Merge pull request #314775 from MicrosoftDocs/main

learn-build-service-prod[bot] · web-flow · commit 8295ff3edaff · 2026-04-15T17:12:18.000Z
Auto Publish – main to live - 2026-04-15 17:00 UTC
diff --git a/articles/expressroute/gateway-migration.md b/articles/expressroute/gateway-migration.md
@@ -96,7 +96,7 @@ For detailed troubleshooting errors and best practices, see [Troubleshooting Gat
 
 ### How do I add a second prefix to the GatewaySubnet?
 
-Adding multiple prefixes to the GatewaySubnet is currently in Public Preview and supported only via PowerShell. When you add an additional prefix, both prefixes will be used by the migrated gateway, so don't delete the old prefix. For instructions, see [Create multiple prefixes for a subnet](../virtual-network/how-to-multiple-prefixes-subnet.md).
+Adding multiple prefixes to the GatewaySubnet is available currently via command line (PowerShell, CLI) or Azure Resource Manager Templates. When you add an additional prefix, both prefixes will be used by the migrated gateway, so don't delete the old prefix. For instructions, see [Create multiple prefixes for a subnet](../virtual-network/how-to-multiple-prefixes-subnet.md).
 
 ### How do I monitor the health of the new gateway?
 
diff --git a/articles/firewall/firewall-faq.yml b/articles/firewall/firewall-faq.yml
@@ -359,6 +359,10 @@ sections:
           TCP ping is a unique use case where if there's no allowed rule, the Firewall itself responds to the client's TCP ping request even though the TCP ping doesn't reach the target IP address/FQDN. In this case, the event isn't logged. If there's a network rule that allows access to the target IP address/FQDN, then the ping request reaches the target server and its response is relayed back to the client. This event is logged in the Network rules log.
 
 
+      - question: Why do TCP ping and similar tools successfully connect to a target FQDN/IP address on ports 80, 443, and 1433 but aren't observed in the Azure Firewall logs?
+        answer: |
+          Azure Firewall acts as a passive listener for ports 80, 443, and 1433. Azure Firewall doesn't log TCP SYN packets on these ports unless there's application traffic. The HTTP GET request and TLS client hello are logged in Azure Firewall.
+
       - question: Are there limits for the number of IP addresses supported by IP Groups?
         answer: |
           Yes. For more information, see [Azure subscription and service limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-firewall-limits)
diff --git a/articles/governance/policy/concepts/policy-for-kubernetes.md b/articles/governance/policy/concepts/policy-for-kubernetes.md
@@ -616,11 +616,11 @@ Patch CVE-2026-25679, CVE-2026-27142, CVE-2026-27139, and CVE-2026-32280.
 Security improvements.
 - Released: May 2026
 - Kubernetes: 1.36+
-- Gatekeeper: 3.22.0
+- Gatekeeper: 3.22.1
 
-##### Gatekeeper 3.22.0
-Gatekeeper Release: https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.22.0
-Changes: https://github.com/open-policy-agent/gatekeeper/compare/v3.20.1...v3.22.0
+##### Gatekeeper 3.22.1
+Gatekeeper Release: https://github.com/open-policy-agent/gatekeeper/releases/tag/v3.22.1
+Changes: https://github.com/open-policy-agent/gatekeeper/compare/v3.20.1...v3.22.1
 
 #### 1.15.5
 Security improvements.
diff --git a/articles/nat-gateway/nat-overview.md b/articles/nat-gateway/nat-overview.md
diff --git a/articles/network-watcher/traffic-analytics-rule-impact-analyzer.md b/articles/network-watcher/traffic-analytics-rule-impact-analyzer.md
@@ -11,7 +11,7 @@ ms.topic: how-to
 
 # Analyze security rules using Rule Impact Analyzer in Traffic Analytics (preview)
 
-In this article, you learn how to use the rule impact analyzer feature with network groups in Azure Virtual Network Manager. You can use the Azure portal to create a security admin configuration, add a security admin rule, and simulate the impact of your rule changes before deploying them.
+In this article, you learn how to use the rule impact analyzer feature with network groups in the traffic analytics blade of Network Watcher. You can use the Azure portal to create a security admin configuration, add a security admin rule, and simulate the impact of your rule changes before deploying them.
 
 The rules impact analyzer enables you to preview the impact of security admin rules and network security group (NSG) rules before applying them to your environment. This feature helps you validate rule behavior, identify potential conflicts, and ensure that connectivity requirements are met without disrupting live traffic. By understanding the impact of your proposed rules changes, you can confidently plan changes, maintain compliance, and reduce the risk of misconfiguration across your virtual networks.
 
diff --git a/articles/sentinel/datalake/gql-reference-for-sentinel-custom-graph.md b/articles/sentinel/datalake/gql-reference-for-sentinel-custom-graph.md
@@ -96,16 +96,18 @@ Path patterns describe multi-hop relationships in your graph:
 ```gql
 (a)-[e1]->;(b)-[e2]->(c)     -- 2-hop path 
 (a)-[e]->;{2,4}(b)              -- 2 to 4 hops
-(a)-[e]->{1,}(b)             -- 1 or more hops
+(a)-[e]->{1,}(b)             -- 1 to maximum of 8 hops
 (a)-[:knows|likes]->;{1,3}(b)  -- 1-3 hops via knows/likes 
 p=()-[:works_at]->()         -- Binding a path variable 
 ```
 
 **Variable-length paths:**
 
 - `{2,4}`: Exactly 2 to 4 hops
-- `{1,}`: 1 or more hops (unbounded)
-- `{,3}`: Up to 3 hops
+- `{1,}`: 1 or more hops (unbounded). Unbounded path queries are limited to 8 hops.
+
+- `{,5}`: Up to 5 hops
+
 - `{5}`: Exactly 5 hops
 
 ### Path variables
diff --git a/articles/sentinel/datalake/sentinel-graph-provider-reference.md b/articles/sentinel/datalake/sentinel-graph-provider-reference.md
@@ -883,7 +883,7 @@ Node builder after data source is set: configuration methods available.
 NodeBuilderSourceSet(alias: str, graph_builder: GraphSpecBuilder, source_step: DataInputETLStep)
 ```
 
-**Note:** Created internally by NodeBuilderInitial source methods.
+**Note:** Created internally by NodeBuilderInitial source methods. 
 
 #### Methods
 
@@ -979,6 +979,8 @@ Configure columns with required key and display designation.
 - Time filter column is automatically added if specified
 - Property types are auto-inferred from source schema
 
+- See **Restrictions** 
+
 **Example:**
 ```python
 builder.add_node("user").from_table("Users") \
@@ -2483,6 +2485,10 @@ builder.add_node("user") \
     .add_edge("follows")
 ```
 
+### Restrictions
+
+Builder support methods - add_node() and add_edge() does not allow use of underscores ('_') when naming nodes, edges or properties in a custom graph. Graph building operations will fail surfacing an invalid request error.
+
 ### Union Schemas
 
 Multiple edges with the same alias are automatically union'ed with merged properties:
