Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into waf-policy

Author: halkazwini

articles/active-directory-b2c/partner-trusona.md

@@ -19,7 +19,7 @@ ms.custom: sfi-image-nochange
 
 [!INCLUDE [active-directory-b2c-end-of-sale-notice-b](../../includes/active-directory-b2c-end-of-sale-notice-b.md)]
 
-In this sample tutorial, you learn how to integrate Azure AD B2C authentication with [Trusona Authentication Cloud](https://www.trusona.com/white-paper/trusona-authentication-cloud-white-paper). It's a cloud-based service enabling users to authenticate with a **tap-and-go** experience, without the need for any kind of mobile authenticator app.
+In this sample tutorial, you learn how to integrate Azure AD B2C authentication with [Trusona Authentication Cloud](https://www.trusona.com/white-papers). It's a cloud-based service enabling users to authenticate with a **tap-and-go** experience, without the need for any kind of mobile authenticator app.
 
 Benefits of integrating Trusona Authentication Cloud with Azure AD B2C include:
 -	Deliver strong authentication with a better user experience

articles/api-center/key-concepts.md

@@ -3,7 +3,7 @@ title: Azure API Center - Key concepts
 description: Key concepts of Azure API Center. API Center inventories an organization's APIs for discovery, reuse, and governance at scale.
 
 ms.service: azure-api-center
-ms.topic: conceptual
+ms.topic: concept-article
 ms.date: 11/15/2024
 
 ---

articles/api-management/breaking-changes/trusted-service-connectivity-retirement-march-2026.md

@@ -10,7 +10,6 @@ ms.service: azure-api-management
 ai-usage: ai-assisted
 ---
 
-
 # Trusted service connectivity retirement (March 2026)
 
 [!INCLUDE [api-management-availability-all-tiers](../../../includes/api-management-availability-all-tiers.md)]
@@ -60,6 +59,9 @@ APIs in workspaces aren't affect by this change, since they [do not support mana
 
 Your API Management gateway should no longer rely on trusted service connectivity to Azure services. Instead, it should establish a networking line of sight.
 
+> [!TIP]
+> You can get a detailed overview through "Diagnose and solve problems > Availability and Performance" in the Azure Portal on your API Management instance to learn about outbound requests, Entra ID tokens required and if further action is required.
+
 To verify if your API Management gateway relies on trusted connectivity to Azure services, check the networking configuration of all Azure Storage, Key Vault, Key Vault Managed HSM, Service Bus, Event Hubs, and Container Registry resources that your API Management gateway connects to: 
 
 #### For Storage accounts

articles/app-service/app-service-web-tutorial-dotnet-sqldatabase.md

@@ -23,7 +23,7 @@ ms.custom:
 
 When you finish the tutorial, you have an ASP.NET app connected to an Azure SQL database running in Azure. The following example shows the app interface.
 
-![Screenshot that shows a published ASP.NET application in Azure App Service.](./media/app-service-web-tutorial-dotnet-sqldatabase/azure-app-in-browser.png)
+![Screenshot that shows a published ASP.NET to-do list application running in Azure App Service.](./media/app-service-web-tutorial-dotnet-sqldatabase/azure-app-in-browser.png)
 
 In this tutorial, you:
 
@@ -58,7 +58,7 @@ The sample project contains a basic [ASP.NET MVC](https://www.asp.net/mvc) creat
 
 1. In the app, select **Create New** and create a couple of *to-do* items.
 
-   ![Screenshot that shows the ASP.NET web app.](media/app-service-web-tutorial-dotnet-sqldatabase/local-app-in-browser.png)
+   ![Screenshot that shows the ASP.NET to-do list web app running locally in development.](media/app-service-web-tutorial-dotnet-sqldatabase/local-app-in-browser.png)
 
 1. Test the **Edit**, **Details**, and **Delete** links.
 
@@ -86,7 +86,7 @@ To publish the app to Azure, you create and configure a Publish profile that has
 
 1. On the **App Service (Windows)** screen, configure the App Service **Name**, **Resource group**, and **Hosting Plan**.
 
