Sync release-local-2506 with main

Sync release-local-2506 with main

Author: sethmanheim

AKS-Arc/TOC.yml

@@ -62,6 +62,8 @@
         href: create-clusters-terraform.md
       - name: Azure Resource Manager template
         href: resource-manager-quickstart.md
+      - name: REST API
+        href: aks-create-clusters-api.md
     - name: Networking
       items:
       - name: Create logical networks

AKS-Arc/aks-create-clusters-api.md

@@ -0,0 +1,159 @@
+---
+title: Create Kubernetes clusters using REST APIs
+description: Learn how to create Kubernetes clusters in Azure Local using REST API for the Hybrid Container Service.
+ms.topic: how-to
+author: rcheeran
+ms.date: 06/19/2025
+ms.author: rcheeran 
+ms.lastreviewed: 06/19/2025
+ms.reviewer: rjaini
+---
+
+# Create Kubernetes clusters using the REST API
+
+[!INCLUDE [hci-applies-to-23h2](includes/hci-applies-to-23h2.md)]
+
+This article describes how to create Kubernetes clusters on Azure Local using the REST API. The Azure resource type for [AKS Arc provisioned clusters](/azure/templates/microsoft.hybridcontainerservice/provisionedclusterinstances?pivots=deployment-language-arm-template) is **"Microsoft.HybridContainerService/provisionedClusterInstances"**. This resource is an extension of the [connected clusters](/azure/templates/microsoft.kubernetes/connectedclusters?pivots=deployment-language-arm-template) resource type, **"Microsoft.Kubernetes/connectedClusters"**. Due to this dependency, you must first create a connected cluster resource before creating an AKS Arc resource.
+
+## Before you begin
+
+Before you begin, make sure you have the following details from your on-premises infrastructure administrator:
+
+- **Azure subscription ID**: The Azure subscription ID that Azure Local uses for deployment and registration.
+- **Custom Location ID**: The Azure Resource Manager ID of the custom location. The custom location is configured during the Azure Local cluster deployment. Your infrastructure admin should give you the Resource Manager ID of the custom location. This parameter is required in order to create Kubernetes clusters. If the infrastructure admin provides a custom location name and resource group name, you can also get the Resource Manager ID using the following command:
+
+  ```azurecli
+  az customlocation show --name "<custom location name>" --resource-group <azure resource group> --query "id" -o tsv
+  ```
+  
+- **Network ID**: The Azure Resource Manager ID of the Azure Local logical network you created [following these steps](aks-networks.md). Your admin should give you the ID of the logical network. This parameter is required in order to create Kubernetes clusters. If you know the resource group in which the logical network was created, you can also get the Azure Resource Manager ID using the following command:
+
+  ```azurecli
+  az stack-hci-vm network lnet show --name "<lnet name>" --resource-group <azure resource group> --query "id" -o tsv
+  ```
+  
+- **Create an SSH key pair**: Create an SSH key pair in Azure and store the private key file for troubleshooting and log collection purposes. For detailed instructions, see [Create and store SSH keys with the Azure CLI](/azure/virtual-machines/ssh-keys-azure-cli), or with the [Azure portal](/azure/virtual-machines/ssh-keys-portal).
+- To connect to the Kubernetes cluster from anywhere, create a Microsoft Entra group and add members to it. All the members in the Microsoft Entra group have cluster administrator access to the cluster. Make sure to add yourself as a member to the Microsoft Entra group. If you don't add yourself, you can't access the Kubernetes cluster using **kubectl**. For more information about creating Microsoft Entra groups and adding users, see [Manage Microsoft Entra groups and group membership](/entra/fundamentals/how-to-manage-groups).
+
+## Step 1: Create a connected cluster resource
+
+See the API definition for [connected clusters](/rest/api/hybridkubernetes/connected-cluster/create) and create a **PUT** request with the `kind` property set to `ProvisionedCluster`. The following example is a sample **PUT** request to create a connected cluster resource using the REST API:
+
+```http
+PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Kubernetes/connectedClusters/{connectedClusterName}?api-version=2024-01-01
+Content-Type: application/json
+Authorization: Bearer <access_token>
+
+{
+    "location": "<region>",
+    "identity": {
+        "type": "SystemAssigned"
+    },
+    "kind": "ProvisionedCluster",
+    "properties": {
+        "agentPublicKeyCertificate": "",
+        "azureHybridBenefit": "NotApplicable",
+        "distribution": "AKS",
+        "distributionVersion": "1.0",
+        "aadProfile": {
+          "enableAzureRBAC": true,
+          "adminGroupObjectIDs": [
+            "<entra-group-id>"
+          ],
+          "tenantID": "<tenant-id>"
+    },
+  }
+}
+```
+
+Replace all placeholder values with your actual details. For more information, see the [connected clusters API documentation](/rest/api/hybridkubernetes/connected-cluster/create).
+
+## Step 2: Create a provisioned cluster resource
+
+See the API definition for [provisioned clusters](/rest/api/hybridcontainer/provisioned-cluster-instances/create-or-update). In this **PUT** call, pass the Azure Resource Manager identifier created in the previous step as the URI parameter. The following code is an example HTTP **PUT** request to create a provisioned cluster resource with only the required parameters:
+
+```http
+PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.HybridContainerService/provisionedClusterInstances/{clusterName}?api-version=2024-01-01-preview
+Content-Type: application/json
+Authorization: Bearer <access_token>
+
+{
+  "extendedLocation": {
+    "type": "CustomLocation",
+    "name": "<ARM ID of Custom Location>"
+  },
+  "properties": {
+    "controlPlane": {
+      "count": 1,
+      "vmSize": "Standard_A4_v2"
+    },
+    "agentPoolProfiles": [
+      {
+        "name": "default-nodepool-1",
+        "count": 1,
+        "vmSize": "Standard_A4_v2",
+        "osType": "Linux",
+      }
+    ],
+    "linuxProfile": {
+      "ssh": {
+        "publicKeys": [
+          {
+            "keyData": "<SSH public key>"
+          }
+        ]
+      }
+    },
+    "cloudProviderProfile": {
+      "infraNetworkProfile": {
+        "vnetSubnetIds": [
+          "<ARM ID of logical network>"
+        ]
+      }
+    },
+  }
+}
+
+```
+
+Replace the placeholder values with your actual details. For more information, see the [provisioned clusters API documentation](/rest/api/hybridcontainer/provisioned-cluster-instances/create-or-update).
+
+## Connect to the Kubernetes cluster
+
+Now you can connect to your Kubernetes cluster by running the `az connectedk8s proxy` command from your development machine. Make sure you sign in to Azure before running this command. If you have multiple Azure subscriptions, select the appropriate subscription ID using the [az account set](/cli/azure/account#az-account-set) command.
+
+This command downloads the **kubeconfig** of your Kubernetes cluster to your development machine and opens a proxy connection channel to your on-premises Kubernetes cluster. The channel is open for as long as the command runs. Let this command run for as long as you want to access your cluster. If it times out, close the CLI window, open a fresh one, and then run the command again.
+
+You must have Contributor permissions on the resource group that hosts the Kubernetes cluster in order to successfully run the following command:
+
+```azurecli
+az connectedk8s proxy --name $aksclustername --resource-group $resource_group --file .\aks-arc-kube-config
+```
+
+Expected output:
+
+```output
+Proxy is listening on port 47011
+Merged "aks-workload" as current context in .\\aks-arc-kube-config
+Start sending kubectl requests on 'aks-workload' context using
+kubeconfig at .\\aks-arc-kube-config
+Press Ctrl+C to close proxy.
+```
+
+Keep this session running and connect to your Kubernetes cluster from a different terminal or command prompt. Verify that you can connect to your Kubernetes cluster by running the `kubectl get` command. This command returns a list of the cluster nodes:
+
+```azurecli
+kubectl get node -A --kubeconfig .\aks-arc-kube-config
+```
+
+The following example output shows the node you created in the previous steps. Make sure the node status is **Ready**:
+
+```output
+NAME             STATUS ROLES                AGE VERSION
+moc-l0ttdmaioew  Ready  control-plane,master 34m v1.24.11
+moc-ls38tngowsl  Ready  <none>               32m v1.24.11
+```
+
+## Next steps
+
+[AKS Arc overview](overview.md)

