Merge branch 'main' into nl-tag-build-content-batch2

Author: rwestMSFT

azure-sql/includes/virtual-machines-port-exclusion.md

@@ -0,0 +1,56 @@
+---
+author: MashaMSFT
+ms.author: mathoma
+ms.date: 04/30/2025
+ms.service: azure-vm-sql-server
+ms.topic: include
+---
+When using an Azure Load Balancer to support a Virtual Network Name (VNN) resource, you must configure the cluster to reply to the health probe requests. If the health probe fails to get a response from a backend instance, then no new connections are sent to that backend instance until the health probe succeeds again. 
+
+To set the probe port parameter in PowerShell, use the following script once per applicable IP address resource: 
+
+```powershell
+$ClusterNetworkName = "<MyClusterNetworkName>" # The cluster network name. Use Get-ClusterNetwork on Windows Server 2012 or later to find the name. 
+$IPResourceName = "<IPResourceName>" # The IP address resource name. 
+[int]$ProbePort = <nnnnn> # The probe port that you configured in the health probe of the load balancer for a given Frontend IP Address. Any unused TCP port is valid.  
+
+Import-Module FailoverClusters  
+
+Get-ClusterResource $IPResourceName | Set-ClusterParameter -Multiple @{"Address"="$IPResourceName";"ProbePort"=$ProbePort;"SubnetMask"="255.255.255.255";"Network"="$ClusterNetworkName";"EnableDhcp"=0} 
+```
+
+The changes you make don't take effect until the IP address resource is taken offline and brought online again. Perform a failover of the resource for this change to take effect. 
+
+After you set the cluster probe, use the following PowerShell script to check cluster parameters: 
+
+```powershell
+Get-ClusterResource $IPResourceName | Get-ClusterParameter 
+```
+
+## Exclude ports from the dynamic port range
+
+When using a health probe port between 49,152 and 65,536 (the [default dynamic port range for TCP/IP](/windows/client-management/troubleshoot-tcpip-port-exhaust#default-dynamic-port-range-for-tcpip)), add an exclusion for each health probe port on every VM. 
+
+Configuring port exclusion prevents other system processes from being dynamically assigned the same port on the VM
+
+To set a port exclusion, use the following PowerShell script: 
+-  for each health probe port 
+-  on every VM
+
+```powershell
+[int]$ProbePort = <nnnnn> # The probe port that you configured in the health probe of the load balancer. Any unused TCP port is valid. 
+
+netsh int ipv4 add excludedportrange tcp startport=$ProbePort numberofports=1 store=persistent 
+```
+
+To confirm that exclusions have been configured correctly, use the following command: 
+
+```powershell
+netsh int ipv4 show excludedportrange tcp 
+```
+
+
+
+
+
+

azure-sql/virtual-machines/windows/availability-group-az-commandline-configure.md

@@ -193,7 +193,6 @@ Although the disk witness is the most resilient quorum option, it requires an Az
 
 If you have an even number of votes in the cluster, configure the [quorum solution](hadr-cluster-quorum-configure-how-to.md) that best suits your business needs. For more information, see [Quorum with SQL Server VMs](hadr-windows-server-failover-cluster-overview.md#quorum). 
 
-
 ## Validate cluster 
 
 For a failover cluster to be supported by Microsoft, it must pass cluster validation. Connect to the VM using your preferred method, such as [Bastion](/azure/bastion/bastion-connect-vm-rdp-windows), and validate that your cluster passes validation before proceeding further. Failure to do so leaves your cluster in an unsupported state. 
@@ -217,8 +216,9 @@ Manually create the availability group as you normally would, by using [SQL Serv
 
 The Always On availability group listener requires an internal instance of Azure Load Balancer. The internal load balancer provides a "floating" IP address for the availability group listener that allows for faster failover and reconnection. If the SQL Server VMs in an availability group are part of the same availability set, you can use a Basic load balancer. Otherwise, you need to use a Standard load balancer.  
 
-> [!NOTE]
-> The internal load balancer should be in the same virtual network as the SQL Server VM instances. 
+> [!IMPORTANT]
+> - The internal load balancer should be in the same virtual network as the SQL Server VM instances. 
+> - The public IP resource for each SQL Server VM should have a Standard SKU to be compatible with the Standard load balancer. To determine the SKU of your VM's public IP resource, go to **Resource Group**, select your **Public IP Address** resource for the desired SQL Server VM, and locate the value under **SKU** in the **Overview** pane.  
 
 The following code snippet creates the internal load balancer:
 
@@ -247,8 +247,6 @@ $intLb = New-AzLoadBalancer -name <load balancer name> -ResourceGroupName <resou
 
 ---
 
->[!IMPORTANT]
-> The public IP resource for each SQL Server VM should have a Standard SKU to be compatible with the Standard load balancer. To determine the SKU of your VM's public IP resource, go to **Resource Group**, select your **Public IP Address** resource for the desired SQL Server VM, and locate the value under **SKU** in the **Overview** pane.  
 
 ## Create listener
 
@@ -337,6 +335,10 @@ New-AzAvailabilityGroupListener -ResourceGroupName <resource group name> `
 
 ---
 
+## Configure probe port
+
+[!INCLUDE [virtual-machines-port-exclusion](../../includes/virtual-machines-port-exclusion.md)]
+
 ## Modify number of replicas 
 There's an added layer of complexity when you're deploying an availability group to SQL Server VMs hosted in Azure. The resource provider and the virtual machine group now manage the resources. As such, when you're adding or removing replicas in the availability group, there's an additional step of updating the listener metadata with information about the SQL Server VMs. When you're modifying the number of replicas in the availability group, you must also use the [az sql vm group ag-listener update](/cli/azure/sql/vm/group/ag-listener#az-sql-vm-group-ag-listener-update) command to update the listener with the metadata of the SQL Server VMs. 
 

azure-sql/virtual-machines/windows/availability-group-clusterless-workgroup-configure.md

@@ -15,7 +15,6 @@ tags: azure-service-management
 
 This article explains the steps necessary to create an Active Directory domain-independent cluster with an Always On availability group; this is also known as a workgroup cluster. This article focuses on the steps that are relevant to preparing and configuring the workgroup and availability group, and glosses over steps that are covered in other articles, such as how to create the cluster, or deploy the availability group. 
 
-
 ## Prerequisites
 
 To configure a workgroup availability group, you need the following:
@@ -35,7 +34,6 @@ For reference, the following parameters are used in this article, but can be mod
 | **DNS suffix** | ag.wgcluster.example.com | 
 | **Work group name** | AGWorkgroup | 
 
-
 ## Set a DNS suffix 
 
 In this step, configure the DNS suffix for both servers. For example, `ag.wgcluster.example.com`. This allows you to use the name of the object you want to connect to as a fully qualified address within your network, such as `AGNode1.ag.wgcluster.example.com`. 
@@ -280,7 +278,7 @@ In this step, configure your availability group, and add your databases to it. D
 
 ## Configure a load balancer
 
-In this final step, configure the load balancer using either the [Azure portal](availability-group-load-balancer-portal-configure.md) or [PowerShell](availability-group-listener-powershell-configure.md).
+In this final step, configure the load balancer by using either the [Azure portal](availability-group-load-balancer-portal-configure.md) or [PowerShell](availability-group-listener-powershell-configure.md).
 
 However, there may be some [limitations](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/sql-server-workgroup-cluster-fcm-errors/ba-p/371387) when using the Windows Cluster GUI, and as such, you should use PowerShell to create a client access point or the network name for your listener with the following example script:
 
