Merge branch 'main' into release-aio-2603

Author: v-alje

articles/azure-functions/durable/choose-orchestration-framework.md

@@ -14,7 +14,7 @@ titleSuffix: Durable Task
 
 # Choose your hosting model
 
-As described in [What is Durable Task?](what-is-durable-task.md), the Durable Task framework supports two hosting models: 
+As described in [What is Durable Task?](what-is-durable-task.md), Durable Task supports two hosting models: 
 - **Azure Functions** (via [Durable Functions](./durable-functions-overview.md))
 - **Self-hosted** (via [the standalone Durable Task SDKs](./durable-task-scheduler/durable-task-overview.md)). 
 
@@ -137,22 +137,11 @@ If you're already using Durable Functions and want to move to a container-based
 
 For detailed migration guidance, see [Migrate from Durable Functions to the Durable Task SDKs](durable-functions-migrate.md).
 
-## Unsupported Durable Task SDKs
+### Durable Task Framework (DTFx)
 
-All Durable Task SDKs are open source and available on GitHub. However, some SDKs aren't officially supported by Microsoft or are still in experimental stages. The following SDKs are currently unsupported:
+The [Durable Task Framework](https://github.com/Azure/durabletask) (DTFx) is a community-maintained, open-source .NET library for durable orchestration. It provides similar orchestration primitives to the modern Durable Task SDKs and continues to be actively used in production by many teams, including within Microsoft. Notably, DTFx is used internally as a dependency of Azure Durable Functions, which is one of the reasons it continues to be maintained. However, it doesn't come with official Microsoft support—bugs and feature requests are addressed on a best-effort basis. It also requires you to manage hosting and operational infrastructure yourself.
 
-### Durable Task Framework (Legacy)
-
-The [Durable Task Framework](https://github.com/Azure/durabletask) (DTFx) is an older, open-source .NET Durable Task library. While it provides similar orchestration primitives, it predates the modern Durable Task SDKs and doesn't include official Microsoft support or the latest features. It also requires you to manage hosting, operational infrastructure, and long-term maintenance yourself.
-
-If you're starting a new project, we recommend using the modern Durable Task SDKs or Durable Functions instead.
-
-### Durable Task SDK for Go
-
-The [Durable Task SDK for Go](https://github.com/Azure/durabletask-go) is a community-supported, open-source library that enables durable orchestration capabilities in Go applications. It's currently in experimental stages, doesn't work with any of the supported Durable Task state storage backends, and isn't recommended for production use.
-
-> [!NOTE]
-> If you're interested in using Durable Task with Go with formal support from Microsoft, consider providing feedback by opening an issue in the [durabletask-go GitHub repository](https://github.com/Azure/durabletask-go/issues).
+If you're starting a new project or need official Microsoft support, we recommend using the modern Durable Task SDKs or Durable Functions instead.
 
 ## Next steps
 

articles/azure-maps/media/private-endpoint/dns-configuration.png

@@ -0,0 +1,122 @@
+---
+title: Use private endpoints with Azure Maps
+description: Learn how to use private endpoints with Azure Maps. 
+author: pbrasil
+ms.author: peterbr 
+ms.date: 02/27/2026
+ms.topic: conceptual
+ms.service: azure-maps
+ms.subservice: authentication
+---
+
+# Use private endpoints with Azure Maps
+
+Azure Maps supports [Azure Private Link](/../private-link/private-link-overview.md), enabling secure access to Azure Maps services through a private endpoint in your virtual network. A private endpoint assigns a private IP address from your virtual network to the Azure Maps service, so traffic between your applications and Azure Maps stays on the Microsoft backbone network instead of the public internet. This provides improved security and network isolation. You can create a private endpoint when you create an Azure Maps account or add one to an existing account.
+
+## Benefits of private endpoints for Azure Maps
+
+Private endpoints provide the following benefits for Azure Maps accounts:
+
+- **No Public Internet Exposure:** You can isolate your Azure Maps account from the public internet to reduce exposure to external threats. Only clients within your private network can access the account. This can be done by blocking external access through the _publicNetworkAccess_ feature.
+- **Secure VNet Communication:** Resources in your virtual network (such as VMs and containers) communicate with Azure Maps **using private IP addresses**. Traffic stays within the VNet, **simplifying network security** and avoiding public networks, which helps meet internal security and compliance requirements.
+
+> [!NOTE]
+> All Azure Maps REST APIs (including Render, Search, Routing, and Weather) are fully supported with Private Link, with no loss of functionality. Using Azure Maps with Private Link works the same as public access, with added security.
+
+## Prerequisites
+
+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn) before you begin.
+
+- An [Azure Maps account](quick-demo-map-app.md#create-an-azure-maps-account). Use a Maps account and a virtual network in the **same Azure region** for optimal performance.
+- **A Virtual Network and Subnet**: A virtual network and subnet in your Azure subscription for the private endpoint. The subnet must have available IP addresses.
+- **Required permissions**
+  - To create a private endpoint that's automatically approved, you need:
+    - **Azure Maps Contributor** on the Azure Maps account
+    - **Network Contributor** on the virtual network
+  - To create a private endpoint that requires manual approval, only the **Network Contributor** role is required.
+- Choose whether Azure automatically manages DNS for the private endpoint using Azure Private DNS, or manage DNS manually. In most cases, Azure Private DNS provides the simplest setup.
+
+## Configure a private endpoint for Azure Maps
+
+To enable private connectivity for an Azure Maps account, create a private endpoint and configure DNS to route traffic through your virtual network.
+
+### 1. Create the private endpoint (Portal or CLI)
+
+In the Azure portal, go to **Create a resource** and search for _Private Endpoint_. You can also create a private endpoint from the **Networking** section of your Azure Maps resource. Select **Create** to open the wizard.
+
+- **Basics:** Select the proper **Subscription** and **Resource Group** for the endpoint resource and choose a Name and Region (use the same region as your VNet).
+- **Resource:** For **Connection method**, choose _Connect to an Azure resource in my directory_. Then set:
+  - **Resource type** = `Microsoft.Maps/accounts`. This tells Azure you want a private link to an Azure Maps account.
+  - **Resource** = _Your Azure Maps account name_. Pick the specific Azure Maps account
+  - **Target sub-resource** = `mapsAccount`. Azure Maps has a single private link subresource representing the account's data plane.
+- **Configuration:** Select the **Virtual Network** and **Subnet** where the private endpoint is placed. Ensure the subnet has space for one IP. Leave **Private DNS integration** enabled unless you plan to configure DNS manually. With DNS integration on, Azure creates a Private DNS zone for `privatelink.account.maps.azure.com` and add the necessary DNS record automatically.
+
+Once creation is complete, go to your Azure Maps account in the portal and navigate to **Networking > Private endpoint connections**. You should see a new connection listed. If the private endpoint creator owns or has the proper permissions on the Azure Maps account, the connection is typically **auto-approved** (status shows **"Approved"**). If it shows **"Pending"**, manual approval may be required. After approval, the private link is established.
+
+#### Example – Using Azure CLI
+
+The following Azure CLI command creates a private endpoint for an Azure Maps account, equivalent to the portal steps above:
+
+```azurecli
+az network private-endpoint create \
+  --name <MyPrivateEndpointName> \
+  --resource-group <MyResourceGroup> \
+  --vnet-name <MyVNetName> \
+  --subnet <MySubnetName> \
