Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr

Author: RoseHJM

.openpublishing.redirection.json

@@ -2755,6 +2755,11 @@
       "redirect_url": "/azure/azure-portal/azure-portal-supported-browsers-devices",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/azure-resource-manager/bicep/deploy-vscode.md",
+      "redirect_url": "/azure/azure-resource-manager/bicep/deploy-visual-studio-code",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/azure-resource-manager/management/control-plane-metrics.md",
       "redirect_url": "/azure/azure-resource-manager/management/monitor-resource-manager",
@@ -6894,6 +6899,11 @@
       "source_path": "articles/cyclecloud/how-to/collect-custom-metrics-gpu-infiniband-telegraf.md",
       "redirect_url": "/azure/cyclecloud/how-to/monitor-cyclecloud-cluster-using-prometheus-grafana",
       "redirect_document_id": false
-    }    
+    },
+    {
+      "source_path": "articles/application-gateway/for-containers/quickstart-deploy-application-gateway-for-containers-alb-controller.md",
+      "redirect_url": "/azure/application-gateway/for-containers/quickstart-deploy-application-gateway-for-containers-alb-controller-addon",
+      "redirect_document_id": false
+    }
   ]
 }

articles/api-management/breaking-changes/managed-certificates-suspension-august-2025.md

@@ -6,7 +6,7 @@ author: dlepow
 ms.service: azure-api-management
 ms.topic: reference
 ai-usage: ai-assisted
-ms.date: 01/26/2026
+ms.date: 02/06/2026
 ms.author: danlep
 ---
 
@@ -36,11 +36,37 @@ If you need to add new managed certificates, plan to do so before August 15, 202
 
 If you already have managed certificates for your custom domains, do the following to ensure continued access:
 
-- Ensure that your API Management service allows [inbound traffic from DigiCert IP addresses on port 80](#allow-access-to-digicert-ip-addresses). This access is now required for the certificate autorenewal process.
+1. Ensure that your API Management service [allows inbound traffic from DigiCert IP addresses on port 80](#step-1-allow-access-to-digicert-ip-addresses). This access is now required for the certificate autorenewal process.
+1. [Configure DNS records](#step-2-configure-dns-records) to resolve your custom domain name.
+1. [Allow API Management service access to port 80](#step-3-allow-api-management-service-access-to-port-80) if you have inbound network restrictions in place.
 
+### Step 1: Allow access to DigiCert IP addresses
 
 [!INCLUDE [api-management-managed-certificate-ip-access.md](../../../includes/api-management-managed-certificate-ip-access.md)]
 
+### Step 2: Configure DNS records
+
+Configure DNS records for your custom domain to point to your API Management gateway. The type of DNS record you need to add depends on your API Management tier.
+
+#### DNS records for Developer, Basic, Standard, or Premium tier
+
+1. Add either a [CNAME](/azure/api-management/configure-custom-domain?tabs=custom#cname-record) or A-record with your DNS provider. 
+
+1. Add DigiCert as an authorized certificate authority (CA) in Azure DNS. For this, create a specific CAA record set within your domain's DNS zone using the Azure portal or other management tools.
+
+#### DNS records for Consumption tier
+
+1. Add either a [CNAME](/azure/api-management/configure-custom-domain?tabs=custom#cname-record) or [TXT](/azure/api-management/configure-custom-domain?tabs=managed#txt-record) record with your DNS provider. If you configure both, the TXT record takes precedence.
+1. Add DigiCert as an authorized certificate authority (CA) in Azure DNS. For this, you need to create a specific CAA record set within your domain's DNS zone using the Azure portal or other management tools
+
+### Step 3: Allow API Management service access to port 80
+
+If you have inbound network restrictions configured for your API Management service, allow the Azure API Management resource provider access on port 80. This is required to allow inbound traffic to support certificate revocation list (CRL) checks, certificate renewal, and management communication. 
+
+1. In the Azure portal, go to **Network security groups**.
+1. Select the network security group associated with your API Management subnet.
+1. Under **Settings** > **Inbound security rules**, add a new rule allowing traffic on port 80 from the **ApiManagement** service tag to the API Management instance.
+
 ## Help and support
 
 If you have questions, get answers from community experts in [Microsoft Q&A](https://aka.ms/apim/azureqa/change/captcha-2022). If you have a support plan and need technical help, create a [support request](https://portal.azure.com/#view/Microsoft_Azure_Support/HelpAndSupportBlade/~/overview).

articles/api-management/breaking-changes/trusted-service-connectivity-retirement-march-2026.md

@@ -31,7 +31,7 @@ First, check for an Azure Advisor recommendation:
 
 **If you don't see a recommendation**, your API Management gateway isn't affected by the change.
 
-**If you see a recommendation**, your API Management gateway is affected by the breaking change and you need to take action: 
+**If you see a recommendation**, your API Management gateway has previously sent traffic to the listed Azure services. Because of this, it is considered affected by the breaking change and you need to take action:   
 
