Merge pull request #307508 from MicrosoftDocs/main

Auto Publish – main to live - 2025-10-29 11:00 UTC

Author: learn-build-service-prod[bot]

articles/azure-compute-fleet/overview.md

@@ -7,7 +7,7 @@ ms.topic: overview
 ms.service: azure-compute-fleet
 ms.custom:
   - ignite-2024
-ms.date: 04/21/2025
+ms.date: 10/29/2025
 ms.reviewer: jushiman
 # Customer intent: As a cloud administrator, I want to deploy and manage multiple virtual machines efficiently using an automated compute resource management tool, so that I can optimize resource allocation based on cost and capacity while ensuring high availability for my workloads.
 ---
@@ -32,7 +32,6 @@ Using Azure Compute Fleet, you can:
 ## Features and benefits
 
 - **Multiple VM series:** Compute Fleet launches multiple VM series within a given fleet. Overall availability in the fleet is enhanced by ensuring it isn't reliant on any single VM type.
-- **Distributing VMs across Availability Zones:** Compute Fleet automatically distributes VMs across multiple Availability Zones to ensure high availability and resilience against potential zone failures.
 - **Diverse pricing models:** Compute Fleet leverages various purchasing options, including Spot VMs for cost savings and standard pay-as-you-go VMs. You can also integrate Azure Reserved Instances and Savings Plans to optimize costs while ensuring consistent capacity. There's no extra charge for using Azure Compute Fleet. You're only charged for the VMs your Compute Fleet launches per hour. For more information, see [states and billing status of Azure VMs](/azure/virtual-machines/states-billing).
 - **Automated Replacement of Spot VMs:** When using Spot VMs, Compute Fleet can automatically replace Spot VMs when evicted due to price fluctuations or capacity constraints.
 - **Multi-Region deployment:** Compute Fleet allows you to dynamically distribute workloads across multiple regions. For more information, see [Multi-Region Compute Fleet (Preview)](multi-region-compute-fleet.md).

articles/azure-functions/dotnet-aspire-integration.md

@@ -180,6 +180,155 @@ By default, when you publish an Azure Functions project to Azure, it's deployed
 
 During the preview period, the container app resources don't support event-driven scaling. Azure Functions support is not available for apps deployed in this mode. If you need to open a support ticket, select the Azure Container Apps resource type.
 
