added new docs

Author: naman-msft

scenarios/azure-aks-docs/articles/aks/azure-cni-powered-by-cilium.md

@@ -0,0 +1,229 @@
+---
+title: Configure Azure CNI Powered by Cilium in Azure Kubernetes Service (AKS)
+description: Learn how to create an Azure Kubernetes Service (AKS) cluster with Azure CNI Powered by Cilium.
+ms.topic: how-to
+ms.date: 02/12/2024
+author: asudbring
+ms.author: allensu
+ms.subservice: aks-networking
+ms.custom: references_regions, devx-track-azurecli, build-2023, innovation-engine
+---
+
+# Configure Azure CNI Powered by Cilium in Azure Kubernetes Service (AKS)
+
+Azure CNI Powered by Cilium combines the robust control plane of Azure CNI with the data plane of [Cilium](https://cilium.io/) to provide high-performance networking and security.
+
+By making use of eBPF programs loaded into the Linux kernel and a more efficient API object structure, Azure CNI Powered by Cilium provides the following benefits:
+
+- Functionality equivalent to existing Azure CNI and Azure CNI Overlay plugins
+
+- Improved Service routing
+
+- More efficient network policy enforcement
+
+- Better observability of cluster traffic
+
+- Support for larger clusters (more nodes, pods, and services)
+
+## IP Address Management (IPAM) with Azure CNI Powered by Cilium
+
+Azure CNI Powered by Cilium can be deployed using two different methods for assigning pod IPs:
+
+- Assign IP addresses from an overlay network (similar to Azure CNI Overlay mode)
+
+- Assign IP addresses from a virtual network (similar to existing Azure CNI with Dynamic Pod IP Assignment)
+
+If you aren't sure which option to select, read ["Choosing a network model to use."](./azure-cni-overlay.md#choosing-a-network-model-to-use)
+
+## Versions
+
+| Kubernetes Version | Cilium Version |
+|--------------------|----------------|
+| 1.27 (LTS)         | 1.13.18        |
+| 1.28 (End of Life) | 1.13.18        |
+| 1.29               | 1.14.19        |
+| 1.30 (LTS)         | 1.14.19        |
+| 1.31               | 1.16.6         |
+| 1.32               | 1.17.0         |
+
+See [Supported Kubernetes Versions](./supported-kubernetes-versions.md) for more information on AKS versioning and release timelines.
+
+## Network Policy Enforcement
+
+Cilium enforces [network policies to allow or deny traffic between pods](./operator-best-practices-network.md#control-traffic-flow-with-network-policies). With Cilium, you don't need to install a separate network policy engine such as Azure Network Policy Manager or Calico.
+
+## Limitations
+
+Azure CNI powered by Cilium currently has the following limitations:
+
+* Available only for Linux and not for Windows.
+
+* Cilium L7 policy enforcement is disabled.
+
+* Network policies can't use `ipBlock` to allow access to node or pod IPs. See [frequently asked questions](#frequently-asked-questions) for details and recommended workaround.
+
+* Multiple Kubernetes services can't use the same host port with different protocols (for example, TCP or UDP) ([Cilium issue #14287](https://github.com/cilium/cilium/issues/14287)).
+
+* Network policies may be enforced on reply packets when a pod connects to itself via service cluster IP ([Cilium issue #19406](https://github.com/cilium/cilium/issues/19406)).
+
+* Network policies aren't applied to pods using host networking (`spec.hostNetwork: true`) because these pods use the host identity instead of having individual identities.
+
+## Prerequisites
+
+* Azure CLI version 2.48.1 or later. Run `az --version` to see the currently installed version. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli).
+
+* If using ARM templates or the REST API, the AKS API version must be 2022-09-02-preview or later.
+
+> [!NOTE]
+> Previous AKS API versions (2022-09-02preview to 2023-01-02preview) used the field [`networkProfile.ebpfDataplane=cilium`](https://github.com/Azure/azure-rest-api-specs/blob/06dbe269f7d9c709cc225c92358b38c3c2b74d60/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/preview/2022-09-02-preview/managedClusters.json#L6939-L6955). AKS API versions since 2023-02-02preview use the field [`networkProfile.networkDataplane=cilium`](https://github.com/Azure/azure-rest-api-specs/blob/06dbe269f7d9c709cc225c92358b38c3c2b74d60/specification/containerservice/resource-manager/Microsoft.ContainerService/aks/preview/2023-02-02-preview/managedClusters.json#L7152-L7173) to enable Azure CNI Powered by Cilium.
+
+## Create a new AKS Cluster with Azure CNI Powered by Cilium
+
+### Create a Resource Group
+
+Use the following command to create a resource group. Environment variables are declared and used below to replace placeholders.
+
+```azurecli-interactive
+export RANDOM_SUFFIX=$(openssl rand -hex 3)
+export RESOURCE_GROUP="myResourceGroup$RANDOM_SUFFIX"
+export LOCATION="EastUS2"
+
+az group create \
+    --name $RESOURCE_GROUP \
+    --location $LOCATION
+```
+
+Result:
+
+<!-- expected_similarity=0.3 -->
+```JSON
+{
+  "id": "/subscriptions/xxxxx-xxxxx-xxxxx-xxxxx/resourceGroups/myResourceGroupxxx",
+  "location": "WestUS2",
+  "name": "myResourceGroupxxx",
+  "provisioningState": "Succeeded"
+}
+```
+
+### Assign IP addresses from an overlay network
+
+Use the following commands to create a cluster with an overlay network and Cilium. Environment variables are declared and used below to replace placeholders.
+
+```azurecli-interactive
+export CLUSTER_NAME="myAKSCluster$RANDOM_SUFFIX"
+
+az aks create \
+    --name $CLUSTER_NAME \
+    --resource-group $RESOURCE_GROUP \
+    --location $LOCATION \
+    --network-plugin azure \
+    --network-plugin-mode overlay \
+    --pod-cidr 192.168.0.0/16 \
+    --network-dataplane cilium \
+    --generate-ssh-keys
+```
+
+<!-- expected_similarity=0.3 -->
+```JSON
+{
+  "id": "/subscriptions/xxxxx-xxxxx-xxxxx-xxxxx/resourceGroups/myResourceGroupxxx/providers/Microsoft.ContainerService/managedClusters/myAKSClusterxxx",
+  "location": "WestUS2",
+  "name": "myAKSClusterxxx",
+  "provisioningState": "Succeeded"
+}
+```
+
+> [!NOTE]
+> The `--network-dataplane cilium` flag replaces the deprecated `--enable-ebpf-dataplane` flag used in earlier versions of the aks-preview CLI extension.
+
+## Frequently asked questions
+
+- **Can I customize Cilium configuration?**
+
+    No, AKS manages the Cilium configuration and it can't be modified. We recommend that customers who require more control use [AKS BYO CNI](./use-byo-cni.md) and install Cilium manually.
+
+- **Can I use `CiliumNetworkPolicy` custom resources instead of Kubernetes `NetworkPolicy` resources?**
+
+    `CiliumNetworkPolicy` custom resources are partially supported. Customers may use FQDN filtering as part of the [Advanced Container Networking Services](./advanced-container-networking-services-overview.md) feature bundle.
+
+    This `CiliumNetworkPolicy` example demonstrates a sample matching pattern for services that match the specified label.
+
+    ```yaml
+    apiVersion: "cilium.io/v2"
+    kind: CiliumNetworkPolicy
+    metadata:
+      name: "example-fqdn"
+    spec:
+      endpointSelector:
+        matchLabels:
+          foo: bar
+      egress:
+      - toFQDNs:
+        - matchPattern: "*.example.com"
+    ```
+
+- **Why is traffic being blocked when the `NetworkPolicy` has an `ipBlock` that allows the IP address?**
+
+    A limitation of Azure CNI Powered by Cilium is that a `NetworkPolicy`'s `ipBlock` can't select pod or node IPs.
+
+    For example, this `NetworkPolicy` has an `ipBlock` that allows all egress to `0.0.0.0/0`:
+    ```yaml
+    apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: example-ipblock
+    spec:
+      podSelector: {}
+      policyTypes:
+        - Egress
+      egress:
+        - to:
+          - ipBlock:
+              cidr: 0.0.0.0/0 # This will still block pod and node IPs.
+    ```
+
+    However, when this `NetworkPolicy` is applied, Cilium blocks egress to pod and node IPs even though the IPs are within the `ipBlock` CIDR.
+
+    As a workaround, you can add `namespaceSelector` and `podSelector` to select pods. This example selects all pods in all namespaces:
+    ```yaml
+    apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: example-ipblock
+    spec:
+      podSelector: {}
+      policyTypes:
+        - Egress
+      egress:
+        - to:
+          - ipBlock:
+              cidr: 0.0.0.0/0
+          - namespaceSelector: {}
+          - podSelector: {}
+    ```
+
+    > [!NOTE]
+    > It isn't currently possible to specify a `NetworkPolicy` with an `ipBlock` to allow traffic to node IPs.
+- **Does AKS configure CPU or memory limits on the Cilium `daemonset`?**
+
+    No, AKS doesn't configure CPU or memory limits on the Cilium `daemonset` because Cilium is a critical system component for pod networking and network policy enforcement.
+
+- **Does Azure CNI powered by Cilium use Kube-Proxy?**
+
+    No, AKS clusters created with network dataplane as Cilium don't use Kube-Proxy.
+    If the AKS clusters are on [Azure CNI Overlay](./azure-cni-overlay.md) or [Azure CNI with dynamic IP allocation](./configure-azure-cni-dynamic-ip-allocation.md) and are upgraded to AKS clusters running Azure CNI powered by Cilium, new nodes workloads are created without kube-proxy. Older workloads are also migrated to run without kube-proxy as a part of this upgrade process.
+
+## Next steps
+
+Learn more about networking in AKS in the following articles:
+
+* [Upgrade Azure CNI IPAM modes and Dataplane Technology](upgrade-azure-cni.md).
+
+* [Use a static IP address with the Azure Kubernetes Service (AKS) load balancer](static-ip.md)
+
+* [Use an internal load balancer with Azure Container Service (AKS)](internal-lb.md)
+
+* [Create a basic ingress controller with external network connectivity][aks-ingress-basic]
+
+<!-- LINKS - Internal -->
+[aks-ingress-basic]: ingress-basic.md

