs used to monitor Kubernetes clusters in AKS Arc.
 author: sethmanheim
 ms.topic: how-to
-ms.date: 05/30/2024
+ms.date: 12/18/2024
 ms.author: sethm 
 ms.lastreviewed: 03/28/2024
-ms.reviewer: haojiehan
+ms.reviewer: haojiehang
 
 ---
 
@@ -16,16 +16,27 @@ This article provides an overview of the metrics and logs used to monitor Kubern
 
 ## Metrics
 
-The following table lists the platform metrics collected for AKS Arc. Follow each link for a detailed list of the metrics for each particular type.
+### Platform Metrics
+
+The following table lists the platform metrics supported for AKS Arc. To view these basic platform metrics, you can install the observability extension on your Kubernetes cluster and wait a few minutes to start the automatic metrics ingestion. Follow each link for a detailed list of the metrics for each particular type:
 
 | Metric type           | Resource provider/type namespace                       |
 |-----------------------|--------------------------------------------------------|
 | Provisioned clusters  | [Microsoft.HybridContainerService/provisionedClusters](/azure/azure-monitor/reference/supported-metrics/microsoft-hybridcontainerservice-provisionedclusters-metrics)   |
 | Connected clusters    | [Microsoft.Kubernetes/connectedClusters](/azure/azure-monitor/reference/supported-metrics/microsoft-kubernetes-connectedclusters-metrics)                 |
 
-## Azure Monitor resource logs
+### Prometheus Metrics
+
+To view more granular metrics, it's recommended that you enable the Managed Prometheus extension in your Kubernetes, and then query Prometheus metrics in Metrics Explorer or Managed Grafana. For the extension onboarding instructions, [see this article](/azure/azure-monitor/containers/kubernetes-monitoring-enable?tabs=cli#enable-prometheus-and-grafana). 
+
+
+## Azure Monitor Logs
 
-AKS Arc implements control plane logs (including audit logs) for clusters as [resource logs in Azure Monitor](/azure/azure-monitor/essentials/resource-logs). For more information about creating diagnostic settings to collect these logs, see [Monitor Kubernetes audit events](/azure/aks/hybrid/kubernetes-monitor-audit-events). The following table lists the resource log categories you can collect for AKS Arc:
+AKS Arc supports two types of logs: Control Plane logs implemented as resource logs, and container insights logs. For more information about exporting control plane logs such as audit logs using diagnostic settings, see [Monitor Kubernetes audit events](/azure/aks/hybrid/kubernetes-monitor-audit-events). For more information about enabling container insights, see [Enable Container Insights](/azure/azure-monitor/containers/kubernetes-monitoring-enable?tabs=cli). 
+
+### Control Plane Logs
+
+The following table lists the log categories available for AKS Arc. You can also see this table in the [Azure Monitor resource log reference](/azure/azure-monitor/reference/supported-logs/microsoft-kubernetes-connectedclusters-logs):
 
 | Category                   | Description                                                                                                                                                                                                   | Table (resource-specific mode)  |
 |----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------|
@@ -43,23 +54,18 @@ AKS Arc implements control plane logs (including audit logs) for clusters as [re
 
 For more information, see the list of [all resource log category types supported in Azure Monitor](/azure/azure-monitor/essentials/resource-logs-schema).
 
-## Azure Monitor log tables
-
-The following table lists all the Azure Monitor log tables relevant to AKS Arc:
+### Azure Monitor log tables
 
-| Resource Type     | Notes                                                                                            |
-|-------------------|--------------------------------------------------------------------------------------------------|
-| [ConnectedCluster](/azure/azure-monitor/logs/manage-logs-tables)  | Follow this link for a list of all tables used by AKS Arc, and a description of their structure.  |
+You can analyze both the control plane logs and the container insights in Log Analytics Workspace. See the Log Analytics tables in the [Azure Monitor Reference](/azure/azure-monitor/reference/tables-index#azure-arc-enabled-kubernetes).
 
