Merge pull request #310982 from MicrosoftDocs/main

Auto Publish – main to live - 2026-01-28 06:00 UTC

Author: learn-build-service-prod[bot]

.openpublishing.redirection.json

@@ -2892,7 +2892,12 @@
     },
     {
       "source_path_from_root": "/articles/bastion/quickstart-developer-sku.md",
-      "redirect_url": "/azure/bastion/quickstart-developer",
+      "redirect_url": "/azure/bastion/quickstart-host-portal",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/bastion/quickstart-developer.md",
+      "redirect_url": "/azure/bastion/quickstart-host-portal",
       "redirect_document_id": false
     },
     {
@@ -2907,7 +2912,12 @@
     },
     {
       "source_path_from_root": "/articles/bastion/bastion-create-host-portal.md",
-      "redirect_url": "/azure/bastion/tutorial-create-host-portal",
+      "redirect_url": "/azure/bastion/quickstart-host-portal",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/bastion/tutorial-create-host-portal.md",
+      "redirect_url": "/azure/bastion/quickstart-host-portal",
       "redirect_document_id": false
     },
     {
@@ -6628,7 +6638,7 @@
     {
       "source_path": "articles/vpn-gateway/about-zone-redundant-vnet-gateways.md",
       "redirect_url": "/azure/reliability/reliability-virtual-network-gateway",
-      "redirect_document_id": true
+      "redirect_document_id": false
     },
     {
       "source_path": "articles/dns/dns-sdk.md",

articles/api-management/TOC.yml

@@ -129,6 +129,8 @@
       href: protect-with-ddos-protection.md
     - name: Configure Front Door
       href: front-door-api-management.md
+    - name: Access resource protected by network security perimeter
+      href: using-network-security-perimeter.md
   - name: Configuration management
     items:
     - name: Landing zone accelerator

articles/api-management/api-management-api-import-restrictions.md

@@ -64,6 +64,10 @@ API Management only supports:
 - OpenAPI version 3.0.x (up to version 3.0.3)
 - OpenAPI version 3.1 (import only)
 
+> [!NOTE]
+> API Management does not fully support OpenAPI 3.1. The platform allows 3.1 documents to be *imported*, but most 3.1-specific constructs (such as updated JSON Schema, callbacks, links, examples, requestBodies, headers, and other components) are not processed or enforced. During import, unsupported features are ignored, downgraded to 3.0-equivalent behavior, or removed.
+> Because of this, OpenAPI 3.1 should be treated as **import-compatible only**, not feature-compatible. For full fidelity, use OpenAPI 2.0 or 3.0.x.
+
 **Size limitations**
 
 | Size limit | Description |

articles/api-management/breaking-changes/trusted-service-connectivity-retirement-march-2026.md

@@ -101,6 +101,8 @@ You can configure the networking of target resources to one of the following opt
 
   - [Transition to a Network Security Perimeter in Azure](/azure/private-link/network-security-perimeter-transition)
 
+  - [How to front a network security perimeter-protected Azure resource with Azure API Management](../using-network-security-perimeter.md)
+
 ### Step 3: Disable trusted service connectivity in API Management gateway
 
 After ensuring that your API Management gateway doesn't access other Azure services using trusted service connectivity, you must explicitly disable trusted connectivity in your gateway to acknowledge you have verified that the service no longer depends on trusted connectivity.