azure-local/known-issues.md

@@ -71,6 +71,7 @@ The following table lists the known issues in this release:
 |Feature  |Issue  |Workaround  |
 |---------|---------|---------|
 | Update <!--54889342--> |  A critical VM operational status not OK alert is shown in the Azure portal under **Update readiness** and in the **Alerts** pane after the update has completed successfully. Additionally, the alert appears when running the `Get-HealthFault` cmdlet. | No action is required on your part. This alert will resolve automatically in a few days. |
+| Deployment <!-- 33153622-->| Updating Azure Arc extensions manually from the Azure Local Machine page via the Azure portal will result in issues during deployment. The extensions that shouldn't be updated manually are: `AzureEdgeDeviceManagement`, `AzureEdgeLifecycleManager`, and `AzureEdgeAKVBackupForWindows`. | Installing extensions manually from the Azure Local machine page is not supported. |
 
 ## Known issues from previous releases
 
@@ -221,7 +222,6 @@ The following table lists the fixed issues in this release:
 | Upgrade <!--30251075--> | Added a check to validate enough free memory to start an Azure Arc resource bridge VM.    |   |
 | Security <!--XXXX--> | Mitigation for security vulnerability CVE-2024-21302 was implemented. See the [Guidance for blocking rollback of Virtualization-based Security (VBS) related security updates](https://support.microsoft.com/topic/guidance-for-blocking-rollback-of-virtualization-based-security-vbs-related-security-updates-b2e7ebf4-f64d-4884-a390-38d63171b8d3)   |   |
 | Deployment  | During Azure Local deployment via portal, **Validate selected machines** fails with this error message: `Mandatory extension [Lcm controller] installed version [30.2503.0.907] is not equal to the required version [30.2411.2.789] for Arc machine [Name of the machine]. Please create EdgeDevice resource again for this machine to fix the issue.`   | Reinstall the correct version of `AzureEdgeLifecycleManager` extension. Follow these steps: <br> 1. Select the machine and then select **Install extensions**. <br> <br>![Screenshot of extension installation on Azure Local machines.](media/known-issues/select-machine-2.png)<br> <br> 2. Repeat this step for each machine you intend to cluster. It takes roughly 15 minutes for the installation to complete. <br> 3. Verify that the `AzureEdgeLifecycleManager` extension version is 30.2411.2.789. <br><br> ![Screenshot of extension version installed on Azure Local machines that can be validated.](media/known-issues/select-machine-1.png) <br><br> 4. After the extensions are installed on all the machines in the list, select **Add machines** to refresh the list. <br> 5. Select **Validate selected machines**. The validation should succeed. |
-| Deployment <!--31699269--> | During the Azure Local deployment and update on OEM-licensed devices, `ConfigureSecurityBaseline` fails at the **Apply security settings on servers** step. | This issue is now fixed. |
 
 ## Known issues in this release
 
@@ -288,7 +288,6 @@ The following table lists the known issues from previous releases:
 
