Merge pull request #313382 from MicrosoftDocs/main

Auto Publish – main to live - 2026-03-19 06:00 UTC

Author: learn-build-service-prod[bot]

articles/app-service/tutorial-nodejs-mongodb-app.md

@@ -25,7 +25,7 @@ ms.custom:
 
 # Tutorial: Deploy a Node.js + MongoDB web app to Azure
 
-This tutorial shows how to create a secure Node.js app in [Azure App Service](overview.md) that's connected to an [Azure Cosmos DB for MongoDB](/azure/cosmos-db/mongodb/mongodb-introduction) database. Azure App Service provides a highly scalable, self-patching web hosting service using the Linux operating system. When you're finished, you have an Express.js app running on Azure App Service on Linux.
+This tutorial shows how to create a secure Node.js app in [Azure App Service](overview.md) that's connected to an [Azure DocumentDB](https://learn.microsoft.com/azure/documentdb/) database. Azure App Service provides a highly scalable, self-patching web hosting service using the Linux operating system. When you're finished, you have an Express.js app running on Azure App Service on Linux.
 
 :::image type="content" source="./media/tutorial-nodejs-mongodb-app/azure-portal-browse-app-2.png" alt-text="Screenshot of Node.js application storing data in Cosmos DB.":::
 
@@ -125,7 +125,7 @@ Having issues? Check the [Troubleshooting section](#troubleshooting).
 
 ## Create App Service and Azure Cosmos DB
 
-In this step, you create the Azure resources. The steps used in this tutorial create a set of secure-by-default resources that include App Service and Azure Cosmos DB for MongoDB. For the creation process, you specify:
+In this step, you create the Azure resources. The steps used in this tutorial create a set of secure-by-default resources that include App Service and Azure DocumentDB. For the creation process, you specify:
 
 - The **Name** for the web app. It's part of the DNS name for your app.
 - The **Region** to run the app physically in the world. It's also part of the DNS name for your app.
@@ -171,7 +171,7 @@ Sign in to the [Azure portal](https://portal.azure.com/) and follow these steps
         - **Virtual network** → Integrated with the App Service app and isolates back-end network traffic.
         - **Private endpoint** → Access endpoint for the database resource in the virtual network.
         - **Network interface** → Represents a private IP address for the private endpoint.
-        - **Azure Cosmos DB for MongoDB** → Accessible only from behind the private endpoint. A database and a user are created for you on the server.
+        - **Azure DocumentDB** → Accessible only from behind the private endpoint. A database and a user are created for you on the server.
         - **Private DNS zone** → Enables DNS resolution of the Azure Cosmos DB server in the virtual network.
 
     :::column-end:::

articles/application-gateway/media/tutorial-ingress-controller-add-on-new/tutorial-ingress-controller-add-on-new.png

@@ -385,8 +385,8 @@ For the legacy cloning script, version 1.0.11 is the new version of the migratio
 ### Public IP retention script
 
 After you successfully migrate the configuration and thoroughly test your new V2 gateway, this step focuses on redirecting live traffic.
-
-We provide an Azure PowerShell script that *retains the public IP address from V1*. Here are important considerations for the script:
+> [!NOTE]
+> The IP migration script does not support public IP address resources that have name beginning with a numeric character. 
 
 - The script reserves the Basic public IP from V1, converts it to Standard, and attaches it to the V2 gateway. This action effectively redirects all incoming traffic to the V2 gateway.
 - This IP swap operation typically results in a brief *downtime of approximately one to five minutes*. Plan accordingly.