scenarios/azure-compute-docs/articles/container-instances/container-instances-quickstart-terraform.md

@@ -0,0 +1,93 @@
+---
+title: 'Quickstart: Create an Azure Container Instance with a public IP address using Terraform'
+description: 'In this article, you create an Azure Container Instance with a public IP address using Terraform'
+ms.topic: quickstart
+ms.service: azure-container-instances
+ms.date: 08/29/2024
+ms.custom: devx-track-terraform, linux-related-content
+author: TomArcherMsft
+ms.author: tarcher
+content_well_notification: 
+  - AI-contribution
+ai-usage: ai-assisted
+---
+
+# Quickstart: Create an Azure Container Instance with a public IP address using Terraform
+
+Use Azure Container Instances to run serverless Docker containers in Azure with simplicity and speed. Deploy an application to a container instance on-demand when you don't need a full container orchestration platform like Azure Kubernetes Service. In this article, you use [Terraform](/azure/terraform) to deploy an isolated Docker container and make its web application available with a public IP address.
+
+[!INCLUDE [Terraform abstract](~/azure-dev-docs-pr/articles/terraform/includes/abstract.md)]
+
+In this article, you learn how to:
+
+> [!div class="checklist"]
+> * Create a random value for the Azure resource group name using [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/resource_group/pet)
+> * Create an Azure resource group using [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)
+> * Create a random value for the container name using [random_string](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string)
+> * Create an Azure container group using [azurerm_container_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_group)
+
+## Prerequisites
+
+- [Install and configure Terraform](/azure/developer/terraform/quickstart-configure)
+
+## Implement the Terraform code
+
+> [!NOTE]
+> The sample code for this article is located in the [Azure Terraform GitHub repo](https://github.com/Azure/terraform/tree/master/quickstart/101-aci-linuxcontainer-public-ip). You can view the log file containing the [test results from current and previous versions of Terraform](https://github.com/Azure/terraform/tree/master/quickstart/101-aci-linuxcontainer-public-ip/TestRecord.md).
+> 
+> See more [articles and sample code showing how to use Terraform to manage Azure resources](/azure/terraform)
+
+1. Create a directory in which to test and run the sample Terraform code and make it the current directory.
+
+1. Create a file named `main.tf` and insert the following code:
+
+    [!code-terraform[master](~/terraform_samples/quickstart/101-aci-linuxcontainer-public-ip/main.tf)]
+
+1. Create a file named `outputs.tf` and insert the following code:
+
+    [!code-terraform[master](~/terraform_samples/quickstart/101-aci-linuxcontainer-public-ip/outputs.tf)]
+
+1. Create a file named `providers.tf` and insert the following code:
+
+    [!code-terraform[master](~/terraform_samples/quickstart/101-aci-linuxcontainer-public-ip/providers.tf)]
+
+1. Create a file named `variables.tf` and insert the following code:
+
+    [!code-terraform[master](~/terraform_samples/quickstart/101-aci-linuxcontainer-public-ip/variables.tf)]
+
+## Initialize Terraform
+
+[!INCLUDE [terraform-init.md](~/azure-dev-docs-pr/articles/terraform/includes/terraform-init.md)]
+
+## Create a Terraform execution plan
+
+[!INCLUDE [terraform-plan.md](~/azure-dev-docs-pr/articles/terraform/includes/terraform-plan.md)]
+
+## Apply a Terraform execution plan
+
+[!INCLUDE [terraform-apply-plan.md](~/azure-dev-docs-pr/articles/terraform/includes/terraform-apply-plan.md)]
+
+## Verify the results
+
+1. When you apply the execution plan, Terraform outputs the public IP address. To display the IP address again, run [terraform output](https://developer.hashicorp.com/terraform/cli/commands/output).
+
+    ```console
+    terraform output -raw container_ipv4_address
+    ```
+
+1. Enter the sample's public IP address in your browser's address bar. 
+
+    :::image type="content" source="./media/container-instances-quickstart-terraform/azure-container-instances-demo.png" alt-text="Screenshot of the Azure Container Instances sample page":::
+
+## Clean up resources
+
+[!INCLUDE [terraform-plan-destroy.md](~/azure-dev-docs-pr/articles/terraform/includes/terraform-plan-destroy.md)]
+
+## Troubleshoot Terraform on Azure
+
+[Troubleshoot common problems when using Terraform on Azure](/azure/developer/terraform/troubleshoot)
+
+## Next steps
+
+> [!div class="nextstepaction"] 
+> [Tutorial: Create a container image for deployment to Azure Container Instances](./container-instances-tutorial-prepare-app.md)

scenarios/azure-compute-docs/articles/virtual-machines/linux/cloud-init.txt

@@ -0,0 +1,41 @@
+#cloud-config
+package_upgrade: true
+packages:
+  - nginx
+  - nodejs
+  - npm
+write_files:
+  - owner: www-data:www-data
+    path: /etc/nginx/sites-available/default
+    defer: true
+    content: |
+      server {
+        listen 80;
+        location / {
+          proxy_pass http://localhost:3000;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection keep-alive;
+          proxy_set_header Host $host;
+          proxy_cache_bypass $http_upgrade;
+        }
+      }
+  - owner: azureuser:azureuser
+    path: /home/azureuser/myapp/index.js
+    defer: true
+    content: |
+      var express = require('express')
+      var app = express()
+      var os = require('os');
+      app.get('/', function (req, res) {
+        res.send('Hello World from host ' + os.hostname() + '!')
+      })
+      app.listen(3000, function () {
+        console.log('Hello world app listening on port 3000!')
+      })
+runcmd:
+  - service nginx restart
+  - cd "/home/azureuser/myapp"
+  - npm init
+  - npm install express -y
+  - nodejs index.js