 |Feature  |Issue  |Workaround  |
 |---------|---------|---------|
-| Deployment <!--31699269-->| This issue affects deployment and update on OEM-licensed devices. During deployment, you might see this error at **Apply security settings on servers**: <br></br>`Type 'ConfigureSecurityBaseline' of Role 'AzureStackOSConfig' raised an exception: [ConfigureSecurityBaseline] ConfigureSecurityBaseline failed on <server name> with exception: -> Failed to apply OSConfiguration enforcement for ASHCIApplianceSecurityBaselineConfig on <server name>`. | If you haven’t started the update, see [Azure Local OEM license devices](https://github.com/Azure/AzureLocal-Supportability/blob/main/TSG/Security/TSG-Azure-Local-HCI-OEM-license-devices.md) to apply the preventive steps before updating to Azure Local 2411.3. <br></br> If you’ve encountered the issue, use the same insructions to validate and apply the mitigation. |
 | Azure Local VM management | The Mochostagent service might appear to be running but can get stuck without updating logs for over a month. You can identify this issue by checking the service logs in `C:\programdata\mochostagent\logs` to see if logs are being updated. | Run the following command to restart the mochostagent service: `restart-service mochostagent`. |
 | Update | When viewing the readiness check results for an Azure Local instance via the Azure Update Manager, there might be multiple readiness checks with the same name.  |There's no known workaround in this release. Select **View details** to view specific information about the readiness check. |
 | Update | There's an intermittent issue in this release when the Azure portal incorrectly reports the update status as **Failed to update** or **In progress** though the update is complete.  |[Connect to your Azure Local instance](./update/update-via-powershell-23h2.md#connect-to-your-azure-local) via a remote PowerShell session. To confirm the update status, run the following PowerShell cmdlets: <br><br> `$Update = get-solutionupdate`\| `? version -eq "<version string>"`<br><br>Replace the version string with the version you're running. For example, "10.2405.0.23". <br><br>`$Update.state`<br><br>If the update status is **Installed**, no further action is required on your part. Azure portal refreshes the status correctly within 24 hours. <br> To refresh the status sooner, follow these steps on one of the nodes. <br>Restart the Cloud Management cluster group.<br>`Stop-ClusterGroup "Cloud Management"`<br>`Start-ClusterGroup "Cloud Management"`|
@@ -330,11 +329,13 @@ The following issues are fixed in this release:
 
 ## Known issues in this release
 
-The following table lists the known issues in this release:
+There's no known issue in this release. Any previously known issues have been fixed in subsequent releases.
+
+<!--The following table lists the known issues in this release:
 
 |Feature  |Issue  |Workaround  |
 |---------|---------|---------|
-| Deployment <!--31699269-->| This issue affects deployment and update on OEM-licensed devices. During deployment, you might see this error at **Apply security settings on servers**: <br></br>`Type 'ConfigureSecurityBaseline' of Role 'AzureStackOSConfig' raised an exception: [ConfigureSecurityBaseline] ConfigureSecurityBaseline failed on <server name> with exception: -> Failed to apply OSConfiguration enforcement for ASHCIApplianceSecurityBaselineConfig on <server name>`. | If you haven’t started the update, see [Azure Local OEM license devices](https://github.com/Azure/AzureLocal-Supportability/blob/main/TSG/Security/TSG-Azure-Local-HCI-OEM-license-devices.md) to apply the preventive steps before updating to Azure Local 2411.3. <br></br> If you’ve encountered the issue, use the same insructions to validate and apply the mitigation. |
+| Deployment <!--31699269--| This issue affects deployment and update on OEM-licensed devices. During deployment, you might see this error at **Apply security settings on servers**: <br></br>`Type 'ConfigureSecurityBaseline' of Role 'AzureStackOSConfig' raised an exception: [ConfigureSecurityBaseline] ConfigureSecurityBaseline failed on <server name> with exception: -> Failed to apply OSConfiguration enforcement for ASHCIApplianceSecurityBaselineConfig on <server name>`. | If you haven’t started the update, see [Azure Local OEM license devices](https://github.com/Azure/AzureLocal-Supportability/blob/main/TSG/Security/TSG-Azure-Local-HCI-OEM-license-devices.md) to apply the preventive steps before updating to Azure Local 2411.3. <br></br> If you’ve encountered the issue, use the same insructions to validate and apply the mitigation. |-->
 
 
 ## Known issues from previous releases

azure-local/manage/arc-extension-management.md

@@ -6,7 +6,7 @@ ms.author: robess
 ms.topic: how-to
 ms.custom: devx-track-azurecli, devx-track-azurepowershell
 ms.reviewer: arduppal
-ms.date: 10/22/2024
+ms.date: 06/12/2025
 ---
 
 # Azure Arc extension management on Azure Local
@@ -385,9 +385,9 @@ New-AzStackHciExtension `
 
 ### Manual extension upgrade via the Azure portal
 
-The manual extension upgrade works like the [Automatic extension upgrade](/azure/azure-arc/servers/manage-automatic-vm-extension-upgrade?tabs=azure-portal#how-does-automatic-extension-upgrade-work). On an Azure Local Arc-enabled cluster, when you manually upgrade an extension, Azure saves the version you've selected. Azure then attempts to upgrade the extension on all nodes in the cluster to that version.
+The manual extension upgrade works like the [Automatic extension upgrade](/azure/azure-arc/servers/manage-automatic-vm-extension-upgrade?tabs=azure-portal#how-does-automatic-extension-upgrade-work). On an Azure Local Arc-enabled cluster, when you manually upgrade an extension, Azure saves the version you've selected. Azure then attempts to upgrade the extension on all nodes in the cluster to that version. Make sure that [extensions are supported for manual upgrade](#extensions-not-supported-for-manual-upgrade).
 
-On some servers, if the extension upgrade fails the platform attempts to upgrade to the selected version during the next [Azure Local cloud sync](../faq.yml).
+On some servers, if the extension upgrade fails, the platform attempts to upgrade to the selected version during the next [Azure Local cloud sync](../faq.yml).
 
 Use the manual workflow in these scenarios:
 
@@ -404,6 +404,13 @@ To manually upgrade an extension, follow these steps:
 
 3. Choose the latest version and select **Save**.
 
+
+#### Extensions not supported for manual upgrade
+
+Updating Azure Arc extensions manually from the Azure Local Machine page via the Azure portal may result in issues during deployment. The extensions that shouldn't be updated manually are: `AzureEdgeDeviceManagement`, `AzureEdgeLifecycleManager`, and `AzureEdgeAKVBackupForWindows` as shown in the figure.
+
+:::image type="content" source="media/arc-extension-management/arc-extension-installation.png" alt-text="Screenshot of extensions that shouldn't be manually updated." lightbox="media/arc-extension-management/arc-extension-installation.png":::
+
 ### Disable automatic extension upgrade
 
 You can disable automatic upgrades for certain extensions in the Azure portal. To disable automatic upgrades, navigate to the **Extensions** page and perform these steps:

azure-local/manage/media/arc-extension-management/arc-extension-installation.png

@@ -2,7 +2,7 @@
 title: Create MySQL databases in Azure Stack Hub 
 description: Learn how to create and manage MySQL databases provisioned using the MySQL Adapter Resource Provider in Azure Stack Hub.
 author: sethmanheim
-ms.topic: article
+ms.topic: how-to
 ms.date: 1/17/2025
 ms.author: sethm
 ms.lastreviewed: 10/16/2019

azure-stack/operator/azure-stack-mysql-resource-provider-databases.md

@@ -2,7 +2,7 @@
 title: Deploy MySQL resource provider on Azure Stack Hub 
 description: Learn how to deploy the MySQL resource provider adapter and MySQL databases as a service on Azure Stack Hub.  
 author: sethmanheim
-ms.topic: article 
+ms.topic: install-set-up-deploy
 ms.date: 09/02/2021
 ms.author: sethm
 ms.reviewer: jiadu

azure-stack/operator/azure-stack-mysql-resource-provider-deploy.md

@@ -2,7 +2,7 @@
 title: Add MySQL hosting servers in Azure Stack Hub 
 description: Learn how to add MySQL hosting servers for provisioning through the MySQL Adapter Resource Provider.
 author: sethmanheim
-ms.topic: article
+ms.topic: how-to
 ms.date: 08/23/2022
 ms.author: sethm
 ms.reviewer: xiaofmao

azure-stack/operator/azure-stack-mysql-resource-provider-hosting-servers.md

@@ -2,7 +2,7 @@
 title: Remove the MySQL resource provider in Azure Stack Hub 
 description: Learn how to remove the MySQL resource provider from your Azure Stack Hub deployment.
 author: sethmanheim
-ms.topic: article
+ms.topic: how-to
 ms.date: 01/17/2025
 ms.author: sethm
 ms.lastreviewed: 09/26/2021