articles/application-gateway/migrate-v1-v2.md

@@ -57,6 +57,27 @@ Deploying a new AKS cluster with the AGIC add-on enabled without specifying an e
 az aks create -n myCluster -g myResourceGroup --network-plugin azure --enable-managed-identity -a ingress-appgw --appgw-name myApplicationGateway --appgw-subnet-cidr "10.225.0.0/16" --generate-ssh-keys
 ```
 
+## Enable the add-on for the existing AKS cluster
+
+You already have an existing AKS cluster and will enable the AGIC add-on. The add-on can be enabled either through the Azure portal or by using the Azure CLI.
+
+# [Azure Portal](#tab/azure-portal)
+
+In this page in the screenshot, you can create it simply by selecting the checkbox. If you want to specify a subnet prefix, select *Create new* and configure it manually.
+
+:::image type="content" source="media/tutorial-ingress-controller-add-on-new/tutorial-ingress-controller-add-on-new.png" alt-text="Screenshot of enabling AGIC addon by Portal." lightbox="media/tutorial-ingress-controller-add-on-new/tutorial-ingress-controller-add-on-new.png":::
+
+# [Azure CLI](#tab/azure-cli)
+
+You can give the name of the application gateway as well as subnet CIDR by the command.
+appgw-subnet-cidr should be in the address prefixes in your virtual network. Please change *10.0.250.0/24* to your preferred application gateway subnet CIDR. This must always be within the address space range of your virtual network.
+
+```azurecli
+$ az aks enable-addons --resource-group ${RG_NAME} --name ${CLUSTER_NAME} --addons ingress-appgw --appgw-subnet-cidr "10.0.250.0/24"
+```
+
+In most cases, enabling the add-on automatically assigns the required permissions. However, depending on the environment, the permissions may not be granted automatically. In such cases, you should verify the permissions and assign them manually if necessary.
+
 > [!NOTE] 
 > Please ensure the identity used by AGIC has the proper permissions. A list of permissions needed by the identity can be found here: [Configure Infrastructure - Permissions](configuration-infrastructure.md#permissions). If a custom role is not defined with the required permissions, you may use the _Network Contributor_ role.
 

articles/application-gateway/tutorial-ingress-controller-add-on-new.md

@@ -270,7 +270,7 @@
       href: /security/benchmark/azure/baselines/functions-security-baseline?toc=/azure/azure-functions/toc.json&bc=/azure/azure-functions/breadcrumb/toc.json
   - name: Reliability
     items:
-    - name: Availability zones and disaster recovery
+    - name: Reliability in Azure Functions
       displayName: availability zones, high-availability, zone redundancy, disaster recovery
       href: /azure/reliability/reliability-functions?toc=/azure/azure-functions/toc.json&bc=/azure/azure-functions/breadcrumb/toc.json
     - name: Zone redundancy

articles/azure-functions/TOC.yml

@@ -67,6 +67,8 @@
       href: migrate-nested-confidential-vms.md
     - name: Virtual Machine Metablob Disk
       href: virtual-machine-metablob-disk.md
+    - name: How to disable Virtual Machine Metablob Disk
+      href: disable-confidential-vm-metadata-blob.md
     - name: Quickly create confidential VMs
       items:
       - name: Create a Confidential VM through the Azure portal

articles/confidential-computing/TOC.yml

@@ -0,0 +1,76 @@
+---
+title: Disable VMMD blob creation for Confidential VMs
+description: Instructions for opting out of the Virtual Machine Metablob Disk (VMMD).
+author: linuxelf001
+ms.topic: include
+ms.service: azure-virtual-machines
+ms.date: 03/11/2026
+ms.author: raginjup
+ms.reviewer: raginjup
+ms.custom: include file
+---
+
+# Disable VMMD blob creation for Confidential VMs
+
+This article outlines the background and the steps required to opt out of the newly introduced Virtual Machine Metadata (VMMD) blob feature in the Microsoft Azure Confidential VMs.
+
+Microsoft Azure Confidential VMs (CVMs) recently adopted a **3blob** architecture comprising disk, VM Guest State (VMGS), and Virtual Machine Metadata (VMMD) blobs. This architecture update moves key information from the VMGS blob to a new VMMD blob to provide seamless support for various online key rotation scenarios.
+
+Automation built for the previous architecture involving export, import, and upload scenarios may fail for certain workflows. If your workflows include a breaking scenario, you can deploy confidential VMs with legacy format by registering the `DisableConfidentialVMMetadataBlob` preview feature.
+
+## Prerequisites
+
+Before beginning, check to make sure that you have the following:
+
+* An Azure account with an active subscription. [Create an account for free.](https://azure.microsoft.com/free)
+* A confidential VM with managed disks.
+
+## Required Access
+
+To list, register, or unregister preview features in your Azure subscription, you need access to the `Microsoft.Features/*` actions. This permission is granted through the [Contributor](../role-based-access-control/built-in-roles/privileged.md#contributor) and [Owner](../role-based-access-control/built-in-roles/privileged.md#owner) built-in roles. You can also specify the required access through a [custom role](../role-based-access-control/custom-roles.md).
+
+> [!NOTE]