 1. Determine if your API Management gateway relies on trusted service connectivity to Azure services. 
 1. If it does, update the networking configuration to eliminate the dependency on trusted service connectivity. If it doesn’t, proceed to the next step. 

articles/api-management/configure-custom-domain.md

@@ -126,6 +126,8 @@ API Management offers a free, managed TLS certificate for your domain, if you do
 * Supports only public domain names
 * Can only be configured when updating an existing API Management instance, not when creating an instance
 
+### Allow access to DigiCert IP addresses
+
 [!INCLUDE [api-management-managed-certificate-ip-access.md](../../includes/api-management-managed-certificate-ip-access.md)]
 
 ---

articles/api-management/import-soap-api.md

@@ -1,12 +1,13 @@
 ---
 title: Import SOAP API to Azure API Management | Microsoft Docs
-description: Learn how to import a SOAP API to Azure API Management as a WSDL specification using the Azure portal, Azure CLI, or Azure PowerShell. Then, test the API in the Azure portal.
+description: Learn how to import a SOAP API to Azure API Management as a WSDL specification using the Azure portal, Azure CLI, or Azure PowerShell. Then, test the API.
 author: dlepow
 ms.service: azure-api-management
 ms.custom: devx-track-azurepowershell, devx-track-azurecli
 ms.topic: how-to
-ms.date: 11/05/2024
+ms.date: 02/02/2026
 ms.author: danlep
+#customer intent: As an API developer, I want to import the WSDL specification for an API by using the best tool for my workflow.
 ---
 # Import SOAP API to API Management
 
@@ -17,23 +18,18 @@ This article shows how to import a WSDL specification, which is a standard XML r
 In this article, you learn how to:
 
 > [!div class="checklist"]
-> * Import a SOAP API
-> * Test the API in the Azure portal
+> - Import a SOAP API
+> - Test the API in the Azure portal
 
 [!INCLUDE [api-management-wsdl-import](../../includes/api-management-wsdl-import.md)]
 
 ## Prerequisites
 
-* An API Management instance. If you don't already have one, complete the following quickstart: [Create an Azure API Management instance](get-started-create-service-instance.md).
-
-* Azure CLI
+- An API Management instance. If you don't already have one, complete the following quickstart: [Create an Azure API Management instance](get-started-create-service-instance.md).
+- Azure CLI
     [!INCLUDE [azure-cli-prepare-your-environment-no-header.md](~/reusable-content/azure-cli/azure-cli-prepare-your-environment-no-header.md)]
-
-
-* Azure PowerShell
+- Azure PowerShell
     [!INCLUDE [azure-powershell-requirements-no-header](~/reusable-content/ce-skilling/azure/includes/azure-powershell-requirements-no-header.md)]
-
-
 
 ## <a name="create-api"> </a>Import a backend API
 
@@ -43,16 +39,20 @@ In this article, you learn how to:
 1. In the left menu, select **APIs** > **+ Add API**.
 1. Under **Create from definition**, select **WSDL**.
 
-    ![SOAP API](./media/import-soap-api/wsdl-api.png)
-1. In **WSDL specification**, enter the URL to your SOAP API, or click **Select a file** to select a local WSDL file.
+   :::image type="content" source="./media/import-soap-api/wsdl-api.png" alt-text="Screenshot shows the WSDL tile for importing your SOAP API.":::
+
+1. In **WSDL specification**, enter the URL to your SOAP API, or choose **Select a file** to select a local WSDL file.
 1. In **Import method**, **SOAP pass-through** is selected by default. 
-    With this selection, the API is exposed as SOAP, and API consumers have to use SOAP rules. If you want to "restify" the API, follow the steps in [Import a SOAP API and convert it to REST](restify-soap-api.md).
 
-    ![Create SOAP API from WSDL specification](./media/import-soap-api/pass-through.png)
+   With this selection, the API is exposed as SOAP, and API consumers have to use SOAP rules. If you want to "restify" the API, follow the steps in [Import a SOAP API and convert it to REST](restify-soap-api.md).
+
+   :::image type="content" source="./media/import-soap-api/pass-through.png" alt-text="Screenshot shows the Create from WSDL page.":::
+
 1. The following API settings are filled automatically based on information from the SOAP API: **Display name**, **Name**, **Description**. Operations are filled automatically with **Display name**, **URL**, and **Description**, and receive a system-generated **Name**.
 1. Enter other API settings. You can set the values during creation or configure them later by going to the **Settings** tab. 
 
-    For more information about API settings, see [Import and publish your first API](import-and-publish.md#import-and-publish-a-backend-api) tutorial.
+   For more information about API settings, see [Import and publish your first API](import-and-publish.md#import-and-publish-a-backend-api) tutorial.
+
 1. Select **Create**.
 
