Merge pull request #313484 from MicrosoftDocs/main

learn-build-service-prod[bot] · web-flow · commit 81c31b3841e7 · 2026-03-21T06:08:40.000Z
Auto Publish – main to live - 2026-03-21 06:00 UTC
diff --git a/articles/dev-box/overview-what-is-microsoft-dev-box.md b/articles/dev-box/overview-what-is-microsoft-dev-box.md
@@ -9,7 +9,7 @@ author: RoseHJM
 ms.date: 10/31/2025
 adobe-target: true
 
-#Customer intent: #Customer intent: As a platform engineer, I want to understand what Microsoft Dev Box is and how it can help developer teams, so that I can efficiently set up and use cloud development environments for my teams.
+#Customer intent: As a platform engineer, I want to understand what Microsoft Dev Box is and how it helps developer teams, so that I can efficiently set up and use cloud development environments for my teams.
 ---
 
 # What is Microsoft Dev Box?
diff --git a/articles/high-performance-computing/index.yml b/articles/high-performance-computing/index.yml
@@ -111,12 +111,12 @@ productDirectory:
         links:
            - url: https://www.aka.ms/Microsoft-NVIDIA/HPCwire
              text: Microsoft - NVIDIA
-           - url: https://insidehpc.com/2023/03/manufacturing-repatriation-how-hpc-class-technologies-from-microsoft-azure-and-amd-support-manufacturers-reshoring-strategies/
-             text: Microsoft - AMD
-           - url: https://insidehpc.com/2022/10/staying-at-the-cutting-edge-of-automotive-design-technology-with-azure-cloud-platform-and-amd/
-             text: Azure Cloud and AMD for Manufacturing
-           - url: https://insidehpc.com/2023/03/azure-amd-and-the-power-of-cloud-based-hpc-for-sustainability-rd-projects/
-             text: Azure and AMD for Sustainability    
+#          - url: https://insidehpc.com/2023/03/manufacturing-repatriation-how-hpc-class-technologies-from-microsoft-azure-and-amd-support-manufacturers-reshoring-strategies/
+#            text: Microsoft - AMD
+#          - url: https://insidehpc.com/2022/10/staying-at-the-cutting-edge-of-automotive-design-technology-with-azure-cloud-platform-and-amd/
+#            text: Azure Cloud and AMD for Manufacturing
+#          - url: https://insidehpc.com/2023/03/azure-amd-and-the-power-of-cloud-based-hpc-for-sustainability-rd-projects/
+#            text: Azure and AMD for Sustainability    
      
       # Card
       - title: Related Technologies
diff --git a/articles/migrate/postgresql-assessment-properties.md b/articles/migrate/postgresql-assessment-properties.md
@@ -26,7 +26,7 @@ General assessment properties in Azure Migrate (preview) help set up key configu
 | **Right-Sizing**              | **Performance history**      | Used with performance-based sizing. Performance history specifies the duration used when performance data is evaluated. |
 |  **Right-Sizing**               | **Percentile utilization**   | Used with performance-based sizing. Percentile utilization specifies the percentile value of the performance sample used for rightsizing. Learn more about [sampling mechanism](target-right-sizing.md). |
 |  **Right-Sizing**                 | **Comfort factor**           | This is the buffer applied during assessment. It's a multiplying factor used with performance metrics of CPU, RAM, disk, and network data for VMs. It accounts for issues like seasonal usage, short performance history, and likely increases in future usage. The comfort factor is applied irrespective of type of assessment (As-is on premises or performance based). For **performance-based** assessment, it's multiplied with utilization value of the resources, whereas for **As-is on premises** assessment it's multiplied by allocated resources. <br> The default values change. <br>  For example, a 10-core VM with 20% utilization normally results in a two-core VM. With a comfort factor of 2.0, the result is a four-core VM instead. |
-| **Pricing settings**  | **Default savings option**  | Specify the savings option that you want the assessment to consider to help optimize your Azure compute cost. </br> [Azure reservations](/azure/cost-management-billing/reservations/save-compute-costs-reservations?view=migrate&preserve-view=true) (One year or three years reserved) are a good option for the most consistently running resources. </br> [Azure Savings Plan](/azure/cost-management-billing/savings-plan/savings-plan-compute-overview?view=migrate&preserve-view=true) (One year or three years savings plan) provide additional flexibility and automated cost optimization. </br> When you select **None**, the Azure compute cost is based on the pay-as-you-go rate considering 730 hours as VM uptime, unless specified otherwise in VM uptime attribute.|
+| **Pricing settings**  | **Default savings option**  | Specify the savings option that you want the assessment to consider to help optimize your Azure compute cost. </br> [Azure reservations](/azure/cost-management-billing/reservations/save-compute-costs-reservations?view=migrate&preserve-view=true) (One year or three years reserved) are a good option for the most consistently running resources. </br> [Azure Savings Plan](/azure/cost-management-billing/savings-plan/savings-plan-overview?view=migrate&preserve-view=true) (One year or three years savings plan) provide additional flexibility and automated cost optimization. </br> When you select **None**, the Azure compute cost is based on the pay-as-you-go rate considering 730 hours as VM uptime, unless specified otherwise in VM uptime attribute.|
 | |**Offer/Licensing program**| The [Azure offer](https://azure.microsoft.com/support/legal/offer-details/) in which you're enrolled. The assessment estimates the cost for that offer. Select one of the pay-as-you-go, Enterprise Agreement support, or pay-as-you-go Dev/Test. </br> You need to select pay-as-you-go in offer/licensing program to be able to use Reserved Instances or Azure Savings Plan. When you select any savings option other than **None**, the *Discount (%)* and *VM uptime* properties aren't applicable. The monthly cost estimates are calculated by multiplying 744 hours in the VM uptime field with the hourly price of the recommended SKU.|
 | |**Currency** | The billing currency for your account.| 
 | |**Discount (%)** | Any subscription-specific discounts you receive on top of the Azure offer. The default setting is 0%. | 
@@ -39,4 +39,4 @@ General assessment properties in Azure Migrate (preview) help set up key configu
 
