Merge pull request #310153 from MicrosoftDocs/main

Auto Publish – main to live - 2026-01-06 06:00 UTC

Author: learn-build-service-prod[bot]

articles/azure-app-configuration/TOC.yml

@@ -315,6 +315,8 @@
       href: howto-set-up-private-access.md
     - name: Disable public network access
       href: howto-disable-public-access.md
+    - name: Network access errors
+      href: network-access-errors.md
   - name: Data encryption
     items:
     - name: Add Managed Identities

articles/azure-app-configuration/network-access-errors.md

@@ -0,0 +1,45 @@
+---
+title: Azure App Configuration network access errors
+description: Reference page for network access errors when using the Azure App Configuration data plane
+author: austintolani 
+ms.author: austintolani
+ms.service: azure-app-configuration
+ms.topic: reference
+ms.date: 1/5/2026
+---
+
+# Network access errors
+
+This article describes network access related errors that can occur when making requests to the Azure App Configuration data plane. 
+
+## IP address rejected
+
+When public network access is disabled for a configuration store, requests will be rejected unless they meet the criteria for inbound access.
+
+### Error response
+
+```http
+HTTP/1.1 403 Forbidden
+Content-Type: application/problem+json; charset=utf-8
+```
+
+```json
+{
+  "type": "https://azconfig.io/errors/ip-address-rejected",
+  "title": "Access to this resource is governed by a network access policy. The client IP address fails to meet the criteria for access.",
+  "status": 403
+}
+```
+
+**Reason:** The configuration store has public network access disabled and the IP address that the request originates from doesn't meet the criteria for inbound access.
+
+**Solution:** When a configuration store has public network access disabled, requests must originate from within a virtual network via a private endpoint.
+- Verify that the client making the request is within a virtual network and the relevant [DNS changes](./concept-private-endpoint.md#dns-changes-for-private-endpoints) are in place to ensure the endpoint of the configuration store resolves to the IP address of the private endpoint connected to the configuration store.
+- Verify that the private endpoint connection associated with the private endpoint has been approved. 
+
+## Related documentation
+
+- [Use private endpoints for Azure App Configuration](./concept-private-endpoint.md)
+- [Set up private access in Azure App Configuration](./howto-set-up-private-access.md)
+- [Disable public access in Azure App Configuration](./howto-disable-public-access.md)
+- [Troubleshoot Azure Private Endpoint connectivity problems](../private-link/troubleshoot-private-endpoint-connectivity.md)

articles/batch/batch-applications-to-pool-nodes.md

@@ -2,7 +2,7 @@
 title: Copy applications and data to pool nodes
 description: Learn how to copy applications and data to pool nodes.
 ms.topic: how-to
-ms.date: 07/01/2025
+ms.date: 01/05/2026
 # Customer intent: As a cloud engineer, I want to understand the methods for copying applications and data to compute nodes in Azure Batch, so that I can effectively manage data dependencies for different job types and optimize resource usage across the pool.
 ---
 
@@ -20,9 +20,9 @@ You need to determine the scope of a file - is the file required for a pool, a j
 
 For applications or data that need to be installed on every node in the pool, use pool start task resource files. Use this method along with either an [application package](batch-application-packages.md) or the start task's resource file collection in order to perform an install command.  
 
-For example, you can use the start task command line to move or install applications. You can also specify a list of files or containers in an Azure storage account. For more information, see [Add#ResourceFile in REST documentation](/rest/api/batchservice/pool/add#resourcefile).
+For example, you can use the start task command line to move or install applications. You can also specify a list of files or containers in an Azure storage account. For more information, see [ResourceFile in REST documentation](/rest/api/batchservice/pools/create-pool#resourcefile).
 
-If every job that runs on the pool runs an application (.exe) that must first be installed with a .msi file, you'll need to set the start task's **wait for success** property to **true**. For more information, see [Add#StartTask in REST documentation](/rest/api/batchservice/pool/add#starttask).
+If every job that runs on the pool runs an application (.exe) that must first be installed with a .msi file, you'll need to set the start task's **wait for success** property to **true**. For more information, see [StartTask in REST documentation](/rest/api/batchmanagement/pool/create#starttask).
 