 #### [Azure CLI](#tab/cli)
@@ -113,20 +113,18 @@ Import-AzApiManagementApi -Context $context -ApiId $apiId -SpecificationFormat $
 
 ## Wildcard SOAP action
 
-If you need to pass a SOAP request that doesn't have a dedicated action defined in the API, you can configure a wildcard SOAP action. The wildcard action will match any SOAP request that isn't defined in the API.  
+If you need to pass a SOAP request that doesn't have a dedicated action defined in the API, you can configure a wildcard SOAP action. The wildcard action matches any SOAP request that isn't defined in the API.  
 
 To define a wildcard SOAP action:
 
-1. In the portal, select the API you created in the previous step.
+1. In the Azure portal, select the API you created in the previous step.
 1. In the **Design** tab, select **+ Add Operation**.
 1. Enter a **Display name** for the operation.
-1. In the URL, select `POST` and enter `/?soapAction={any}` in the resource. The template parameter inside the curly brackets is arbitrary and doesn't affect the execution.
+1. In the URL, select `POST` and enter `/?soapAction={any}` in the resource. The template parameter inside the braces is arbitrary and doesn't affect the execution.
 
 > [!NOTE]
 > Don't use the **OpenAPI specification** editor in the **Design** tab to modify a SOAP API.
 
-
-
 [!INCLUDE [api-management-navigate-to-instance.md](../../includes/api-management-append-apis.md)]
 
 [!INCLUDE [api-management-define-api-topics.md](../../includes/api-management-define-api-topics.md)]

articles/api-management/media/import-soap-api/pass-through.png

@@ -4,7 +4,7 @@ description: Learn how to build a multi-region app on Azure App Service that can
 keywords: azure app service, web app, multiregion, multi-region, multiple regions
 author: seligj95
 ms.topic: tutorial
-ms.date: 2/8/2023
+ms.date: 02/08/2023
 ms.author: jordanselig
 ms.service: azure-app-service
 ms.custom:
@@ -418,10 +418,10 @@ Now that you have a service principal that can access your App Service apps, edi
         runs-on: ubuntu-latest
 
         steps:
-          - uses: actions/checkout@v2
+          - uses: actions/checkout@v4
 
           - name: Set up Node.js version
-            uses: actions/setup-node@v1
+            uses: actions/setup-node@v4
             with:
               node-version: ${{ env.NODE_VERSION }}
 
@@ -431,7 +431,7 @@ Now that you have a service principal that can access your App Service apps, edi
               npm run build --if-present
 
           - name: Upload artifact for deployment job
-            uses: actions/upload-artifact@v2
+            uses: actions/upload-artifact@v4
             with:
               name: node-app
               path: .
@@ -445,11 +445,11 @@ Now that you have a service principal that can access your App Service apps, edi
 
         steps:
           - name: Download artifact from build job
-            uses: actions/download-artifact@v2
+            uses: actions/download-artifact@v4
             with:
               name: node-app
 
-          - uses: azure/login@v1
+          - uses: azure/login@v2
             with:
               creds: |
                 {
@@ -461,7 +461,7 @@ Now that you have a service principal that can access your App Service apps, edi
 
           - name: 'Deploy to Azure Web App'
             id: deploy-to-webapp
-            uses: azure/webapps-deploy@v2
+            uses: azure/webapps-deploy@v3
             with:
               app-name: ${{ env.AZURE_WEBAPP_NAME }}
               slot-name: ${{ env.AZURE_WEBAPP_SLOT_NAME }}

articles/app-service/tutorial-multi-region-app.md

@@ -5,7 +5,7 @@ services: application-gateway
 author: mbender-ms
 ms.service: azure-appgw-for-containers
 ms.topic: release-notes
-ms.date: 1/28/2026
+ms.date: 2/7/2026
 ms.author: mbender
 # Customer intent: As a Kubernetes operator, I want to access the release notes for the ALB Controller, so that I can understand the latest updates and changes to optimize my configuration and deployments of Application Gateway for Containers.
 ---
@@ -18,21 +18,24 @@ The ALB Controller is a Kubernetes deployment that orchestrates configuration an
 
 Each release of ALB Controller has a documented helm chart version and supported Kubernetes cluster version.
 
-Instructions for new or existing deployments of ALB Controller are found in the following links:
+Instructions for new or existing deployments of ALB Controller deployed with helm are found in the following links:
 
-- [New deployment of ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md#for-new-deployments)
-- [Upgrade existing ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md#for-existing-deployments)
+- [New deployment of ALB Controller with helm](quickstart-deploy-application-gateway-for-containers-alb-controller-helm.md#for-new-deployments)
+- [Upgrade existing ALB Controller with helm](quickstart-deploy-application-gateway-for-containers-alb-controller-helm.md#for-existing-deployments)
+
+If using the AKS add-on, updates will automatically be applied to the cluster.
 