articles/api-management/media/using-network-security-perimeter/api-operation.png

@@ -0,0 +1,187 @@
+---
+title: How to front a network security perimeter-protected Azure resource with Azure API Management
+description: Step-by-step guidance to secure an Azure service backend with a network security perimeter and access it via Azure API Management using managed identity.
+ms.service: azure-api-management
+ms.topic: how-to
+ms.date: 01/27/2026
+author: dlepow
+ms.author: danlep
+ai-usage: ai-assisted
+---
+
+# How to front a network security perimeter-protected Azure resource with Azure API Management
+
+This article shows how to secure an Azure service resource with an Azure [network security perimeter](/azure/private-link/network-security-perimeter-concepts) and access it through Azure API Management. 
+
+As an example, you configure an Azure Storage account with a network security perimeter to allow traffic from your subscription (containing the API Management instance), use API Management's managed identity to authenticate to Azure Storage, and verify access with the API Management test console. Trusted service connectivity and public access to the storage account will be disabled.
+
+## Why use a network security perimeter with API Management?
+
+A network security perimeter provides a supported, centralized perimeter to explicitly allow traffic while keeping public access disabled. It provides:
+
+- **Modern token trust model:** Managed identity tokens now include trust mode claims that no longer permit implicit network bypass. A network security perimeter establishes the explicit network path your backend requires.
+- **Centralized governance:** A network security perimeter consolidates per‑service network rules into a single perimeter, improving consistency and observability across protected resources.
+- **Works without a virtual network:** For API Management instances not isolated with a virtual network, network security perimeter enables secure access by subscription or IP range. If virtual network isolation is available and preferred, you can continue to use that approach.
+
+> [!NOTE]
+> Beginning March 2026, [API Management is retiring trusted service connectivity](breaking-changes/trusted-service-connectivity-retirement-march-2026.md) from the gateway to select backend Azure services. If those backends such as Azure storage accounts rely on trusted Microsoft services or resource instances for network access, you must migrate. A network security perimeter provides the supported, centralized perimeter to explicitly allow traffic while keeping public access disabled.
+
+## Prerequisites
+
+- An Azure subscription and Owner or Contributor permissions.
+- An Azure API Management instance with a system-assigned or user-assigned managed identity enabled.
+- An Azure Storage account 
+    - Configure a container and at least one test blob (for example, a JSON file). 
+    - To begin, enable public network access to the storage account. By default, this setting also enables trusted Microsoft services and resource instances to access the storage account. You modify access later when associating the network security perimeter. 
+
+## Overview of steps
+
+1. Configure API Management to call Azure Storage using a managed identity.
+
+1. Block public network access to the storage account.
+
+1. Create a network security perimeter profile and associate the storage account.
+
+1. Add an inbound access rule to allow API Management traffic.
+
+1. Move network security perimeter access mode from **transition** to **enforced**.
+
+## Step 1. Configure API Management to call Azure Storage by using managed identity
+
+Configure API Management to call Azure Storage. Add a test API and operation, and configure a policy to authenticate by using API Management's managed identity. 
+
+1. In the [Azure portal](https://portal.azure.com/), go to your API Management instance. 
+1. Ensure that a system-assigned or user-assigned managed identity is enabled. For steps, see [Use managed identities in API Management](api-management-howto-use-managed-service-identity.md).
+1. Go to the storage account and grant the managed identity access:
+	1. In the left menu, select **Access control (IAM)** > **Add role assignment**.
+	1. Select **Storage Blob Data Reader** role (or **Contributor**, if write access is required) and assign to the API Management managed identity. 
+    1. Complete the role assignment steps.
+
+### Configure an API operation to call Azure Storage    
+
+1. Add an HTTP API that fronts the Azure Storage blob URI (for example, `https://<storage-account-name>.blob.core.windows.net/apimtest`). 
+1. Add a GET operation targeting the container.
+	:::image type="content" source="media/using-network-security-perimeter/api-operation.png" alt-text="Screenshot showing a sample API operation to access a blob container in the portal.":::
+	
+1. On the **Design** tab, select the operation and then select the policy editor (`</>`). Edit the operation's policy definition to add the API version header and managed identity authentication. 
+
+In the following example:
+
+* The `authentication-managed-identity` policy assumes that the API Management instance has a system-assigned managed identity enabled and can access Azure Storage. To use a user-assigned managed identity, set a `client-id` attribute in the policy. For more information, see the [policy reference](authentication-managed-identity-policy.md).
+* The `set-header` policy sets the [required Storage REST API version header](/rest/api/storageservices/get-blob?tabs=microsoft-entra-id#request-headers).
+
+    ```xml
+    <policies>
+    	<inbound>
+    		<base />
+    		<!-- Authenticate to Storage using API Management managed identity -->