+  --private-connection-resource-id "/subscriptions/<SubscriptionID>/resourceGroups/<MyResourceGroup>/providers/Microsoft.Maps/accounts/<MyMapsAccountName>" \
+  --group-id mapsAccount \
+  --connection-name <MyConnectionName>
+```
+
+This command specifies the Maps account resource ID and the `mapsAccount` subresource, along with the virtual network and subnet used for the private endpoint.
+
+### 2. Configure DNS for the private endpoint
+
+If you enabled **Private DNS integration** when creating the private endpoint (the default), Azure automatically creates a Private DNS zone for `privatelink.account.maps.azure.com` in your subscription and links it to your virtual network.
+
+Within this zone, a DNS record maps your Azure Maps account's unique ID and region to the private IP address of the endpoint. For example, if your Maps account client ID is `abc123` and the region is `East US`, the DNS record resolves that hostname to the private endpoint IP address:
+
+- **Record name:** `abc123.eastus.account.maps.azure.com`
+- **Record value:** `10.x.y.z` - The private IP address assigned to the endpoint.
+
+Clients inside the virtual network resolve the hostname to a private IP address for private connectivity, while clients outside the network resolve the same hostname to the Azure Maps public endpoint. This split‑horizon DNS approach lets you use a single endpoint URL both inside and outside the virtual network.
+
+If you don't use automatic DNS integration, configure DNS manually so the Azure Maps account hostname  
+(`<maps-account-client-id>.<location>.privatelink.account.maps.azure.com`) resolves to the private endpoint IP address within your network. For more information, see [Azure Private Endpoint DNS documentation](/../private-link/private-endpoint-dns.md).
+
+### 3. Use the private endpoint in your applications
+
+To use the private endpoint, configure your applications to call the **Azure Maps account-specific endpoint**. You can find this endpoint in the Azure Maps account **Overview** or **Authentication** pages, or in the private endpoint resource under **DNS configuration** (customer-visible FQDNs).
+
+:::image type="content" source="./media/private-endpoint/dns-configuration.png" alt-text="A screenshot showing an Azure portal sidebar menu for a private endpoint resource, highlighting the DNS configuration option under Settings. The menu includes options such as Overview, Activity log, Access control IAM, Tags, Diagnose and solve problems, Resource visualizer, Application security groups, DNS configuration, and Properties.":::
+
+The access pattern is:
+
+`https://{maps-account-client-id}.{location}.privatelink.account.maps.azure.com`
+
+> [!Important]
+> If your application continues to use the default Azure Maps endpoint (such as `atlas.microsoft.com`), requests won't be routed through the private endpoint. Azure Maps SDKs support overriding the default endpoint, so configure your SDK or connection code to use your Azure Maps account–specific hostname. When configured, requests from within your network are automatically routed through Private Link.
+
+### 4. [Optional] Disable public network access
+
+Even after creating a private endpoint, your Azure Maps account's public endpoints remain active by default. This allows existing applications outside the virtual network to continue working until you intentionally restrict them. If you require **exclusive private access**, disable public network access for the Maps account.
+
+In the Azure portal, open your Maps account and go to **Networking**. Set **Public access** to **Disable** and save. Once completed, Azure Maps rejects **any** connection attempts over the public endpoint. This adds an extra layer of protection: even if someone has your Maps authentication key or SAS token, they can't use it from the internet once public access is off.
+
+> You can also disable public access via ARM templates or the Azure CLI by setting the property `publicNetworkAccess` to `Disabled`.
+
+After disabling **Public network access**, validate connectivity from each application. Public endpoints (for example, `atlas.microsoft.com`) are blocked by design, so update all application and SDK configurations to use the private DNS endpoint.
+
+### Other considerations
+
+- **DNS Resolution:** If you can't connect to Azure Maps through the private endpoint, verify your DNS configuration, as DNS issues are a common cause of connectivity problems.
+- **Multiple Networks:** You can create multiple private endpoints for a single Azure Maps account to connect from different virtual networks. Each private endpoint uses one IP address from the selected subnet.
+
+Using Azure Private Link with Azure Maps keeps all application traffic on private networks. This improves security and supports enterprise network policies while maintaining full Azure Maps functionality. Azure Maps is accessed through private IP addresses and DNS, ensuring traffic remains within your controlled network boundary.
+
+Ask Copilot
+
+## Related content
+
+- [Azure Private Endpoint private DNS zone values](/../private-link/private-endpoint-dns.md)
+- [Azure Private Link availability](/../private-link/availability.md)

