Merge pull request #310877 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-docs (branch main)

Author: Taojunshen

articles/active-directory-b2c/add-password-reset-policy.md

@@ -12,7 +12,7 @@ ms.subservice: b2c
 zone_pivot_groups: b2c-policy-type
 ms.custom: sfi-image-nochange
 
-#Customer Intent: As an Azure AD B2C administrator, I want to set up a password reset flow for local accounts, so that users can reset their passwords if they forget them.
+# Customer Intent: As an Azure AD B2C administrator, I want to set up a password reset flow for local accounts, so that users can reset their passwords if they forget them.
 ---
 
 # Set up a password reset flow in Azure Active Directory B2C
@@ -43,7 +43,7 @@ The default name of the **Change email** button in *selfAsserted.html* is **chan
 [!INCLUDE [active-directory-b2c-customization-prerequisites](../../includes/active-directory-b2c-customization-prerequisites.md)]
 
 
-- The B2C Users need to have an authentication method specified for self-service password reset. Select the B2C User, in the left menu under **Manage**, select **Authentication methods**. Ensure **Authentication contact info** is set. B2C users created via a Sign-up flow has this set by default. For users created via Azure Portal or by Graph API, you need to set **Authentication contact info** for SSPR to work. 
+- The B2C users need to have an authentication method specified for self-service password reset. Select the B2C User, in the left menu under **Manage**, select **Authentication methods**. Ensure **Authentication contact info** is set. B2C users created via a Sign-up flow has this set by default. For users created via Azure Portal or by Graph API, you need to set **Authentication contact info** for SSPR to work. 
 
 
 ## Self-service password reset (recommended)
@@ -52,7 +52,7 @@ The new password reset experience is now part of the sign-up or sign-in policy.
 
 ::: zone pivot="b2c-user-flow"
 
-The self-service password reset experience can be configured for the Sign in (Recommended) or Sign up and sign in (Recommended) user flows. If you don't have one of these user flows setup, create a [sign-up or sign-in](add-sign-up-and-sign-in-policy.md) user flow.
+The self-service password reset experience can be configured for the Sign in (Recommended) or Sign up and sign in (Recommended) user flows. If you don't have one of these user flows set up, create a [sign-up or sign-in](add-sign-up-and-sign-in-policy.md) user flow.
 
 To set up self-service password reset for the sign-up or sign-in user flow:
 

articles/application-gateway/application-gateway-faq.yml

@@ -443,6 +443,10 @@ sections:
         answer: |
           Yes, the Application Gateway v2 SKU supports Key Vault. For more information, see [TLS termination with Key Vault certificates](key-vault-certs.md).
 
+      - question: Why can't I select an Azure key vault from a different subscription in the Azure portal when configuring a TLS listener certificate on Application Gateway?
+        answer: |
+          The Azure portal currently allows selecting key vaults only from the same subscription as Application Gateway. This is a known portal limitation. However, Application Gateway does support using a key vault from a different subscription (within the same Microsoft Entra ID tenant) by configuring the certificate through the Azure CLI or PowerShell by using the key vault secret ID, provided the Application Gateway managed identity has the required permissions on the key vault.
+
       - question: How do I configure HTTPS listeners for .com and .NET sites?
         answer: |
           For multiple domain-based (host-based) routing, you can create multisite listeners, set up listeners that use HTTPS as the protocol, and associate the listeners with the routing rules. For more information, see [Hosting multiple sites by using Application Gateway](./multiple-site-overview.md).

articles/application-gateway/ingress-controller-annotations.md

@@ -38,8 +38,7 @@ For AGIC to observe an ingress resource, the resource *must be annotated* with `
 | [appgw.ingress.kubernetes.io/use-private-ip](#use-private-ip) | `bool` | `false` ||
 | [appgw.ingress.kubernetes.io/override-frontend-port](#override-frontend-port) | `bool` | `false` ||
 | [appgw.ingress.kubernetes.io/cookie-based-affinity](#cookie-based-affinity) | `bool` | `false` ||
-| [appgw.ingress.kubernetes.io/request-timeout]
-(#request-timeout) | `int32` (seconds) | `30` ||
+| [appgw.ingress.kubernetes.io/request-timeout](#request-timeout) | `int32` (seconds) | `30` ||
 | [appgw.ingress.kubernetes.io/use-private-ip](#use-private-ip) | `bool` | `false` ||
 | [appgw.ingress.kubernetes.io/backend-protocol](#backend-protocol) | `string` | `http` | `http`, `https` |
 | [appgw.ingress.kubernetes.io/hostname-extension](#hostname-extension) | `string` | `nil` ||

articles/route-server/expressroute-vpn-support.md

@@ -71,7 +71,6 @@ You can replace the SD-WAN appliance with an Azure VPN gateway to create a fully
 
 ### VPN gateway configuration considerations
 
-For Azure VPN gateways, route learning behavior depends on your BGP configuration:
 For Azure VPN gateways, route learning behavior depends on your BGP configuration. BGP-enabled VPN gateways learn on-premises routes dynamically through BGP, provide automatic route updates when network topology changes, and offer enhanced failover and redundancy capabilities. For configuration guidance on BGP-enabled gateways, see [Configure BGP for Azure VPN Gateway](../vpn-gateway/bgp-howto.md). In contrast, VPN gateways without BGP learn routes from local network gateway definitions, require static route configuration for on-premises networks, and need manual updates when topology changes occur. For configuration guidance on non-BGP gateways, see [Create a local network gateway](../vpn-gateway/tutorial-site-to-site-portal.md#LocalNetworkGateway).
 
 Regardless of BGP configuration, VPN gateways advertise learned routes to Azure Route Server when route exchange is enabled.
@@ -95,4 +94,4 @@ When troubleshooting route exchange issues, first verify that route exchange is
 - [Azure Route Server frequently asked questions](route-server-faq.md)
 - [Configure Azure Route Server](configure-route-server.md)
 - [Configure ExpressRoute and VPN coexistence](../expressroute/how-to-configure-coexisting-gateway-portal.md?toc=/azure/route-server/toc.json)
-- [Learn about routing preference with Azure Route Server](hub-routing-preference.md)
+- [Learn about routing preference with Azure Route Server](hub-routing-preference.md)

articles/sentinel/connect-aws.md

@@ -211,7 +211,7 @@ Setting up this connector has two steps:
 
 If your CloudWatch logs aren't in the format accepted by Microsoft Sentinel - .csv file in a GZIP format without a header - use a lambda function [view the source code](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AWS-S3/CloudWatchLambdaFunction.py) within AWS to send CloudWatch events to an S3 bucket in the accepted format.
 
-The lambda function uses Python 3.9 runtime and x86_64 architecture.
+The lambda function uses Python 3.12 runtime and x86_64 architecture.
 
 To deploy the lambda function:
 
@@ -220,7 +220,7 @@ To deploy the lambda function:
 
    :::image type="content" source="media/cloudwatch-lambda-function/lambda-basic-information.png" alt-text="Screenshot of the AWS Management Console Basic information screen." lightbox="media/cloudwatch-lambda-function/lambda-basic-information.png":::
 
-1. Type a name for the function and select **Python 3.9** as the runtime and **x86_64** as the architecture.
+1. Type a name for the function and select **Python 3.12** as the runtime and **x86_64** as the architecture.
 1. Select **Create function**.
 1. Under **Choose a layer**, select a layer and select **Add**.