@@ -295,9 +293,11 @@ Set-ClusterResourceDependency -Resource TestName -Dependency "[IPAddress1] or [I
 Start-ClusterResource -Name TestName -Verbose 
 ```
 
+## Configure probe port
 
+[!INCLUDE [virtual-machines-port-exclusion](../../includes/virtual-machines-port-exclusion.md)]
 
-## Next steps
+## Related content
 
 Once the availability group is deployed, consider optimizing the [HADR settings for SQL Server on Azure VMs](hadr-cluster-best-practices.md). 
 

azure-sql/virtual-machines/windows/availability-group-listener-powershell-configure.md

@@ -52,7 +52,7 @@ If you are restricting access with an Azure Network Security Group, ensure that
 
 ## Determine the load balancer SKU required
 
-[Azure load balancer](/azure/load-balancer/load-balancer-overview) is available in two SKUs: Basic & Standard. The standard load balancer is recommended as the  Basic SKU is scheduled to be [retired on September 30, 2025](https://azure.microsoft.com/updates/azure-basic-load-balancer-will-be-retired-on-30-september-2025-upgrade-to-standard-load-balancer/). The standard load balancer is required for virtual machines in an availability zone.  Standard load balancer requires that all VM IP addresses use standard IP addresses.
+[Azure load balancer](/azure/load-balancer/load-balancer-overview) is available in two SKUs: Basic & Standard. The standard load balancer is recommended as the  Basic SKU is scheduled to be [retired on September 30, 2025](https://azure.microsoft.com/updates/azure-basic-load-balancer-will-be-retired-on-30-september-2025-upgrade-to-standard-load-balancer/). The standard load balancer is required for virtual machines in an availability zone. Standard load balancer requires that all VM IP addresses use standard IP addresses.
 
 The current [Microsoft template](./availability-group-quickstart-template-configure.md) for an availability group uses a basic load balancer with basic IP addresses.
 
@@ -127,6 +127,7 @@ foreach($VMName in $VMNames)
     }
 ```
 
+
 ## <a name="Add-IP"></a> Example script: Add an IP address to an existing load balancer with PowerShell
 
 To use more than one availability group, add an additional IP address to the load balancer. Each IP address requires its own load-balancing rule, probe port, and front port. 
@@ -255,7 +256,7 @@ Use the following PowerShell cmdlets to create an internal load balancer for Azu
 * [New-AzLoadBalancerProbeConfig](/powershell/module/Az.Network/New-AzLoadBalancerProbeConfig) creates a probe configuration for a load balancer.
 * [Remove-AzLoadBalancer](/powershell/module/Az.Network/Remove-AzLoadBalancer) removes a load balancer from an Azure resource group.
 
-## Next steps 
+## Related content 
 
 
 To learn more, see:

azure-sql/virtual-machines/windows/availability-group-quickstart-template-configure.md

@@ -167,7 +167,7 @@ To configure the internal load balancer and create the availability group listen
    | **Listener** | The DNS name that you want to assign to the listener. By default, this template specifies the name "aglistener," but you can change it. The name should not exceed 15 characters. |
    | **Listener Port** | The port that you want the listener to  use. Typically, this port should be the default of 1433. This is the port number that the template specifies. But if your default port has been changed, the listener port should use that value instead. | 
    | **Listener IP** | The IP address that you want the listener to use. This address will be created during template deployment, so provide one that isn't already in use.  |
-   | **Existing Subnet** | The name of the internal subnet of your SQL Server VMs (for example: *default*). You can determine this value by going to **Resource Group**, selecting your virtual network, selecting **Subnets** in the **Settings** pane, and copying the value under **Name**. |
+| **Existing Subnet** | The name of the internal subnet of your SQL Server VMs (for example: *default*). You can determine this value by going to **Resource Group**, selecting your virtual network, selecting **Subnets** in the **Settings** pane, and copying the value under **Name**. |
    | **Existing Internal Load Balancer** | The name of the internal load balancer that you created in step 3. |
    | **Probe Port** | The probe port that you want the internal load balancer to use. The template uses 59999 by default, but you can change this value. |
 
@@ -178,6 +178,10 @@ To configure the internal load balancer and create the availability group listen
 >[!NOTE]
 >If your deployment fails halfway through, you'll need to manually [remove the newly created listener](#remove-listener) by using PowerShell before you redeploy the **101-sql-vm-aglistener-setup** quickstart template. 
 