+    		<authentication-managed-identity resource="https://storage.azure.com/" />
+    		<!-- Set Storage API version header -->
+    		<set-header name="x-ms-version" exists-action="override">
+    			<value>2025-11-05</value>
+    		</set-header>
+    	</inbound>
+    	<backend>
+    		<forward-request />
+    	</backend>
+    	<outbound>
+    		<base />
+    	</outbound>
+    	<on-error>
+    		<base />
+    	</on-error>
+    </policies>
+    ```
+
+> [!NOTE]
+> - The `resource` value should be `https://storage.azure.com/` for Azure Storage.
+> - Ensure the managed identity is assigned the appropriate RBAC role.
+
+### Test the API operation
+
+Before configuring the network security perimeter, test that the API operation can reach the storage account.
+
+1. In the left menu, under **APIs**, select your API and operation.
+1. Select the **Test** tab.
+1. Select **Test** and call the operation. Optionally select **Trace** to capture detailed telemetry.
+
+Expected results:
+ - The call succeeds with a `200 OK` response and returns the blob content.
+ - If you enabled **Trace**, you can verify that API Management added the managed identity token to the Authorization header. 
+ 
+## Step 2. Block public network access to the storage account
+
+If you now block public network access to the storage account, the API call from API Management fails because trusted service connectivity is disabled.
+
+1. In the Azure portal, go to your storage account.
+1. In the left menu, under **Security + networking**, select **Networking**.
+1. On the **Public access** tab, select **Manage**. **Disable** public network access.
+1. Select **Save**.
+
+### Test the API operation
+
+Test that the API operation can no longer reach the storage account.
+
+1. In the Azure portal, go to your API Management instance.
+1. In the left menu, under **APIs**, select your API and operation.
+1. Select the **Test** tab.
+1. Select **Test** and call the operation. Optionally select **Trace** to capture detailed telemetry.
+
+Expected result:
+ - The call fails with a `403 Forbidden` response.
+  
+## Step 3. Create a network security perimeter profile and associate the storage account
+
+For typical steps to create a network security perimeter and associate an Azure resource with a profile, see [Create a network security perimeter and profile](/azure/private-link/create-network-security-perimeter-portal). Brief steps follow:
+
+1. In the Azure portal, search for **Network Security Perimeters** and select it.
+1. Select **+ Create** and provide a name and region. Accept the defaults for other settings and create the perimeter.
+1. After deployment, go to the **Settings** > **Associated resources** blade to associate the storage account with an existing or new profile.
+
+## Step 4: Add an inbound access rule to allow API Management traffic
+
+To allow API Management to reach the storage account through the perimeter, add an inbound rule. The simplest approach is by Azure subscription.
+
+1. In the left menu of our network security perimeter, select **Settings** > **Profiles**, then select the profile you associated with the storage account.
+1. In the left menu, select **Settings** > **Inbound access rules** > **+ Add**:
+    1. Enter a name for the rule.
+    1. Select **Source type** *Subscriptions*, then in **Allowed sources** select the subscription that contains your API Management instance.
+1. Select **Add**.
+
+> [!NOTE]
+> If you select IP address-based control, specify API Management's outbound public IP address range in the inbound rule. Ensure you include all outbound [IP addresses](api-management-howto-ip-addresses.md#ip-addresses-for-outbound-traffic) for your API Management instance.
+> 
+
+### Confirm the network configuration in the storage account
+
+1. In the Azure portal, go to your storage account.
+1. In the left menu, under **Security + networking**, select **Networking**. 
+1. Under **Network security perimeter**, confirm that the storage account is associated with your network security perimeter profile and that the access rule is listed.
+
+  :::image type="content" source="media/using-network-security-perimeter/public-access-settings.png" alt-text="Screenshot of public access settings in the storage account in the portal.":::
+
+### Test the API operation
+
+Test that the API operation can reach the storage account in the network security perimeter.
+
+1. In the Azure portal, go to your API Management instance.
+1. In the left menu, under **APIs**, select your API and operation.
+1. Select the **Test** tab.
+1. Select **Test** and call the operation. Optionally select **Trace** to capture detailed telemetry.
+
+Expected result:
+ - The call succeeds with a `200 OK` response and returns the blob content.
+	
+## Step 5. Move access mode to enforced
+
+A network security perimeter supports the following [access modes](/azure/private-link/network-security-perimeter-transition):
+
+- **Transition:** Applies both existing per-resource network settings and network security perimeter rules. This mode is the default when you first associate a resource.
+- **Enforced:** Applies only network security perimeter rules. Use this mode once you validate access.
+
+After you validate access in **transition** mode, set the network security perimeter's access mode to **enforced**. For more information, see [Steps to configure publicNetworkAccess and accessMode properties](/azure/private-link/network-security-perimeter-transition#steps-to-configure-publicnetworkaccess-and-accessmode-properties).
+
+## Related content
+
+- Learn more about [network security perimeter concepts and capabilities](/azure/private-link/network-security-perimeter-concepts)
+- [Networking options in API Management](virtual-network-concepts.md)

