Updating replication agent info and CES preview note

Author: sasapopo

azure-sql/managed-instance/doc-changes-updates-release-notes-whats-new.md

@@ -5,7 +5,7 @@ description: Learn about the new features and documentation improvements for Azu
 author: MashaMSFT
 ms.author: mathoma
 ms.reviewer: wiassaf, mathoma
-ms.date: 05/22/2025
+ms.date: 05/30/2025
 ms.service: azure-sql-managed-instance
 ms.subservice: service-overview
 ms.topic: whats-new
@@ -58,6 +58,7 @@ The following table lists features of Azure SQL Managed Instance that have been
 
 | Feature | GA Month | Details |
 | ---| --- |--- |
+| [TLS 1.3 support for replication](replication-transactional-overview.md#tls-13-support) | May 2025 | Configure Azure SQL Managed Instance replication agents to use TLS 1.3. |
 | [Free SQL Managed Instance](free-offer.md) | May 2025 | Try Azure SQL Managed Instance for free for the first 12 months after an instance is created.  |
 | [JSON native data type](/sql/t-sql/data-types/json-data-type?view=azuresqlmi-current&preserve-view=true) | May 2025 | The **json** data type provides new capabilities for handling semistructured data in Azure SQL Managed Instance. |
 | [JSON aggregate functions](/sql/relational-databases/json/json-data-sql-server?view=azuresqlmi-current&preserve-view=true#json-data-from-aggregates) | May 2025 | Two **json** aggregate functions (`JSON_OBJECTAGG` and `JSON_ARRAYAGG`) enable construction of JSON objects or arrays based on an aggregate from SQL data. |
@@ -86,9 +87,11 @@ Learn about significant changes to the Azure SQL Managed Instance documentation.
 | **JSON native data type GA** |  The  [**json** data type](/sql/t-sql/data-types/json-data-type?view=azuresqlmi-current&preserve-view=true) provides new capabilities for handling semistructured data in Azure SQL Managed Instance. This data type is now generally available. |
 | **JSON aggregate functions GA** | Two [**json** aggregate functions `JSON_OBJECTAGG` and `JSON_ARRAYAGG`](/sql/relational-databases/json/json-data-sql-server?view=azuresqlmi-current&preserve-view=true#json-data-from-aggregates) enable construction of JSON objects or arrays based on an aggregate from SQL data. These JSON functions are now generally available. |
 | **Regular expression functions preview** | Regular expression (REGEX) functions return text based on values in a search pattern. This capability is currently in preview for Azure SQL Managed Instance. For more information, see [Regular expressions](/sql/relational-databases/regular-expressions/overview). |
+| **TLS 1.3 support for replication GA** | Configure Azure SQL Managed Instance replication agents to use TLS 1.3. This capability is generally available. Review [TLS 1.3 support for replication](replication-transactional-overview.md#tls-13-support) to learn more.  |
 | **UNISTR (Transact-SQL) preview** | Azure SQL Managed Instance now supports the `UNISTR` T-SQL syntax for Unicode string literals. This capability is currently in preview. For more information, see [UNISTR (Transact-SQL)](/sql/t-sql/functions/unistr-transact-sql).|
 | **\|\| (String concatenation) and \|\|= (Compound assignment) syntax support preview** | Azure SQL Managed Instance now supports [\|\| (String concatenation)](/sql/t-sql/language-elements/string-concatenation-pipes-transact-sql) and [\|\|= (Compound assignment)](/sql/t-sql/language-elements/compound-assignment-pipes-transact-sql) Transact-SQL syntax. This capability is currently in preview.|
 
+
 ### April 2025
 
 | Changes | Details |

azure-sql/managed-instance/replication-transactional-overview.md

@@ -5,7 +5,7 @@ description: Learn about using SQL Server transactional replication with Azure S
 author: sasapopo
 ms.author: sasapopo
 ms.reviewer: mathoma, randolphwest
-ms.date: 06/10/2024
+ms.date: 05/30/2025
 ms.service: azure-sql-managed-instance
 ms.subservice: data-movement
 ms.topic: conceptual
@@ -77,7 +77,6 @@ The transactional and snapshot replication supportability matrix for Azure SQL M
 
 [!INCLUDE [replication-compat-matrix](../../docs/includes/replication-compat-matrix-transactional.md)]
 