+### Access keys
+
+Several Azure Functions scenarios use access keys to provide a basic mitigation against unwanted access. For example, HTTP trigger functions by default require an access key to be invoked, though this requirement can be disabled using the [`AuthLevel` property](./functions-bindings-http-webhook-trigger.md#attributes). See [Work with access keys in Azure Functions](./function-keys-how-to.md) for scenarios which may require a key.
+
+When you deploy a Functions project using Aspire to Azure Container Apps, the system doesn't automatically create or manage Functions access keys. If you need to use access keys, you can manage them as part of your App Host setup. This section shows you how to create an extension method that you can call from your app host's `Program.cs` file to create and manage access keys. This approach uses Azure Key Vault to store the keys and mounts them into the container app as secrets.
+
+> [!NOTE]
+> The behavior here relies on the `ContainerApps` secret provider, which is only available starting with Functions host version `4.1044.0`. This version is not yet available in all regions, and until it is, when you publish your Aspire project, the base image used for the Functions project may not include the necessary changes.
+
+These steps require Bicep version `0.38.3` or later. You can check your Bicep version by running `bicep --version` from a command prompt. If you have the Azure CLI installed, you can use `az bicep upgrade` to quickly update Bicep to the latest version.
+
+Add the following NuGet packages to your app host project:
+- [Aspire.Hosting.Azure.AppContainers](https://www.nuget.org/packages/Aspire.Hosting.Azure.AppContainers)
+- [Aspire.Hosting.Azure.KeyVault](https://www.nuget.org/packages/Aspire.Hosting.Azure.KeyVault)
+
+Create a new class in your app host project and include the following code:
+
+```csharp
+using Aspire.Hosting.Azure;
+using Azure.Provisioning.AppContainers;
+
+namespace Aspire.Hosting;
+
+internal static class Extensions
+{
+    private record SecretMapping(string OriginalName, IAzureKeyVaultSecretReference Reference);
+
+    public static IResourceBuilder<T> PublishWithContainerAppSecrets<T>(
+        this IResourceBuilder<T> builder,
+        IResourceBuilder<AzureKeyVaultResource>? keyVault = null,
+        string[]? hostKeyNames = null,
+        string[]? systemKeyExtensionNames = null)
+        where T : AzureFunctionsProjectResource
+    {
+        if (!builder.ApplicationBuilder.ExecutionContext.IsPublishMode)
+        {
+            return builder;
+        }
+
+        keyVault ??= builder.ApplicationBuilder.AddAzureKeyVault("functions-keys");
+
+        var hostKeysToAdd = (hostKeyNames ?? []).Append("default").Select(k => $"host-function-{k}");
+        var systemKeysToAdd = systemKeyExtensionNames?.Select(k => $"host-systemKey-{k}_extension") ?? [];
+        var secrets = hostKeysToAdd.Union(systemKeysToAdd)
+            .Select(secretName => new SecretMapping(
+                secretName,
+                CreateSecretIfNotExists(builder.ApplicationBuilder, keyVault, secretName.Replace("_", "-"))
+            )).ToList();
+
+        return builder
+            .WithReference(keyVault)
+            .WithEnvironment("AzureWebJobsSecretStorageType", "ContainerApps")
+            .PublishAsAzureContainerApp((infra, app) => ConfigureFunctionsContainerApp(infra, app, builder.Resource, secrets));
+    }
+
+    private static void ConfigureFunctionsContainerApp(
+        AzureResourceInfrastructure infrastructure, 
+        ContainerApp containerApp, 
+        IResource resource, 
+        List<SecretMapping> secrets)
+    {
+        const string volumeName = "functions-keys";
+        const string mountPath = "/run/secrets/functions-keys";
+
+        var appIdentityAnnotation = resource.Annotations.OfType<AppIdentityAnnotation>().Last();
+        var containerAppIdentityId = appIdentityAnnotation.IdentityResource.Id.AsProvisioningParameter(infrastructure);
+
+        var containerAppSecretsVolume = new ContainerAppVolume
+        {
+            Name = volumeName,
+            StorageType = ContainerAppStorageType.Secret
+        };
+
+        foreach (var mapping in secrets)
+        {
+            var secret = mapping.Reference.AsKeyVaultSecret(infrastructure);
+
+            containerApp.Configuration.Secrets.Add(new ContainerAppWritableSecret()
+            {
+                Name = mapping.Reference.SecretName.ToLowerInvariant(),
+                KeyVaultUri = secret.Properties.SecretUri,
+                Identity = containerAppIdentityId
+            });
+
+            containerAppSecretsVolume.Secrets.Add(new SecretVolumeItem
+            {
+                Path = mapping.OriginalName.Replace("-", "."),
+                SecretRef = mapping.Reference.SecretName.ToLowerInvariant()
+            });
+        }
+
+        containerApp.Template.Containers[0].Value!.VolumeMounts.Add(new ContainerAppVolumeMount
+        {
+            VolumeName = volumeName,
+            MountPath = mountPath
+        });
+        containerApp.Template.Volumes.Add(containerAppSecretsVolume);
+    }
+
+    public static IAzureKeyVaultSecretReference CreateSecretIfNotExists(
+        IDistributedApplicationBuilder builder,
+        IResourceBuilder<AzureKeyVaultResource> keyVault,
+        string secretName)
+    {
+        var secretParameter = ParameterResourceBuilderExtensions.CreateDefaultPasswordParameter(builder, $"param-{secretName}", special: false);
+        builder.AddBicepTemplateString($"key-vault-key-{secretName}", """
+                param location string = resourceGroup().location
+                param keyVaultName string
+                param secretName string
+                @secure()
+                param secretValue string    
+
+                // Reference the existing Key Vault
+                resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
+                  name: keyVaultName
+                }
+
+                // Deploy the secret only if it does not already exist
+                @onlyIfNotExists()
+                resource newSecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
+                  parent: keyVault
+                  name: secretName
+                  properties: {
+                      value: secretValue
+                  }
+                }
+                """)
+            .WithParameter("keyVaultName", keyVault.GetOutput("name"))
+            .WithParameter("secretName", secretName)
+            .WithParameter("secretValue", secretParameter);
+
+        return keyVault.GetSecret(secretName);
+    }
+}
+```
+
+You can then use this method in your app host's `Program.cs` file:
+
+```csharp
+builder.AddAzureFunctionsProject<Projects.MyFunctionsProject>("MyFunctionsProject")
+       .WithHostStorage(storage)
+       .WithExternalHttpEndpoints()
+       .PublishWithContainerAppSecrets(systemKeyExtensionNames: ["mcp"]);
+```
+
+This example uses a default key vault created by the extension method. It results in a default key and a system key for use with the [Model Context Protocol extension](./functions-bindings-mcp.md#connect-to-your-mcp-server).
+
+To use these keys from clients, you need to retrieve them from the key vault.
+
 ## Considerations and best practices
 