-   ![Screenshot that shows creating an App Service plan.](./media/app-service-web-tutorial-dotnet-sqldatabase/new_rg2.png)
+   ![Screenshot that shows configuring the App Service (Windows) with name, resource group, and hosting plan settings.](./media/app-service-web-tutorial-dotnet-sqldatabase/new_rg2.png)
 
 1. Under **Name**, you can keep the generated web app name, or change it to another name with characters `a-z`, `0-9`, and `-`. The web app name must be unique across all Azure apps.
 
@@ -145,7 +145,7 @@ Before you can create a database, you need a [logical SQL server](/azure/azure-s
 
 1. On the **Connect to Azure SQL Database** screen, select **Finish**.
 
-   ![Screenshot of the screen with messagea about configuring managed identity for the connection to work.](./media/app-service-web-tutorial-dotnet-sqldatabase/connect-warning.png)
+   ![Screenshot of the screen with messages about configuring managed identity for the connection to work.](./media/app-service-web-tutorial-dotnet-sqldatabase/connect-warning.png)
 
    > [!NOTE]
    > If you see **Local user secrets files** instead, make sure you used the **Publish** page, not the **Connected Services** page, to configure SQL Database.
@@ -218,7 +218,7 @@ The Entity Framework 6 provider replaces the built-in `System.Data.SqlClient` SQ
 
 1. To test the app, add a few to-do items.
 
-   ![Screenshot that shows the published ASP.NET application in Azure App Service.](./media/app-service-web-tutorial-dotnet-sqldatabase/azure-app-in-browser.png)
+   ![Screenshot that shows a published ASP.NET to-do list application running in Azure App Service.](./media/app-service-web-tutorial-dotnet-sqldatabase/azure-app-in-browser.png)
 
 Congratulations! Your data-driven ASP.NET application is running live in Azure App Service.
 

articles/app-testing/toc.yml

@@ -158,7 +158,7 @@ items:
         - name: Python
           href: /python/api/overview/azure/load-testing
         - name: REST API
-          href: /rest/api/loadtesting/
+          href: /rest/api/apptesting/loadtest
         - name: Resource Manager template
           displayName: ARM
           href: /azure/templates/microsoft.loadtestservice/allversions

articles/application-gateway/application-gateway-autoscaling-zone-redundant.md

@@ -35,10 +35,12 @@ However, it’s important to note that provisioning a new instance may take appr
 
 For scale-in events, Application Gateway drains existing connections for 5 minutes on the instance that is subject for removal. After 5 minutes, existing connections are closed and the instance removed. Any new connections during or after the 5 minute scale-in time is established to other existing instances on the same gateway.
 
+> [!NOTE]
+> During autoscaling events, brief dips in availability metrics may be observed. This behavior is expected during scaling transitions and typically resolves within seconds.
+
 ## Next steps
 
 - Learn more about zone redundancy in [Reliability for Application Gateway v2](/azure/reliability/reliability-application-gateway-v2)
 - Learn how to [Schedule autoscaling for Application Gateway](application-gateway-externally-managed-scheduled-autoscaling.md)
 - Learn more about [Application Gateway v2](overview-v2.md)
 - [Create an autoscaling, zone redundant application gateway with a reserved virtual IP address using Azure PowerShell](tutorial-autoscale-ps.md)
-

articles/application-gateway/application-gateway-components.md

@@ -131,7 +131,7 @@ A backend pool routes request to backend servers, which serve the request. Backe
 - Public IP addresses
 - Internal IP addresses
 - FQDN (fully qualified domain names) or short names (single-label domain names), provided your DNS server can resolve them
-- Multitenant backends (such as App Service)
+- Multitenant backends such as Azure App Service and Azure Container Apps. See [Protect Container Apps with Application Gateway and WAF](../container-apps/waf-app-gateway.md) for implementation guidance.
 