-
 ## When to use
 
 Transactional replication is useful in the following scenarios:
@@ -134,6 +133,18 @@ In this configuration, a database in Azure SQL Database or Azure SQL Managed Ins
 
 ## Security 
 
+### TLS 1.3 support 
+
+Azure SQL Managed Instance supports TLS 1.3 for replication connections initialized by agents configured to run on a SQL managed instance. This applies to a replication topology between two SQL managed instances, and also to any version of SQL Server as a subscriber from a SQL managed instance publisher and distributor. 
+
+If you use TLS 1.3 to secure the connections between instances in a replication topology, specify a value of **3** or **4** for the **-EncryptionLevel** parameter of each replication agent: 
+
+- [Distribution agent](/sql/relational-databases/replication/agents/replication-distribution-agent#encryption-level)
+- [Log reader agent](/sql/relational-databases/replication/agents/replication-log-reader-agent#encryption-level)
+- [Snapshot agent](/sql/relational-databases/replication/agents/replication-snapshot-agent#encryption-level)
+
+A value of `3` enforces TLS 1.3 connections between SQL managed instances, but has not impact on connections between SQL Server and SQL managed instances. A value of `4` enforces TLS 1.3 connections between SQL managed instances, and also connections from SQL managed instance to SQL Server, and requires that you install the certificate to the SQL Server host. 
+
 ### Login `replAgentUser`
 
 For purposes of transactional replication, a SQL managed instance has a pre-created login(s) with the name `replAgentUser`. This login is a member of the `sysadmin` server role and is used by replication agents that need to connect to a SQL managed instance participating in transactional replication setup.

docs/relational-databases/replication/agents/replication-distribution-agent.md

@@ -4,7 +4,7 @@ description: Move a snapshot and the transactions held in the distribution datab
 author: "MashaMSFT"
 ms.author: "mathoma"
 ms.reviewer: randolphwest
-ms.date: 10/16/2024
+ms.date: 05/30/2025
 ms.service: sql
 ms.subservice: replication
 ms.topic: reference
@@ -44,7 +44,7 @@ distrib [ -? ]
 [ -DistributorLogin distributor_login ]
 [ -DistributorPassword distributor_password ]
 [ -DistributorSecurityMode [ 0 | 1 ] ]
-[ -EncryptionLevel [ 0 | 1 | 2 ] ]
+[ -EncryptionLevel [ 0 | 1 | 2 | 3 | 4 ] ]
 [ -ErrorFile error_path_and_file_name ]
 [ -ExtendedEventConfigFile configuration_path_and_file_name ]
 [ -FileTransferType [ 0 | 1 ] ]
@@ -146,15 +146,19 @@ The Distributor password.
 
 Specifies the security mode of the Distributor. A value of 0 indicates [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)] Authentication Mode, and a value of 1 indicates Windows Authentication Mode (default).
 
-#### -EncryptionLevel [ 0 \| 1 \| 2 ]
+<a id="encryptionlevel"></a>
+
+#### -EncryptionLevel [ 0 \| 1 \| 2 \| 3 \| 4 ]
 
 The level of Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), encryption used by the Distribution Agent when making connections.
 
 | EncryptionLevel value | Description |
 | --- | --- |
 | `0` | Specifies that TLS isn't used. |
-| `1` | Specifies that TLS is used, but the agent doesn't verify that the TLS server certificate is signed by a trusted issuer. |
-| `2` | Specifies that TLS is used, and that the certificate is verified. |
+| `1` | Specifies that TLS 1.2 is used, but the agent doesn't verify that the TLS server certificate is signed by a trusted issuer. |
+| `2` | Specifies that TLS 1.2 is used, and that the certificate is verified. |
+| `3` | Specifies that for connections from Azure SQL Managed Instance to Azure SQL Managed Instance, TLS 1.3 is used, and the certificate is verified. For connections between Azure SQL Managed Instance and SQL Server, TLS 1.3 is not enforced. |
+| `4` | Specifies that for connections from Azure SQL Managed Instance to Azure SQL Managed Instance, TLS 1.3 is used, and the certificate is verified. For connections from Azure SQL Managed Instance to SQL Server, TLS 1.3 is used, and the certificate is verified. Requires installing the certificate on SQL Server hosts. |
 
 A valid TLS certificate is defined with a fully qualified domain name of the SQL Server. In order for the agent to connect successfully when setting `-EncryptionLevel` to `2`, create an alias on the local SQL Server. The 'Alias Name' parameter should be the server name and the 'Server' parameter should be set to the fully qualified name of the SQL Server.
 

docs/relational-databases/replication/agents/replication-log-reader-agent.md

@@ -4,7 +4,7 @@ description: The Replication Log Reader Agent monitors SQL Server databases conf
 author: "MashaMSFT"
 ms.author: "mathoma"
 ms.reviewer: randolphwest
-ms.date: 10/15/2024
+ms.date: 05/30/2025
 ms.service: sql
 ms.subservice: replication
 ms.topic: reference
@@ -38,7 +38,7 @@ logread [ -? ]
 [ -DistributorLogin distributor_login ]
 [ -DistributorPassword distributor_password ]
 [ -DistributorSecurityMode [ 0 | 1 ] ]
-[ -EncryptionLevel [ 0 | 1 | 2 ] ]
+[ -EncryptionLevel [ 0 | 1 | 2 | 3 | 4 ] ]
 [ -ExtendedEventConfigFile configuration_path_and_file_name ]
 [ -HistoryVerboseLevel [ 0 | 1 | 2 ] ]
 [ -KeepAliveMessageInterval keep_alive_message_interval_seconds ]
@@ -100,15 +100,19 @@ The Distributor password.
 
 Specifies the security mode of the Distributor. A value of `0` indicates [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)] Authentication Mode (default), and a value of `1` indicates Windows Authentication Mode.
 
-#### -EncryptionLevel [ 0 \| 1 \| 2 ]
+<a id="encryptionlevel"></a>
+
+#### -EncryptionLevel [ 0 \| 1 \| 2 \| 3 \| 4 ]
 
 The level of Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), encryption that is used by the Log Reader Agent when making connections.
 
 | EncryptionLevel value | Description |
 | --- | --- |
 | `0` | Specifies that TLS isn't used. |
-| `1` | Specifies that TLS is used, but the agent doesn't verify that the TLS server certificate is signed by a trusted issuer. |
-| `2` | Specifies that TLS is used, and that the certificate is verified. |
+| `1` | Specifies that TLS 1.2 is used, but the agent doesn't verify that the TLS server certificate is signed by a trusted issuer. |
+| `2` | Specifies that TLS 1.2 is used, and that the certificate is verified. |
+| `3` | Specifies that for connections from Azure SQL Managed Instance to Azure SQL Managed Instance, TLS 1.3 is used, and the certificate is verified. For connections between Azure SQL Managed Instance and SQL Server, TLS 1.3 is not enforced. |
+| `4` | Specifies that for connections from Azure SQL Managed Instance to Azure SQL Managed Instance, TLS 1.3 is used, and the certificate is verified. For connections from Azure SQL Managed Instance to SQL Server, TLS 1.3 is used, and the certificate is verified. Requires installing the certificate on SQL Server hosts. |
 
 > [!NOTE]  
 > A valid TLS/SSL certificate is defined with a fully qualified domain name of the SQL Server. In order for the agent to connect successfully when setting `-EncryptionLevel` to `2`, create an alias on the local SQL Server. The 'Alias Name' parameter should be the server name and the 'Server' parameter should be set to the fully qualified name of the SQL Server.

docs/relational-databases/replication/agents/replication-snapshot-agent.md

@@ -3,7 +3,7 @@ title: "Replication Snapshot Agent"
 description: In SQL Server, the Replication Snapshot Agent prepares snapshot files, stores them in a folder, and records synchronization jobs in the distribution database.
 author: "MashaMSFT"
 ms.author: "mathoma"
-ms.date: 09/25/2024
+ms.date: 05/30/2025
 ms.service: sql
 ms.subservice: replication
 ms.topic: reference
@@ -43,7 +43,7 @@ snapshot [ -?]
 [-DynamicFilterHostName dynamic_filter_host_name]  
 [-DynamicFilterLogin dynamic_filter_login]  
 [-DynamicSnapshotLocation dynamic_snapshot_location]   
-[-EncryptionLevel [0|1|2]]  
+[-EncryptionLevel [0|1|2|3|4]]  
 [-FieldDelimiter field_delimiter]  
 [-HistoryVerboseLevel [0|1|2|3] ]  
 [-HRBcpBlocks number_of_blocks ]  
@@ -120,14 +120,18 @@ snapshot [ -?]
  **-DynamicSnapshotLocation** _dynamic_snapshot_location_  
  Is the location where the dynamic snapshot should be generated.  
 