 - [Least privilege PostgreSQL account](postgresql-least-privilege-configuration.md).
 - [PostgreSQL workloads for Migration to Azure](tutorial-assess-postgresql.md).
-- [Review PostgreSQL assessment](tutorial-review-postgresql-report.md).
+- [Review PostgreSQL assessment](tutorial-review-postgresql-report.md).
diff --git a/articles/networking/security/includes/25535.md b/articles/networking/security/includes/25535.md
@@ -13,11 +13,13 @@ ms.custom: Network-Secure-Recommendation
 # userimpact: Low
 # implementationcost: Medium
 ---
-Azure Firewall is a cloud-native network security service that provides centralized inspection, logging, and enforcement for outbound traffic. However, using Azure Firewall alone for outbound connectivity can lead to SNAT port exhaustion under high-traffic workloads. The recommendation is to deploy NAT Gateway alongside Azure Firewall — Azure Firewall handles outbound security inspection (threat intelligence filtering, intrusion detection and prevention, TLS inspection, and egress policy enforcement), while NAT Gateway provides scalable SNAT ports for the actual outbound traffic flow. In a secure network architecture, outbound traffic from VNet-integrated workloads such as VMs, AKS clusters, App Service, and Functions should be explicitly routed through Azure Firewall before reaching external services, with NAT Gateway configured on the AzureFirewallSubnet to handle outbound translation. Without this combined approach, organizations risk either uninspected outbound traffic or SNAT port exhaustion leading to dropped connections. This check verifies that effective network routes direct outbound traffic to the firewall's private IP address for eligible workloads across all subscriptions.
+Azure Firewall is a cloud-native network security service that provides centralized inspection, logging, and enforcement for outbound traffic. In a secure network architecture, outbound traffic from VNet-integrated workloads such as VMs, AKS clusters, App Service, and Functions should be explicitly routed through Azure Firewall before reaching external services. This routing ensures that outbound security inspection — including threat intelligence filtering, intrusion detection and prevention, TLS inspection, and egress policy enforcement — is applied to all outbound flows. Without this routing, outbound traffic bypasses the firewall entirely, leaving the environment exposed to data exfiltration and command-and-control communication. This check verifies that effective network routes direct outbound traffic to the firewall's private IP address for eligible workloads across all subscriptions.
+
+For high-traffic workloads that risk SNAT port exhaustion, consider deploying [Azure NAT Gateway alongside Azure Firewall](/azure/firewall/integrate-with-nat-gateway). NAT Gateway provides up to 64,512 SNAT ports per public IP address compared to Azure Firewall's 2,496 SNAT ports per public IP per instance. When associated with the AzureFirewallSubnet, NAT Gateway handles outbound translation while Azure Firewall continues to inspect traffic — with no double NAT.
 