 ## Application package references
 

articles/batch/batch-certificate-migration-guide.md

@@ -3,7 +3,7 @@ title: Migrate Batch account certificates to Azure Key Vault
 description: Learn how to migrate Batch account certificates to Azure Key Vault and plan for feature end of support.
 ms.service: azure-batch
 ms.topic: how-to
-ms.date: 07/01/2025
+ms.date: 01/05/2026
 # Customer intent: "As a cloud administrator, I want to migrate Batch account certificates to Azure Key Vault, so that I can ensure continued secure access and management of my certificates after the Batch account certificates feature is retired on February 29, 2024."
 ---
 
@@ -13,7 +13,7 @@ On *February 29, 2024*, the Azure Batch account certificates feature will be ret
 
 ## About the feature
 
-Certificates are often required in various scenarios such as decrypting a secret, securing communication channels, or [accessing another service](credential-access-key-vault.md). Currently, Azure Batch offers two ways to manage certificates on Batch pools. You can add certificates to a Batch account or you can use the Azure Key Vault VM extension to manage certificates on Batch pools. Only the [certificate functionality on an Azure Batch account](/rest/api/batchservice/certificate) and the functionality it extends to Batch pools via `CertificateReference` to [Add Pool](/rest/api/batchservice/pool/add#certificatereference), [Patch Pool](/rest/api/batchservice/pool/patch#certificatereference), [Update Properties](/rest/api/batchservice/pool/update-properties#certificatereference) and the corresponding references on Get and List Pool APIs are being retired. Additionally, for Linux pools, the environment variable `$AZ_BATCH_CERTIFICATES_DIR` will no longer be defined and populated.
+Certificates are often required in various scenarios such as decrypting a secret, securing communication channels, or [accessing another service](credential-access-key-vault.md). Currently, Azure Batch offers two ways to manage certificates on Batch pools. You can add certificates to a Batch account or you can use the Azure Key Vault VM extension to manage certificates on Batch pools. For Linux pools, the environment variable `$AZ_BATCH_CERTIFICATES_DIR` will no longer be defined and populated.
 
 ## Feature end of support
 

articles/batch/batch-cli-get-started.md

@@ -2,7 +2,7 @@
 title: Get started with Azure CLI for Batch
 description: Learn how to manage Azure Batch service resources using the Azure Command Line Interface (Azure CLI).
 ms.topic: how-to
-ms.date: 07/01/2025
+ms.date: 01/05/2026
 ms.custom: H1Hack27Feb2017, devx-track-azurecli
 
 # Customer intent: As a cloud developer, I want to learn how to manage Azure Batch resources using the command-line interface, so that I can automate resource management tasks and improve efficiency in my cloud workflows.
@@ -97,7 +97,7 @@ When you specify a JSON file for a new resource, don't use other parameters in y
 
 The [Batch REST API reference](/rest/api/batchservice/) documentation lists any JSON syntax required to create a resource. 
 
-To see the JSON syntax required to create a resource, refer to the [Batch REST API reference](/rest/api/batchservice/) documentation. Go to the **Examples** section in the resource operation's reference page. Then, find the subsection titled **Add \<resource type>**. For example, [Add a basic task](/rest/api/batchservice/task/add#add-a-basic-task). Use the example JSON code as templates for your configuration files. 
+To see the JSON syntax required to create a resource, refer to the [Batch REST API reference](/rest/api/batchservice/) documentation. Go to the **Examples** section in the resource operation's reference page. Then, find the subsection titled **Add \<resource type>**. For example, [Add a basic task](/rest/api/batchservice/tasks/create-task). Use the example JSON code as templates for your configuration files. 
 
 For a sample script that specifies a JSON file, see [Run a job and tasks with Batch](./scripts/batch-cli-sample-run-job.md).
 

articles/batch/batch-compute-node-environment-variables.md

@@ -2,7 +2,7 @@
 title: Task runtime environment variables
 description: Task runtime environment variable guidance and reference for Azure Batch Analytics.
 ms.topic: concept-article
-ms.date: 06/13/2024
+ms.date: 01/05/2026
 # Customer intent: As a cloud engineer, I want to understand the Azure Batch runtime environment variables so that I can effectively reference them in my task command lines for successful execution within the Batch computing environment.
 ---
 