articles/api-management/media/using-network-security-perimeter/public-access-settings.png

@@ -5,7 +5,7 @@ services: application-gateway
 author: mbender-ms
 ms.service: azure-appgw-for-containers
 ms.topic: release-notes
-ms.date: 11/10/2025
+ms.date: 1/28/2026
 ms.author: mbender
 # Customer intent: As a Kubernetes operator, I want to access the release notes for the ALB Controller, so that I can understand the latest updates and changes to optimize my configuration and deployments of Application Gateway for Containers.
 ---
@@ -27,12 +27,13 @@ Instructions for new or existing deployments of ALB Controller are found in the
 
 | ALB Controller Version | Gateway API Version | Minimum Kubernetes Version | Release Notes |
 | ---------------------- | ------------------- | ------------------ | ------------- |
-| 1.8.12 | v1.2.1 | v1.27 | WAF improvements |
+| 1.9.11 | v1.2.1 | v1.27 | [allowPrivilegeEscalation false](https://github.com/Azure/AKS/issues/5389), [Integration with AKS Istio Service Mesh Add-on](https://github.com/Azure/AKS/issues/5479), [fix for NAP with Karpenter](https://github.com/Azure/AKS/issues/5486), general image updates |
 
 ## Release history
 
 | ALB Controller Version | Gateway API Version | Minimum Kubernetes Version | Release Notes |
 | ---------------------- | ------------------- | ------------------ | ------------- |
+| 1.8.12 | v1.2.1 | v1.27 | WAF improvements |
 | 1.8.9 | v1.2.1 | v1.27 | [Slow start load balancing algorithm](api-specification-kubernetes.md#alb.networking.azure.io/v1.BackendLoadBalancingPolicy), Image updated to use [Azure Linux 3.0](https://github.com/microsoft/azurelinux), [nodeSelector fix](https://github.com/Azure/AKS/issues/5302), miscellaneous bug fixes and enhancements |
 | 1.7.12 | v1.2.1 | v1.27 | Hotfix for pod crash due to [invalid Provider ID](https://github.com/Azure/AKS/issues/5310) |
 | 1.7.9 | v1.2.1 | v1.27 | [Web Application Firewall (WAF) Public Preview](https://aka.ms/agc/waf), Updated to Gateway API v1.2.1, [nodeSelector support](https://github.com/Azure/AKS/issues/4370#issuecomment-2894487836), [Permissions fix for Overlay networks](https://github.com/Azure/AKS/issues/5039), fix for SAN regex matching, miscellaneous performance improvements |

articles/api-management/using-network-security-perimeter.md

@@ -7,7 +7,7 @@ author: mbender-ms
 ms.service: azure-appgw-for-containers
 ms.custom: devx-track-azurecli
 ms.topic: quickstart
-ms.date: 11/10/2025
+ms.date: 1/27/2026
 ms.author: mbender
 # Customer intent: As a Kubernetes administrator, I want to install the Application Gateway for Containers ALB Controller on my AKS cluster, so that I can efficiently manage load balancing rules and enhance application traffic handling.
 ---
@@ -147,7 +147,7 @@ You need to complete the following tasks before deploying Application Gateway fo
     az aks get-credentials --resource-group $RESOURCE_GROUP --name $AKS_NAME
     helm install alb-controller oci://mcr.microsoft.com/application-lb/charts/alb-controller \
          --namespace $HELM_NAMESPACE \
-         --version 1.8.12 \
+         --version 1.9.11 \
          --set albController.namespace=$CONTROLLER_NAMESPACE \
          --set albController.podIdentity.clientID=$(az identity show -g $RESOURCE_GROUP -n azure-alb-identity --query clientId -o tsv)
     ```
@@ -165,7 +165,7 @@ You need to complete the following tasks before deploying Application Gateway fo
     az aks get-credentials --resource-group $RESOURCE_GROUP --name $AKS_NAME
     helm upgrade alb-controller oci://mcr.microsoft.com/application-lb/charts/alb-controller \
         --namespace $HELM_NAMESPACE \
-        --version 1.8.12 \
+        --version 1.9.11 \
         --set albController.namespace=$CONTROLLER_NAMESPACE \
         --set albController.podIdentity.clientID=$(az identity show -g $RESOURCE_GROUP -n azure-alb-identity --query clientId -o tsv)
     ```

articles/application-gateway/for-containers/alb-controller-release-notes.md

@@ -5,7 +5,7 @@ services: application-gateway
 author: JackStromberg
 ms.service: azure-appgw-for-containers
 ms.topic: how-to
-ms.date: 11/15/2025
+ms.date: 1/28/2026
 ms.author: jstrom
 ---
 
@@ -29,9 +29,6 @@ Here's a diagram of Application Gateway for Containers integrating with Istio se
 
 The ALB Controller Istio Extension consists of two pods, deployed in active / standby configuration to allow resiliency during node failure, handle certificate lifecycle management between Application Gateway for Containers and Istio, and implicitly handle mTLS configuration to services part of a service mesh.
 
->[!NOTE]
->Application Gateway for Containers only supports the community/open source version of Istio today. Istio-based service mesh add-on for AKS isn't supported at this time.
-
 >[!NOTE]
 >To use ALB Controller Service Mesh Extension, you must define your ingress intent using Gateway API. Ingress API isn't supported.
 
@@ -51,7 +48,7 @@ az aks get-credentials --resource-group $RESOURCE_GROUP --name $AKS_NAME
 
 helm install alb-controller-servicemesh-extension oci://mcr.microsoft.com/application-lb/charts/alb-controller-servicemesh-extension \
      --namespace $HELM_NAMESPACE \
-     --version 1.8.12
+     --version 1.9.11
 ```
 
 ### Verify the ALB Controller installation