 Application Gateway backend pool members aren't tied to an availability set. An application gateway can communicate with instances outside of the virtual network that it's in. As a result, the members of the backend pools can be across clusters, across datacenters, or outside Azure, as long as there's IP connectivity.
 

articles/application-gateway/application-gateway-probe-overview.md

@@ -82,6 +82,10 @@ The following table provides definitions for the properties of a custom health p
 | Interval |Probe interval in seconds. This value is the time interval between two consecutive probes |
 | Time-out |Probe time-out in seconds. If a valid response isn't received within this time-out period, the probe is marked as failed  |
 | Unhealthy threshold |Probe retry count. The backend server is marked down after the consecutive probe failure count reaches the unhealthy threshold |
+| MinServers |Minimum number of servers that are always marked healthy. Default value is 0, which means health probe results determine the health status of all backend servers. When set to a value greater than 0, the specified number of servers are always marked as healthy regardless of probe results. This property is only configurable via PowerShell, Azure CLI, or ARM templates (not available in Azure portal).|
+
+> [!WARNING]
+> Use the **MinServers** parameter with caution. When MinServers is set to a value greater than 0, Application Gateway always marks that minimum number of backend servers as healthy, even if their health probes are failing. This can result in traffic being sent to unhealthy servers, potentially causing 502 Bad Gateway errors or other connectivity issues for clients. Only configure MinServers if you have specific availability requirements and understand the implications of overriding health probe results.
 
 ### Probe matching
 

articles/application-gateway/application-gateway-secure-flag-session-affinity.md

@@ -19,6 +19,9 @@ In this guide you learn to create a Rewrite set for your Application Gateway and
 * You must have an Azure subscription. You can create a [free account](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn) before you begin.
 * An existing Application Gateway resource configured with at least one Listener, Rule, Backend Setting and Backend Pool configuration. If you don't have one, you can create one by following the [QuickStart guide](quick-create-portal.md).
 
+> [!IMPORTANT]
+> If your backend application returns multiple Set-Cookie headers (for example, application cookies in addition to the ApplicationGatewayCookie), the simple pattern matching approach shown in this article will apply the rewrite to all Set-Cookie headers. To target only the ApplicationGatewayCookie specifically, use the HeaderValueMatcher pattern matching feature. For more information, see [Pattern matching for Set-Cookie headers](rewrite-http-headers-url.md#pattern-matching).
+
 ## Creating a Rewrite set
 
 1. Sign in to the Azure portal.
@@ -41,6 +44,8 @@ In this guide you learn to create a Rewrite set for your Application Gateway and
     1. Case-sensitive - No
     1. Operator - equal (=)
     1. Pattern to match - (.*)
+        > [!NOTE]
+        > This pattern `(.*)` matches all Set-Cookie headers. If you need to target only the ApplicationGatewayCookie and preserve other Set-Cookie headers, see [Pattern matching for Set-Cookie headers](rewrite-http-headers-url.md#pattern-matching) to use the HeaderValueMatcher feature.
     1. To save these details, select **OK**.
 1. Go to the **Then** box to specify action details.
     1. Rewrite type - Response header
@@ -53,4 +58,5 @@ In this guide you learn to create a Rewrite set for your Application Gateway and
 
 
 ## Next steps
-[Visit other configurations of a Backend Setting](configuration-http-settings.md)
+- [Visit other configurations of a Backend Setting](configuration-http-settings.md)
+- [Learn about pattern matching for Set-Cookie headers](rewrite-http-headers-url.md#pattern-matching)

articles/application-gateway/configuration-listeners.md

@@ -95,7 +95,9 @@ Set-AzApplicationGateway -ApplicationGateway $gw
 > When creating an application gateway resource through the Azure portal, the default option for **HTTP2** is set as enabled. You can choose **Disabled** during creation, and re-enabled HTTP2 support using the Azure portal by selecting **Enabled** under **HTTP2** in **Application gateway > Configuration**.
 >
 > In instances where HTTP2 isn't supported by a client, HTTP1.1 will be used. Enabling HTTP2 doesn't disable HTTP1.1; it allows support for both.
->
+
+> [!NOTE]
+> Application Gateway only supports HTTP/2 over TLS (HTTPS listeners). HTTP/2 Cleartext (h2c) protocol upgrade attempts from HTTP/1.1 are not supported and will result in a 403 Forbidden error. Clients attempting h2c upgrades should use native HTTP/2 connections over HTTPS or remain on HTTP/1.1.
 
 ### WebSocket support