+## Configure probe port
+
+[!INCLUDE [virtual-machines-port-exclusion](../../includes/virtual-machines-port-exclusion.md)]
+
 ## Remove listener
 If you later need to remove the availability group listener that the template configured, you must go through the SQL IaaS Agent extension. Because the listener is registered through the SQL IaaS Agent extension, just deleting it via SQL Server Management Studio is insufficient. 
 

azure-sql/virtual-machines/windows/availability-group-vnn-azure-load-balancer-configure.md

@@ -4,7 +4,7 @@ description: Learn to configure an Azure load balancer to route traffic to the v
 author: AbdullahMSFT
 ms.author: amamun
 ms.reviewer: mathoma
-ms.date: 06/18/2024
+ms.date: 04/30/2025
 ms.service: azure-vm-sql-server
 ms.subservice: hadr
 ms.topic: how-to
@@ -207,6 +207,28 @@ Get-ClusterResource $IPResourceName | Get-ClusterParameter
 
 ---
 
+## Configure port exclusion 
+
+When using a health probe port between 49,152 and 65,536 (the [default dynamic port range for TCP/IP](/windows/client-management/troubleshoot-tcpip-port-exhaust#default-dynamic-port-range-for-tcpip)), add an exclusion for each health probe port on every VM. 
+
+Configuring port exclusion prevents other system processes from being dynamically assigned the same port on the VM
+
+To set a port exclusion, use the following PowerShell script: 
+-  for each health probe port 
+-  on every VM
+
+```powershell
+[int]$ProbePort = <nnnnn> # The probe port that you configured in the health probe of the load balancer. Any unused TCP port is valid. 
+
+netsh int ipv4 add excludedportrange tcp startport=$ProbePort numberofports=1 store=persistent 
+```
+
+To confirm that exclusions have been configured correctly, use the following command: 
+
+```powershell
+netsh int ipv4 show excludedportrange tcp 
+```
+
 ## Modify the connection string 
 
 For clients that support it, add `MultiSubnetFailover=True` to the connection string. Although the `MultiSubnetFailover` connection option isn't required, it provides the benefit of a faster subnet failover. This is because the client driver tries to open a TCP socket for each IP address in parallel. The client driver waits for the first IP address to respond with success. After the successful response, the client driver uses that IP address for the connection.

azure-sql/virtual-machines/windows/failover-cluster-instance-vnn-azure-load-balancer-configure.md

@@ -4,7 +4,7 @@ description: Learn to configure an Azure Load Balancer to route traffic to the v
 author: AbdullahMSFT
 ms.author: amamun
 ms.reviewer: mathoma
-ms.date: 06/18/2024
+ms.date: 04/30/2025
 ms.service: azure-vm-sql-server
 ms.subservice: hadr
 ms.topic: how-to
@@ -203,6 +203,28 @@ Get-ClusterResource $IPResourceName | Get-ClusterParameter
 
 ---
 
+## Configure port exclusion 
+
+When using a health probe port between 49,152 and 65,536 (the [default dynamic port range for TCP/IP](/windows/client-management/troubleshoot-tcpip-port-exhaust#default-dynamic-port-range-for-tcpip)), add an exclusion for each health probe port on every VM. 
+
+Configuring port exclusion prevents other system processes from being dynamically assigned the same port on the VM
+
+To set a port exclusion, use the following PowerShell script: 
+-  for each health probe port 
+-  on every VM
+
+```powershell
+[int]$ProbePort = <nnnnn> # The probe port that you configured in the health probe of the load balancer. Any unused TCP port is valid. 
+
+netsh int ipv4 add excludedportrange tcp startport=$ProbePort numberofports=1 store=persistent 
+```
+
+To confirm that exclusions have been configured correctly, use the following command: 
+
+```powershell
+netsh int ipv4 show excludedportrange tcp 
+```
+
 ## Modify the connection string 
 
 For clients that support it, add `MultiSubnetFailover=True` to the connection string. Although the `MultiSubnetFailover` connection option isn't required, it provides the benefit of a faster subnet failover. This is because the client driver tries to open a TCP socket for each IP address in parallel. The client driver waits for the first IP address to respond with success. After the successful response, the client driver uses that IP address for the connection.