 ## Latest Release (Recommended)
 
 | ALB Controller Version | Gateway API Version | Minimum Kubernetes Version | Release Notes |
 | ---------------------- | ------------------- | ------------------ | ------------- |
-| 1.9.11 | v1.2.1 | v1.27 | [allowPrivilegeEscalation false](https://github.com/Azure/AKS/issues/5389), [Integration with AKS Istio Service Mesh Add-on](https://github.com/Azure/AKS/issues/5479), [fix for NAP with Karpenter](https://github.com/Azure/AKS/issues/5486), general image updates |
+| 1.9.13 | v1.2.1 | v1.27 | Concurrency-related pod crash fix, security updates |
 
 ## Release history
 
 | ALB Controller Version | Gateway API Version | Minimum Kubernetes Version | Release Notes |
 | ---------------------- | ------------------- | ------------------ | ------------- |
+| 1.9.11 | v1.2.1 | v1.27 | [allowPrivilegeEscalation false](https://github.com/Azure/AKS/issues/5389), [Integration with AKS Istio Service Mesh Add-on](https://github.com/Azure/AKS/issues/5479), [fix for NAP with Karpenter](https://github.com/Azure/AKS/issues/5486), general image updates |
 | 1.8.12 | v1.2.1 | v1.27 | WAF improvements |
 | 1.8.9 | v1.2.1 | v1.27 | [Slow start load balancing algorithm](api-specification-kubernetes.md#alb.networking.azure.io/v1.BackendLoadBalancingPolicy), Image updated to use [Azure Linux 3.0](https://github.com/microsoft/azurelinux), [nodeSelector fix](https://github.com/Azure/AKS/issues/5302), miscellaneous bug fixes and enhancements |
 | 1.7.12 | v1.2.1 | v1.27 | Hotfix for pod crash due to [invalid Provider ID](https://github.com/Azure/AKS/issues/5310) |

articles/application-gateway/for-containers/alb-controller-release-notes.md

@@ -57,6 +57,18 @@ This article provides detailed descriptions and requirements for components of A
 - At this time, the only security policy type offered is `waf` for web application firewall capabilities.
 - The `waf` security policy is a one-to-one mapping between the security policy resource and a Web Application Firewall policy.
   - You can reference only one web application firewall policy in any number of security policies for a defined Application Gateway for Containers resource.
+ 
+### Application Gateway for Containers AKS managed add-on
+
+The AKS add-on for Application Gateway for Containers provides a managed deployment experience by AKS for the ALB Controller, eliminating the need to manually deploy a helm chart.
+
+Some of the benefits of using the managed add-on over a helm based deployment are:
+
+- **Managed updates:** No need to manually update Helm charts; updates are managed by AKS.
+- **Automated identity management:** The add-on automatically creates and configures the managed identity (`applicationloadbalancer-<cluster-name>`) with the required permissions.
+- **Simplified subnet configuration:** A dedicated subnet (`aks-appgateway`) is automatically provisioned with the correct delegation.
+- **Reduced configuration complexity:** No need to manually set up federated credentials or role assignments.
+- **AKS Automatic support:** Add-on deployment is required when using AKS Automatic clusters.
 
 ## Azure / general concepts
 
@@ -125,4 +137,4 @@ Application Gateway for Containers enforces the following timeouts as it initiat
 | Upstream Connect Timeout | 5 seconds | Time for establishing a connection to the backend target. |
 
 > [!NOTE]
-> Request timeout strictly enforces the request to complete in the defined time irrespective if data is actively streaming or the request is idle. For example, if you're serving large file downloads and you expect transfers to take greater than 60 seconds due to size or slow transfer rates, consider increasing the request timeout value or setting it to 0.
+> Request timeout strictly enforces the request to complete in the defined time irrespective if data is actively streaming or the request is idle. For example, if you're serving large file downloads and you expect transfers to take greater than 60 seconds due to size or slow transfer rates, consider increasing the request timeout value or setting it to 0.

articles/application-gateway/for-containers/application-gateway-for-containers-components.md

@@ -78,6 +78,7 @@ A: Yes, however, installation of Application Gateway for Containers on a cluster
 
 ## Next steps
 
-* [Deploy ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md?tabs=install-helm-windows)
+* [Deploy ALB Controller - Add-on](quickstart-deploy-application-gateway-for-containers-alb-controller-addon.md)
+* [Deploy ALB Controller - Helm](quickstart-deploy-application-gateway-for-containers-alb-controller-helm.md)
 * [Application Gateway for Containers components](application-gateway-for-containers-components.md)
 * [Upgrade AKS to CNI Overlay](/azure/aks/upgrade-aks-ipam-and-dataplane#upgrade-an-existing-cluster-to-azure-cni-overlay)