@@ -40,7 +40,7 @@ The command lines executed by tasks on compute nodes don't run under a shell. Th
 | AZ_BATCH_ACCOUNT_NAME           | The name of the Batch account that the task belongs to.                  | All tasks.   | mybatchaccount |
 | AZ_BATCH_ACCOUNT_URL            | The URL of the Batch account. | All tasks. | `https://myaccount.westus.batch.azure.com` |
 | AZ_BATCH_APP_PACKAGE            | A prefix of all the app package environment variables. For example, if Application "FOO" version "1" is installed onto a pool, the environment variable is AZ_BATCH_APP_PACKAGE_FOO_1 (on Linux) or AZ_BATCH_APP_PACKAGE_FOO#1 (on Windows). AZ_BATCH_APP_PACKAGE_FOO_1 points to the location that the package was downloaded (a folder). When using the default version of the app package, use the AZ_BATCH_APP_PACKAGE environment variable without the version numbers. If in Linux, and the application package name is "Agent-linux-x64" and the version is "1.1.46.0, the environment name is actually: AZ_BATCH_APP_PACKAGE_agent_linux_x64_1_1_46_0, using underscores and lower case. For more information, see [Execute the installed applications](batch-application-packages.md#execute-the-installed-applications) for more details. | Any task with an associated app package. Also available for all tasks if the node itself has application packages. | AZ_BATCH_APP_PACKAGE_FOO_1 (Linux) or AZ_BATCH_APP_PACKAGE_FOO#1 (Windows) |
-| AZ_BATCH_AUTHENTICATION_TOKEN   | An authentication token that grants access to a limited set of Batch service operations. This environment variable is only present if the [authenticationTokenSettings](/rest/api/batchservice/task/add#authenticationtokensettings) are set when the [task is added](/rest/api/batchservice/task/add#request-body). The token value is used in the Batch APIs as credentials to create a Batch client, such as in the [BatchClient.Open() .NET API](/dotnet/api/microsoft.azure.batch.batchclient.open#Microsoft_Azure_Batch_BatchClient_Open_Microsoft_Azure_Batch_Auth_BatchTokenCredentials_). The token doesn't support private networking. | All tasks. | OAuth2 access token |
+| AZ_BATCH_AUTHENTICATION_TOKEN   | An authentication token that grants access to a limited set of Batch service operations. This environment variable is only present if the [authenticationTokenSettings](/rest/api/batchservice/tasks/create-task#authenticationtokensettings) are set when the [task is added](/rest/api/batchservice/tasks/create-task#request-body). The token value is used in the Batch APIs as credentials to create a Batch client, such as in the [BatchClient.Open() .NET API](/dotnet/api/microsoft.azure.batch.batchclient.open#Microsoft_Azure_Batch_BatchClient_Open_Microsoft_Azure_Batch_Auth_BatchTokenCredentials_). The token doesn't support private networking. | All tasks. | OAuth2 access token |
 | AZ_BATCH_CERTIFICATES_DIR       | A directory within the [task working directory](files-and-directories.md) in which certificates are stored for Linux compute nodes. This environment variable does not apply to Windows compute nodes.                                                  | All tasks.   |  /mnt/batch/tasks/workitems/batchjob001/job-1/task001/certs |
 | AZ_BATCH_HOST_LIST              | The list of nodes that are allocated to a [multi-instance task](batch-mpi.md) in the format `nodeIP,nodeIP`. | Multi-instance primary and subtasks. | `10.0.0.4,10.0.0.5` |
 | AZ_BATCH_IS_CURRENT_NODE_MASTER | Specifies whether the current node is the master node for a [multi-instance task](batch-mpi.md). Possible values are `true` and `false`.| Multi-instance primary and subtasks. | `true` |

articles/batch/batch-custom-images.md

@@ -2,7 +2,7 @@
 title: Use a managed image to create a custom image pool
 description: Create a Batch custom image pool from a managed image to provision compute nodes with the software and data for your application.
 ms.topic: concept-article
-ms.date: 03/18/2024
+ms.date: 01/05/2026
 ms.devlang: csharp
 # Customer intent: As a cloud architect, I want to create a custom image pool using a managed image so that I can provision virtual machines with tailored software and configurations for my batch processing applications.
 ---
@@ -39,7 +39,7 @@ To scale Batch pools reliably with a managed image, we recommend creating the ma
 
 ### Prepare a VM
 
-If you're creating a new VM for the image, use a first party Azure Marketplace image supported by Batch as the base image for your managed image. Only first party images can be used as a base image. To get a full list of Azure Marketplace image references supported by Azure Batch, see [List Supported Images](/rest/api/batchservice/account/listsupportedimages).
+If you're creating a new VM for the image, use a first party Azure Marketplace image supported by Batch as the base image for your managed image. Only first party images can be used as a base image. To get a full list of Azure Marketplace image references supported by Azure Batch, see [List Supported Images](/rest/api/batchservice/pools/list-supported-images).
 
 > [!NOTE]
 > You can't use a third-party image that has additional license and purchase terms as your base image. For information about these Marketplace images, see the guidance for [Linux](/azure/virtual-machines/linux/cli-ps-findimage#check-the-purchase-plan-information) or [Windows](/azure/virtual-machines/windows/cli-ps-findimage#view-purchase-plan-properties) VMs.
@@ -138,7 +138,7 @@ Also note the following considerations:
 
   Limits may be reduced if you configure the pool with [inbound NAT pools](pool-endpoint-configuration.md).
 