+> The portal only shows a preview feature when the service that owns the feature explicitly opts in. The opt-out enablement would have to set on customer subscriptions and then the customers can continue to use **2blob** CVMs. <br><br> AFEC Name: Microsoft.Compute/DisableConfidentialVMMetadataBlob <br> Preview feature name: DisableConfidentialVMMetadataBlob <br><br> [Learn More…](../azure-resource-manager/management/preview-features.md)
+
+## How to Opt Out of VMMD Blob creation
+
+To opt out of the **3blob** architecture and disable the VMMD creation, follow these steps to register the `DisableConfidentialVMMetadataBlob` feature through the Azure portal:
+
+1. Sign in to the Azure portal.
+
+2. Search for `Subscriptions` in the top search bar and click on the link.
+![Screenshot of Subscriptions in the search bar.](media/search-subscriptions.png)
+
+3. On the `Subscriptions` page, select the name of the subscription you wish to configure.
+
+4. In the left menu, under `Settings`, select `Preview features`.
+![Screenshot of Preview features under settings.](media/access-preview-features.png)
+
+5. In the filter box of the `Preview features` screen, enter `DisableConfidentialVMMetadataBlob` and select the feature from the list.
+![Screenshot of DisableConfidentialVMMetadataBlob preview feature.](media/disable-confidential-vm-feature.png)
+
+6. Select Register.
+![Screenshot of registering preview feature.](media/register-confidential-vm-feature.png)
+
+The status changes to `Registered` once the process completes.
+
+## Features Disabled After Opting Out
+
+Using the legacy **2blob** architecture prevents access to the following services and capabilities designed for the new **3blob** format used in the latest Confidential VMs.
+
+* **Backup and Restore**<br>
+The Azure Backup service doesn't support 2 blob confidential VMs configured with the opt-out feature. 
+
+* **Key Rotation**<br>
+Online key rotation depends on the VMMD blob and therefore is only available for **3blob** resources. Confidential VMs using the **2blob** format can't rotate keys while online. Automated key rotation may also fail if the resource is online.
+
+
+## Next Steps
+
+* [Deploy a confidential VM from Azure](/azure/confidential-computing/quick-create-confidential-vm-portal)
+* [Azure confidential computing documentation](/azure/confidential-computing/)
+
+## Related Articles
+
+* [Azure managed disks overview](/azure/virtual-machines/managed-disks-overview)
+* [Managed disk migration guide](/azure/virtual-machines/linux/convert-unmanaged-to-managed-disks) 

articles/confidential-computing/disable-confidential-vm-metadata-blob.md

@@ -149,7 +149,7 @@ Every ExpressRoute Direct instance consists of two physical ports. You can activ
 
     MACsec is now enabled on the ExpressRoute Direct ports on Microsoft side. If you didn't configure it on your edge devices, you can proceed to configure them with the same MACsec secrets and cipher.
 
-1. (Optional) To activate the ports that are in Administrative Down state, run the following commands:
+1. (Required for on-premises Cisco devices) Enable Secure Channel Identifier (SCI) on the ExpressRoute Direct ports. This setting is required when your on-premises device is a Cisco router connecting to the Azure Juniper MSEE. Without SCI enabled, traffic fails between both sides.
 
     ```azurepowershell-interactive
     $erDirect = Get-AzExpressRoutePort -ResourceGroupName "your_resource_group" -Name "your_direct_port_name"
@@ -159,6 +159,9 @@ Every ExpressRoute Direct instance consists of two physical ports. You can activ
     ```
     
     SCI is now enabled on the ExpressRoute Direct ports.
+
+    > [!IMPORTANT]
+    > MACsec on ExpressRoute Direct is only supported on Juniper MSEE devices. If your ExpressRoute Direct resource is on a Cisco MSEE, you need to recreate the ExpressRoute Direct resource to land on a Juniper device. To verify your MSEE device type, check the ExpressRoute Direct resource in the Azure portal.
     
 ### How to disable MACsec
 

articles/expressroute/expressroute-howto-macsec.md

@@ -4,7 +4,7 @@ description: Learn how to handle large messages in workflows with chunking and w
 services: logic-apps
 ms.suite: integration
 ms.topic: how-to
-ms.date: 09/16/2025
+ms.date: 03/15/2026
 #Customer intent: As an integration developer who works with Azure Logic Apps, I need to understand when and how to use chunking to support large messages.
 ---
 
@@ -100,6 +100,13 @@ To reference the data, in the chunking action, use the expression `body('Compose
     "type": "ApiConnection"
 },
 ```
+> [!NOTE]
+>
+> When an action has chunking enabled, the action's outputs contain only the `body` property. Other output properties such as `statusCode` and `headers` are unavailable.
+>
+> If you use tracked properties that reference unavailable properties, for example, `@action()['outputs']['statusCode']` or `@action()['outputs']['headers']`, the action fails with the error message, `TrackedPropertiesEvaluationFailed`. This error happens even when the underlying operation, such as a file download, successfully completes. 
+>
+> To avoid this error, remove any references to unavailable properties from tracked properties in actions that use chunking to process large messages.
 