-## Azure Activity log
+## Activity log
 
-The following table links to a few example operations related to AKS Arc that might be created in the [Activity log](/azure/azure-monitor/essentials/activity-log-insights). Use the activity log to track information such as when a cluster is created, or had its configuration change:
+The following table lists a few example operations related to AKS that might be created in the activity log. Use the activity log to track information such as when a cluster is created, or had its configuration change. You can view this information in the portal or by using other methods. You can also use it to create an activity log alert to be proactively notified when an event occurs:
 
 | Resource Type                | Notes                                                                            |
 |------------------------------|----------------------------------------------------------------------------------|
 | [ProvisionedClusterInstances](/rest/api/hybridcontainer/provisioned-cluster-instances)  | Follow this link for a list and descriptions of operations used in AKS Arc.  |
 
-For more information about the schema of Activity log entries, see the [Activity log schema](/azure/azure-monitor/essentials/activity-log-schema).
 
 ## Next steps
 

AKS-Hybrid/resource-manager-quickstart.md

@@ -3,7 +3,7 @@ title: Deploy a Kubernetes (AKS) cluster using an Azure Resource Manager templat
 description: Learn how to deploy a Kubernetes cluster in AKS enabled by Azure Arc using an Azure Resource Manager template.
 ms.topic: quickstart-arm
 ms.custom: devx-track-arm-template, devx-track-azurecli
-ms.date: 12/17/2024
+ms.date: 12/18/2024
 author: sethmanheim
 ms.author: sethm 
 ms.lastreviewed: 01/31/2024
@@ -125,7 +125,7 @@ az aksarc show --resource-group "<resource-group-name>" --name "<cluster-name>"
 
 Similiar to step 3, download the node pool template and parameters from the [AKSArc repo](https://github.com/Azure/aksArc/tree/main/deploymentTemplates) and review the default values.
 
-### Deploy the template and validate results using Azure CLI (optional)
+## Step 8: Deploy the template and validate the deployment (optional)
 
 Review and apply the template. This process takes a few minutes to complete. You can use the Azure CLI to validate that the node pool is created successfully:
 

azure-local/TOC.yml

@@ -364,12 +364,6 @@ items:
         href: manage/vm-affinity.md
       - name: VM load balancing
         href: manage/vm-load-balancing.md
-      - name: Dynamic CPU compatibility
-        href: /windows-server/virtualization/hyper-v/manage/dynamic-processor-compatibility-mode?pivots=azure-local&context=/azure/azure-local/context/context
-      - name: GPU Partitioning
-        href: /windows-server/virtualization/hyper-v/gpu-partitioning?pivots=azure-local&context=/azure/azure-local/context/context
-      - name: Partition and assign GPUs to a virtual machine
-        href: /windows-server/virtualization/hyper-v/partition-assign-vm-gpu?pivots=azure-local&context=/azure/azure-local/context/context
       - name: Attach GPU to Linux VM
         href: manage/attach-gpu-to-linux-vm.md
 

azure-local/assurance/azure-stack-pci-dss-guidance.md

@@ -1,7 +1,7 @@
 ---
 title: PCI DSS guidance for Azure Local
 description: Learn about PCI DSS compliance using Azure Local.
-ms.date: 11/07/2024
+ms.date: 12/17/2024
 ms.topic: conceptual
 ms.service: azure-stack-hci
 ms.author: nguyenhung
@@ -95,9 +95,9 @@ By default, all host communications to local and remote endpoints are encrypted
 
 Windows Defender Antivirus is a utility application that enables enforcement of real-time system scanning and periodic scanning to protect platform and workloads against viruses, malware, spyware, and other threats. By default, Microsoft Defender Antivirus is enabled on Azure Local. Microsoft recommends using Microsoft Defender Antivirus with Azure Local rather than third-party antivirus and malware detection software and services as they may impact the operating system's ability to receive updates. Learn more at [Microsoft Defender Antivirus on Windows Server](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server).
 
-#### Windows Defender Application Control (WDAC)
+#### Application Control
 
-Windows Defender Application Control (WDAC) is enabled by default on Azure Local to control which drivers and applications are allowed to run directly on each server, helping prevent malware from accessing the systems. Learn more about base policies included in Azure Local and how to create supplemental policies at [Windows Defender Application Control for Azure Local](/azure-stack/hci/concepts/security-windows-defender-application-control).
+Application Control is enabled by default on Azure Local to control which drivers and applications are allowed to run directly on each server, helping prevent malware from accessing the systems. Learn more about base policies included in Azure Local and how to create supplemental policies at [Application Control for Azure Local](/azure-stack/hci/concepts/security-windows-defender-application-control).
 
 #### Microsoft Defender for Cloud