 **Remediation action**
 
-- [Configure Azure Firewall routing](/azure/firewall/tutorial-firewall-deploy-portal#configure-routing)
+- [Configure Azure Firewall routing](/azure/firewall/tutorial-firewall-deploy-portal#create-a-default-route)
 - [Manage route tables and routes](/azure/virtual-network/manage-route-table)
 - [Control App Service outbound traffic with Azure Firewall](/azure/app-service/network-secure-outbound-traffic-azure-firewall)
 - [Azure Firewall security rules](/azure/firewall/rule-processing)
diff --git a/articles/networking/security/includes/25537.md b/articles/networking/security/includes/25537.md
@@ -15,6 +15,9 @@ ms.custom: Network-Secure-Recommendation
 ---
 Azure Firewall Threat Intelligence-based filtering alerts and denies traffic from and to known malicious IP addresses, fully qualified domain names (FQDNs), and URLs sourced from the Microsoft Threat Intelligence feed. When enabled, Azure Firewall evaluates traffic against threat intelligence rules before applying network address translation (NAT), network, or application rules. This check verifies that Threat Intelligence is enabled in "Alert and deny" mode in the Azure Firewall policy. Without this feature enabled, the environment remains exposed to known malicious IPs, domains, and URLs, creating risk of compromise or data exfiltration.
 
+> [!NOTE]
+> "Alert and deny" mode requires Azure Firewall Standard or Premium. Azure Firewall Basic supports alert mode only. For a full feature comparison, see [Choose the right Azure Firewall SKU](/azure/firewall/choose-firewall-sku).
+
 **Remediation action**
 
 - [Azure Firewall threat intelligence configuration](/azure/firewall-manager/threat-intelligence-settings)
diff --git a/articles/networking/security/includes/26885.md b/articles/networking/security/includes/26885.md
@@ -17,7 +17,7 @@ Azure DDoS Protection provides advanced mitigation capabilities for public IP ad
 
 **Remediation action**
 
-- [Configure Azure DDoS Protection metrics and diagnostic logs](/azure/ddos-protection/diagnostic-logging)
+- [Configure Azure DDoS Protection metrics and diagnostic logs](/azure/ddos-protection/ddos-view-diagnostic-logs)
 - [Configure diagnostic settings for Azure resources](/azure/azure-monitor/essentials/diagnostic-settings)
 - [Azure DDoS Protection overview](/azure/ddos-protection/ddos-protection-overview)
 - [Create and configure Azure DDoS Network Protection using the Azure portal](/azure/ddos-protection/manage-ddos-protection)
diff --git a/articles/networking/security/includes/26886.md b/articles/networking/security/includes/26886.md
@@ -17,7 +17,5 @@ When Azure DDoS Protection is enabled for public IP addresses, diagnostic loggin
 
 **Remediation action**
 
-- [Configure Azure DDoS Protection diagnostic logging](/azure/ddos-protection/diagnostic-logging)
-- [View and configure DDoS diagnostic logs](/azure/ddos-protection/diagnostic-logging#configure-ddos-diagnostic-logs)
-- [Azure DDoS Protection monitoring and logging](/azure/ddos-protection/monitor-ddos-protection)
-- [View and analyze DDoS logs](/azure/ddos-protection/monitor-ddos-protection)
+- [View and configure DDoS Protection diagnostic logs](/azure/ddos-protection/ddos-view-diagnostic-logs)
+- [Monitor Azure DDoS Protection](/azure/ddos-protection/monitor-ddos-protection)
diff --git a/articles/networking/security/index.yml b/articles/networking/security/index.yml
@@ -25,6 +25,10 @@ highlightedContent:
       itemType: overview # controls the icon image and super-title text 
       url: /azure/networking/security/network-security
     # Card
+    - title: Azure network security Zero Trust recommendations
+      itemType: concept
+      url: /azure/networking/security/zero-trust-network-security
+    # Card
     - title: Azure best practices for network security
       itemType: concept
       url: ../../security/fundamentals/network-best-practices.md
diff --git a/articles/networking/security/zero-trust-application-gateway-waf.md b/articles/networking/security/zero-trust-application-gateway-waf.md
@@ -17,16 +17,37 @@ For a summary of all Azure network security Zero Trust recommendations, see [Azu
 