 <a name="set-up-chunking"></a>
 

articles/logic-apps/logic-apps-handle-large-messages.md

@@ -296,7 +296,8 @@ Stack | VMware, Hyper-V, and physical servers. | VMware, Hyper-V, and physical s
 Windows servers | Windows Server 2008 R2 and later are supported. | Not supported.
 Linux servers | Not supported | Servers that meet the [requirements](/azure/migrate/migrate-support-matrix-hyper-v?view=migrate#hyper-v-host-requirements)
 Web server versions | IIS 7.5 and later | Tomcat 8 or later
-Required privileges | The least privileged user should be a part of the two user groups 1. Remote Management Users 2. IIS_IUSRS. The users must have read permissions to the following locations: C:\Windows\system32\inetsrv\config, C:\Windows\system32\inetsrv\config\applicationHost.config and C:\Windows\system32\inetsrv\config\redirection.config. | **Read (r)** and **Execute (x)** permissions recursively on all CATALINA_HOME directories.
+Protocol | WinRM port 5986 (HTTPS) by default, if HTTPS prerequisites aren't configured on the target servers, communication falls back to WinRM port 5985 (HTTP) | SSH port 22 (TCP)
+Required privileges | The least privileged user should be a part of the two user groups 1. Remote Management Users 2. IIS_IUSRS. The users must have read permissions to the following locations: C:\Windows\system32\inetsrv\config, C:\Windows\system32\inetsrv\config\applicationHost.config and C:\Windows\system32\inetsrv\config\redirection.config. Add the user to 'log on as batch job' using secpol.msc and ensure user is not part of 'deny log on as batch job'. | **Read (r)** and **Execute (x)** permissions recursively on all CATALINA_HOME directories.
 
 > [!NOTE]
 > Data is always encrypted at rest and during transit.