articles/azure-maps/private-endpoints.md

@@ -32,42 +32,56 @@ items:
       href: tutorial-snap-to-Road.md
 - name: Concepts
   items:
-  - name: Authentication with Azure Maps
-    href: azure-maps-authentication.md
-  - name: Authentication best practices
-    href: authentication-best-practices.md
-  - name: Azure Maps Event Grid integration
-    href: azure-maps-event-grid-integration.md
-  - name: Azure Maps geographic scope
-    href: geographic-scope.md
-  - name: Consent management
-    href: consent-management.md
-  - name: Azure Services that support managed identities
-    href: ../active-directory/managed-identities-azure-resources/managed-identities-status.md
-  - name: Coverage
+  - name: Security & Identity
     items:
-    - name: Coverage
-      href: geographic-coverage.md
-    - name: Geocoding coverage
-      href: geocoding-coverage.md
-    - name: Traffic coverage
-      href: traffic-coverage.md
-    - name: Render coverage
-      href: render-coverage.md
-    - name: Routing coverage
-      href: routing-coverage.md
-    - name: Weather coverage
-      href: weather-coverage.md
-  - name: Localization support
-    href: supported-languages.md
-  - name: Supported map styles
-    href: supported-map-styles.md
-  - name: Zoom levels and tile grid
-    href: zoom-levels-and-tile-grid.md
-  - name: Weather service concepts
-    href: weather-services-concepts.md
-  - name: Weather service FAQ
-    href: weather-services-faq.yml
+    - name: Authentication with Azure Maps
+      href: azure-maps-authentication.md
+    - name: Authentication best practices
+      href: authentication-best-practices.md
+    - name: Azure Maps Event Grid integration
+      href: azure-maps-event-grid-integration.md
+    - name: Consent management
+      href: consent-management.md
+    - name: Use private endpoints with Azure Maps
+      href: private-endpoints.md
+    - name: Azure Services that support managed identities
+      href: ../active-directory/managed-identities-azure-resources/managed-identities-status.md
+  - name: Integration
+    items:
+    - name: Azure Maps Event Grid integration
+      href: azure-maps-event-grid-integration.md
+  - name: Geography & Coverage
+    items:
+      - name: Azure Maps geographic scope
+        href: geographic-scope.md
+      - name: Coverage
+        items:
+        - name: Geographic coverage
+          href: geographic-coverage.md
+        - name: Geocoding coverage
+          href: geocoding-coverage.md
+        - name: Traffic coverage
+          href: traffic-coverage.md
+        - name: Render coverage
+          href: render-coverage.md
+        - name: Routing coverage
+          href: routing-coverage.md
+        - name: Weather coverage
+          href: weather-coverage.md
+      - name: Localization support
+        href: supported-languages.md
+  - name: Maps & Visualization
+    items:
+    - name: Supported map styles
+      href: supported-map-styles.md
+    - name: Zoom levels and tile grid
+      href: zoom-levels-and-tile-grid.md
+  - name: Weather service
+    items:
+    - name: Weather service concepts
+      href: weather-services-concepts.md
+    - name: Weather service FAQ
+      href: weather-services-faq.yml
 - name: How-to guides
   items:
   - name: Migrate from Bing Maps

articles/azure-maps/toc.yml

@@ -20,7 +20,7 @@ The Bicep MCP (Model Context Protocol) server provides AI agents with tools to h
 * **`list_avm_metadata`** - Lists metadata for all Azure Verified Modules (AVM).
 * **`list_az_resource_types_for_provider`** - Lists all Azure resource types for a specific provider, such as Microsoft.Storage.
 
-Use the Bicep MCP server directly in [Visual Studio Code](#visual-studio-code). You can also run it locally with [MCP-compatible services](#integration-with-other-foundry-tools).
+Use the Bicep MCP server directly in [Visual Studio Code](#visual-studio-code). You can also run it locally with [MCP-compatible services](#integration-with-other-ai-services).
 
 ## Limitations
 
@@ -35,7 +35,7 @@ There's no way to definitively guarantee whether the agent orchestrator uses any
 
 The Bicep MCP server is available starting with Visual Studio Code Bicep extension version 0.40.2. For more information about installing, managing, and using Bicep MCP server from VS Code, see [Bicep MCP server](./visual-studio-code.md#bicep-mcp-server).
 
-## Integration with other Foundry Tools
+## Integration with other AI services
 
 You can run the Azure Bicep MCP server locally for Claude Desktop and Code, OpenAI Codex CLI, and LMStudio where you can use it with various models.
 

articles/azure-resource-manager/bicep/bicep-mcp-server.md

@@ -57,5 +57,5 @@ Similar to Azure Communication Services messaging, there are REST APIs for many
 - **[Call Automation REST APIs and SDKs](../concepts/call-automation/call-automation.md)**: Services and AI applications  use Call Automation REST APIs to answer, route, and manage all types of Azure voice and video calls.
 - **[Service-to-service audio streaming](../concepts/call-automation/audio-streaming-concept.md)**: AI applications use Azure's service-to-service WebSockets API to stream audio data. This works in both directions, your AI can listen to a call, and speak.
 - **[Service-to-service real-time transcription](../concepts/call-automation/real-time-transcription.md)**: AI applications use Azure's service-to-service WebSockets API to stream a real-time, Azure-generated transcription. Compared to audio or video content, transcript data is often easier for AI models to reason upon.
-- **[Call recording](../concepts/voice-video-calling/call-recording.md)**: You can record Azure calls in your own datastore and then direct Foundry Tools to process that content.
+- **[Call recording](../concepts/voice-video-calling/call-recording.md)**: You can record Azure calls in your own datastore and then direct the AI service to process that content.
 - **[Client raw audio and video](../concepts/voice-video-calling/media-access.md)**: The Calling client SDK provides APIs for accessing and modifying the raw audio and video feed. An example scenario is taking the video feed, using computer vision to distinguish the human speaker from their background, and customizing that background.