 ## Recommendations
 
-| Recommendation | Risk level | User impact | Implementation cost |
-|---|---|---|---|
-| [!INCLUDE [Application Gateway WAF is enabled in prevention mode](includes/25541.md)] | High | Low | Low |
-| [!INCLUDE [Request body inspection is enabled in Application Gateway WAF](includes/26879.md)] | High | Low | Low |
-| [!INCLUDE [Default rule set is enabled in Application Gateway WAF](includes/26881.md)] | High | Low | Low |
-| [!INCLUDE [Bot protection rule set is enabled and assigned in Application Gateway WAF](includes/26882.md)] | High | Low | Low |
-| [!INCLUDE [HTTP DDoS protection rule set is enabled in Application Gateway WAF](includes/27015.md)] | High | Low | Low |
-| [!INCLUDE [Rate limiting is enabled in Application Gateway WAF](includes/27016.md)] | High | Low | Medium |
-| [!INCLUDE [JavaScript challenge is enabled in Application Gateway WAF](includes/27017.md)] | Medium | Low | Low |
-| [!INCLUDE [Diagnostic logging is enabled in Application Gateway WAF](includes/26888.md)] | High | Low | Low |
+### Application Gateway WAF is enabled in prevention mode
+
+[!INCLUDE [Application Gateway WAF is enabled in prevention mode](includes/25541.md)]
+
+### Request body inspection is enabled in Application Gateway WAF
+
+[!INCLUDE [Request body inspection is enabled in Application Gateway WAF](includes/26879.md)]
+
+### Default rule set is enabled in Application Gateway WAF
+
+[!INCLUDE [Default rule set is enabled in Application Gateway WAF](includes/26881.md)]
+
+### Bot protection rule set is enabled and assigned in Application Gateway WAF
+
+[!INCLUDE [Bot protection rule set is enabled and assigned in Application Gateway WAF](includes/26882.md)]
+
+### HTTP DDoS protection rule set is enabled in Application Gateway WAF
+
+[!INCLUDE [HTTP DDoS protection rule set is enabled in Application Gateway WAF](includes/27015.md)]
+
+### Rate limiting is enabled in Application Gateway WAF
+
+[!INCLUDE [Rate limiting is enabled in Application Gateway WAF](includes/27016.md)]
+
+### JavaScript challenge is enabled in Application Gateway WAF
+
+[!INCLUDE [JavaScript challenge is enabled in Application Gateway WAF](includes/27017.md)]
+
+### Diagnostic logging is enabled in Application Gateway WAF
+
+[!INCLUDE [Diagnostic logging is enabled in Application Gateway WAF](includes/26888.md)]
 
 ## Related content
 
diff --git a/articles/networking/security/zero-trust-azure-firewall.md b/articles/networking/security/zero-trust-azure-firewall.md
@@ -17,13 +17,25 @@ For a summary of all Azure network security Zero Trust recommendations, see [Azu
 
 ## Recommendations
 
-| Recommendation | Risk level | User impact | Implementation cost |
-|---|---|---|---|
-| [!INCLUDE [Outbound traffic from VNet-integrated workloads is routed through Azure Firewall](includes/25535.md)] | High | Low | Medium |
-| [!INCLUDE [Threat intelligence is enabled in deny mode on Azure Firewall](includes/25537.md)] | High | Low | Low |
-| [!INCLUDE [IDPS inspection is enabled in deny mode on Azure Firewall](includes/25539.md)] | High | Low | Low |
-| [!INCLUDE [Inspection of outbound TLS traffic is enabled on Azure Firewall](includes/25550.md)] | High | Low | Low |
-| [!INCLUDE [Diagnostic logging is enabled in Azure Firewall](includes/26887.md)] | High | Low | Low |
+### Outbound traffic from VNet-integrated workloads is routed through Azure Firewall
+
+[!INCLUDE [Outbound traffic from VNet-integrated workloads is routed through Azure Firewall](includes/25535.md)]
+
+### Threat intelligence is enabled in deny mode on Azure Firewall
+
+[!INCLUDE [Threat intelligence is enabled in deny mode on Azure Firewall](includes/25537.md)]
+
+### IDPS inspection is enabled in deny mode on Azure Firewall
+
+[!INCLUDE [IDPS inspection is enabled in deny mode on Azure Firewall](includes/25539.md)]
+
+### Inspection of outbound TLS traffic is enabled on Azure Firewall
+
+[!INCLUDE [Inspection of outbound TLS traffic is enabled on Azure Firewall](includes/25550.md)]
+
+### Diagnostic logging is enabled in Azure Firewall
+
+[!INCLUDE [Diagnostic logging is enabled in Azure Firewall](includes/26887.md)]
 