 Consider the following points when you're evaluating the integration of Azure Functions with Aspire:

articles/azure-functions/function-keys-how-to.md

@@ -63,7 +63,8 @@ Keys are stored as part of your function app in Azure and are encrypted at rest.
 | A second storage account | `blob` | Stores keys in Blob storage in a storage account that's different than the one used by the Functions runtime. The specific account and container used are defined by a shared access signature (SAS) URL set in the [`AzureWebJobsSecretStorageSas`](functions-app-settings.md#azurewebjobssecretstoragesas) setting. You must maintain the `AzureWebJobsSecretStorageSas` setting when the SAS URL changes. |
 | [Azure Key Vault](/azure/key-vault/general/overview) | `keyvault` | The key vault set in [`AzureWebJobsSecretStorageKeyVaultUri`](functions-app-settings.md#azurewebjobssecretstoragekeyvaulturi) is used to store keys. | 
 | File system  | `files` | Keys are persisted on the local file system, which is the default in Functions v1.x. File system storage isn't recommended. |
-| Kubernetes Secrets  |`kubernetes` | The resource set in [AzureWebJobsKubernetesSecretName](functions-app-settings.md#azurewebjobskubernetessecretname) is used to store keys. Supported only when your function app is deployed to Kubernetes. The [Azure Functions Core Tools](functions-run-local.md) generates the values automatically when you use it to deploy your app to a Kubernetes cluster. [Immutable secrets](https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable) aren't supported. | 
+| Kubernetes Secrets  |`kubernetes` | The resource set in [AzureWebJobsKubernetesSecretName](functions-app-settings.md#azurewebjobskubernetessecretname) is used to store keys. Supported only when your function app is deployed to Kubernetes. The [Azure Functions Core Tools](functions-run-local.md) generates the values automatically when you use it to deploy your app to a Kubernetes cluster. [Immutable secrets](https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable) aren't supported. |
+| Azure Container Apps secrets | `ContainerApps` | Keys are stored in the Azure Container Apps secrets store. Supported only when your function app is deployed to Azure Container Apps. |
 
 When you use Key Vault for key storage, the app settings you need depend on the managed identity type, either system-assigned or user-assigned. 
 

articles/azure-netapp-files/azure-netapp-files-metrics.md

@@ -287,22 +287,22 @@ Azure NetApp Files provides metrics on allocated storage, actual storage usage,
     Whether the status of the volume replication is transferring. 
 
 - *Volume replication lag time* <br>
-    Lag time is the actual amount of time the replication lags behind the source. It indicates the age of the replicated data in the destination volume relative to the source volume.
+    The delay between when data is written to the source volume and when it’s available on the destination volume.
 
 > [!NOTE]
 > When assessing the health status of the volume replication, consider the volume replication lag time. If the lag time is greater than the replication schedule, the replication volume won't catch up to the source. To resolve this issue, adjust the replication speed or the replication schedule. 
 
 - *Volume replication last transfer duration*   
-    The amount of time in seconds it took for the last transfer to complete. 
+    The time taken for the most recent replication session to transfer all changed data (example: blocks, snapshots) from the source volume to the destination volume. 
 
 - *Volume replication last transfer size*    
-    The total number of bytes transferred as part of the last transfer. 
-
+    The total amount of data transferred during the most recent replication session from a source volume to its destination volume.
+  
 - *Volume replication progress*    
     The total amount of data in bytes transferred for the current transfer operation. 
 
 - *Volume replication total transfer*   
-    The cumulative bytes transferred for the relationship. 
+    The cumulative volume of data transferred from the source volume to the destination volume throughout the entire lifetime of the replication relationship. 
 
 ## Throughput metrics for capacity pools   
 

articles/azure-vmware/configure-azure-elastic-san.md

@@ -27,19 +27,19 @@ The following prerequisites are required to continue.
 
 > [!IMPORTANT]
 > As of November 2025, creating and deleting an Azure Elastic SAN based datastore in Azure VMware Solution requires appropriate permissions. If you're using built-in roles such as Owner and Contributor across the these two services, no changes are necessary. If you're using custom roles, ensure you have the correct permissions configured.
-> <details><summary>For a complete list of required permissions, expand this section.</summary>
-> > To create an Elastic SAN datastore, you must have the following permissions:
-- `Microsoft.AVS/privateClouds/clusters/datastores/write`
-- `Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/write`
-- `Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/read`
-
-> To delete an Elastic SAN datastore, you must have the following permissions:
-- `Microsoft.AVS/privateClouds/clusters/datastores/write`
-- `Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/write`
-- `Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/read`
-
-> For information about creating and modifying custom roles, see [create or update Azure custom roles using the Azure portal](../role-based-access-control/custom-roles-portal.md).
-
+><details><summary>For a complete list of required permissions, expand this section.</summary>
+>
+>To create an Elastic SAN datastore, you must have the following permissions:
+>- `Microsoft.AVS/privateClouds/clusters/datastores/write`
+>- `Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/write`
+>- `Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/read`
+>
+>To delete an Elastic SAN datastore, you must have the following permissions:
+>- `Microsoft.AVS/privateClouds/clusters/datastores/write`
+>- `Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/write`
+>- `Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/read`
+>
+>For information about creating and modifying custom roles, see [create or update Azure custom roles using the Azure portal](../role-based-access-control/custom-roles-portal.md).
 </details>
 
 - Have a fully configured Azure VMware solution private cloud in a [region that Elastic SAN is available in](../storage/elastic-san/elastic-san-create.md).