-- **Resize timeout** - If your pool contains a fixed number of nodes (doesn't autoscale), increase the resizeTimeout property of the pool to a value such as 20-30 minutes. If your pool doesn't reach its target size within the timeout period, perform another [resize operation](/rest/api/batchservice/pool/resize).
+- **Resize timeout** - If your pool contains a fixed number of nodes (doesn't autoscale), increase the resizeTimeout property of the pool to a value such as 20-30 minutes. If your pool doesn't reach its target size within the timeout period, perform another [resize operation](/rest/api/batchservice/pools/resize-pool).
 
   If you plan a pool with more than 300 compute nodes, you might need to resize the pool multiple times to reach the target size.
 

articles/batch/batch-customer-managed-key.md

@@ -2,7 +2,7 @@
 title: Configure customer-managed keys for your Azure Batch account with Azure Key Vault and Managed Identity
 description: Learn how to encrypt Batch data using customer-managed keys.
 ms.topic: how-to
-ms.date: 07/01/2025
+ms.date: 01/05/2026
 ms.devlang: csharp
 ms.custom: devx-track-azurecli
 # Customer intent: As a cloud solutions architect, I want to configure customer-managed keys for my Azure Batch account using Azure Key Vault and managed identities, so that I can enhance data security and control over the encryption of sensitive information.
@@ -215,7 +215,7 @@ az batch account set \
 - **How can I rotate my keys?** Customer-managed keys aren't automatically rotated unless the [key is versionless with an appropriate key rotation policy set within Key Vault](/azure/key-vault/keys/how-to-configure-key-rotation). To manually rotate the key, update the Key Identifier that the account is associated with.
 - **After I restore access how long will it take for the Batch account to work again?** It can take up to 10 minutes for the account to be accessible again once access is restored.
 - **While the Batch Account is unavailable what happens to my resources?** Any pools that are active when Batch access to the customer-managed key is lost will continue to run. However, the nodes in these pools will transition into an unavailable state, and tasks will stop running (and be requeued). Once access is restored, nodes become available again, and tasks are restarted.
-- **Does this encryption mechanism apply to VM disks in a Batch pool?** No. For Cloud Services Configuration pools (which are [deprecated](https://azure.microsoft.com/updates/azure-batch-cloudserviceconfiguration-pools-will-be-retired-on-29-february-2024/)), no encryption is applied for the OS and temporary disk. For Virtual Machine Configuration pools, the OS and any specified data disks are encrypted with a Microsoft platform managed key by default. Currently, you can't specify your own key for these disks. To encrypt the temporary disk of VMs for a Batch pool with a Microsoft platform managed key, you must enable the [diskEncryptionConfiguration](/rest/api/batchservice/pool/add#diskencryptionconfiguration) property in your [Virtual Machine Configuration](/rest/api/batchservice/pool/add#virtualmachineconfiguration) Pool. For highly sensitive environments, we recommend enabling temporary disk encryption and avoiding storing sensitive data on OS and data disks. For more information, see [Create a pool with disk encryption enabled](./disk-encryption.md)
+- **Does this encryption mechanism apply to VM disks in a Batch pool?** No. For Cloud Services Configuration pools (which are [deprecated](https://azure.microsoft.com/updates/azure-batch-cloudserviceconfiguration-pools-will-be-retired-on-29-february-2024/)), no encryption is applied for the OS and temporary disk. For Virtual Machine Configuration pools, the OS and any specified data disks are encrypted with a Microsoft platform managed key by default. Currently, you can't specify your own key for these disks. To encrypt the temporary disk of VMs for a Batch pool with a Microsoft platform managed key, you must enable the [diskEncryptionConfiguration](/rest/api/batchservice/pools/create-pool#diskencryptionconfiguration) property in your [Virtual Machine Configuration](/rest/api/batchservice/pools/create-pool#virtualmachineconfiguration) Pool. For highly sensitive environments, we recommend enabling temporary disk encryption and avoiding storing sensitive data on OS and data disks. For more information, see [Create a pool with disk encryption enabled](./disk-encryption.md)
 - **Is the system-assigned managed identity on the Batch account available on the compute nodes?** No. The system-assigned managed identity is currently used only for accessing the Azure Key Vault for the customer-managed key. To use a user-assigned managed identity on compute nodes, see [Configure managed identities in Batch pools](managed-identity-pools.md).
 
 ## Next steps