 ## Related content
 
diff --git a/articles/networking/security/zero-trust-ddos-protection.md b/articles/networking/security/zero-trust-ddos-protection.md
@@ -17,11 +17,17 @@ For a summary of all Azure network security Zero Trust recommendations, see [Azu
 
 ## Recommendations
 
-| Recommendation | Risk level | User impact | Implementation cost |
-|---|---|---|---|
-| [!INCLUDE [DDoS Protection is enabled for all public IP addresses in VNets](includes/25533.md)] | High | Low | Low |
-| [!INCLUDE [Metrics are enabled for DDoS-protected public IPs](includes/26885.md)] | Medium | Low | Low |
-| [!INCLUDE [Diagnostic logging is enabled for DDoS-protected public IPs](includes/26886.md)] | Medium | Low | Low |
+### DDoS Protection is enabled for all public IP addresses in VNets
+
+[!INCLUDE [DDoS Protection is enabled for all public IP addresses in VNets](includes/25533.md)]
+
+### Metrics are enabled for DDoS-protected public IPs
+
+[!INCLUDE [Metrics are enabled for DDoS-protected public IPs](includes/26885.md)]
+
+### Diagnostic logging is enabled for DDoS-protected public IPs
+
+[!INCLUDE [Diagnostic logging is enabled for DDoS-protected public IPs](includes/26886.md)]
 
 ## Related content
 
diff --git a/articles/networking/security/zero-trust-front-door-waf.md b/articles/networking/security/zero-trust-front-door-waf.md
@@ -17,16 +17,37 @@ For a summary of all Azure network security Zero Trust recommendations, see [Azu
 
 ## Recommendations
 
-| Recommendation | Risk level | User impact | Implementation cost |
-|---|---|---|---|
-| [!INCLUDE [Azure Front Door WAF is enabled in prevention mode](includes/25543.md)] | High | Low | Low |
-| [!INCLUDE [Request body inspection is enabled in Azure Front Door WAF](includes/26880.md)] | High | Low | Low |
-| [!INCLUDE [Default rule set is assigned in Azure Front Door WAF](includes/26883.md)] | High | Low | Low |
-| [!INCLUDE [Bot protection rule set is enabled and assigned in Azure Front Door WAF](includes/26884.md)] | High | Low | Low |
-| [!INCLUDE [Rate limiting is enabled in Azure Front Door WAF](includes/27018.md)] | High | Low | Medium |
-| [!INCLUDE [JavaScript challenge is enabled in Azure Front Door WAF](includes/27019.md)] | Medium | Low | Low |
-| [!INCLUDE [CAPTCHA challenge is enabled in Azure Front Door WAF](includes/27020.md)] | Medium | Low | Low |
-| [!INCLUDE [Diagnostic logging is enabled in Azure Front Door WAF](includes/26889.md)] | High | Low | Low |
+### Azure Front Door WAF is enabled in prevention mode
+
+[!INCLUDE [Azure Front Door WAF is enabled in prevention mode](includes/25543.md)]
+
+### Request body inspection is enabled in Azure Front Door WAF
+
+[!INCLUDE [Request body inspection is enabled in Azure Front Door WAF](includes/26880.md)]
+
+### Default rule set is assigned in Azure Front Door WAF
+
+[!INCLUDE [Default rule set is assigned in Azure Front Door WAF](includes/26883.md)]
+
+### Bot protection rule set is enabled and assigned in Azure Front Door WAF
+
+[!INCLUDE [Bot protection rule set is enabled and assigned in Azure Front Door WAF](includes/26884.md)]
+
+### Rate limiting is enabled in Azure Front Door WAF
+
+[!INCLUDE [Rate limiting is enabled in Azure Front Door WAF](includes/27018.md)]
+
+### JavaScript challenge is enabled in Azure Front Door WAF
+
+[!INCLUDE [JavaScript challenge is enabled in Azure Front Door WAF](includes/27019.md)]
+
+### CAPTCHA challenge is enabled in Azure Front Door WAF
+
+[!INCLUDE [CAPTCHA challenge is enabled in Azure Front Door WAF](includes/27020.md)]
+
+### Diagnostic logging is enabled in Azure Front Door WAF
+
+[!INCLUDE [Diagnostic logging is enabled in Azure Front Door WAF](includes/26889.md)]
 
 ## Related content
 
diff --git a/articles/networking/security/zero-trust-network-security.md b/articles/networking/security/zero-trust-network-security.md