- **-EncryptionLevel** [ **0** | **1** | **2** ]  
+<a id="encryptionlevel"></a>
+
+ **-EncryptionLevel** [ **0** | **1** | **2** | **3** | **4**]  
  Is the level of Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), encryption used by the Snapshot Agent when making connections.  
 
-|EncryptionLevel value|Description|  
-|---------------------------|-----------------|  
-|**0**|Specifies that TLS is not used.|  
-|**1**|Specifies that TLS is used, but the agent does not verify that the TLS/SSL server certificate is signed by a trusted issuer.|  
-|**2**|Specifies that TLS is used, and that the certificate is verified.|  
+|EncryptionLevel value|Description|
+|---------------------------|-----------------|
+|`0`|Specifies that TLS is not used.|
+|`1`|Specifies that TLS 1.2 is used, but the agent does not verify that the TLS/SSL server certificate is signed by a trusted issuer.|
+|`2`|Specifies that TLS 1.2 is used, and that the certificate is verified.| 
+| `3` | Specifies that for connections from Azure SQL Managed Instance to Azure SQL Managed Instance, TLS 1.3 is used, and the certificate is verified. For connections between Azure SQL Managed Instance and SQL Server, TLS 1.3 is not enforced. |
+| `4` | Specifies that for connections from Azure SQL Managed Instance to Azure SQL Managed Instance, TLS 1.3 is used, and the certificate is verified. For connections from Azure SQL Managed Instance to SQL Server, TLS 1.3 is used, and the certificate is verified. Requires installing the certificate on SQL Server hosts. |
 
  > [!NOTE]  
  >  A valid TLS/SSL certificate is defined with a fully qualified domain name of the SQL Server. In order for the agent to connect successfully when setting -EncryptionLevel to 2, create an alias on the local SQL Server. The 'Alias Name' parameter should be the server name and the 'Server' parameter should be set to the fully qualified name of the SQL Server.

docs/relational-databases/replication/security/replication-security-best-practices.md

@@ -16,19 +16,21 @@ helpviewer_keywords:
   - "Internet [SQL Server replication], security"
 ---
 # Replication Security Best Practices
-[!INCLUDE [SQL Server](../../../includes/applies-to-version/sqlserver.md)]
+[!INCLUDE [SQL Server](../../../includes/applies-to-version/sql-asdbmi.md)]
   Replication moves data in distributed environments ranging from intranets on a single domain to applications that access data between untrusted domains and over the Internet. It is important to understand the best approach for securing replication connections under these different circumstances.  
 
  The following information is relevant to replication in all environments:  
 
 -   Encrypt the connections between computers in a replication topology using an industry standard method, such as Virtual Private Networks (VPN), Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), or IP Security (IPSEC). For more information, see [Enable Encrypted Connections to the Database Engine (SQL Server Configuration Manager)](../../../database-engine/configure-windows/configure-sql-server-encryption.md). For information about using VPN and TLS for replicating data over the Internet, see [Securing Replication Over the Internet](../../../relational-databases/replication/security/securing-replication-over-the-internet.md).  
 
-     If you use TLS to secure the connections between computers in a replication topology, specify a value of **1** or **2** for the **-EncryptionLevel** parameter of each replication agent (a value of **2** is recommended). A value of **1** specifies that encryption is used, but the agent does not verify that the TLS/SSL server certificate is signed by a trusted issuer; a value of **2** specifies that the certificate is verified. Agent parameters can be specified in agent profiles and on the command line. For more information, see:  
+     If you use TLS 1.2 to secure the connections between computers in a replication topology, specify a value of **1** or **2** for the **-EncryptionLevel** parameter of each replication agent (a value of **2** is recommended). A value of **1** specifies that encryption is used, but the agent does not verify that the TLS/SSL server certificate is signed by a trusted issuer; a value of **2** specifies that the certificate is verified. Azure SQL Managed Instance [supports TLS 1.3](/azure/azure-sql/managed-instance/replication-transactional-overview#tls-1-3-support) for connections between instances by specifying a value of **3** and connections to SQL Server from Azure SQL Managed Instance by specifying a value of **4**.  
+
+    For information about working with agents, see:  
+
+    -   [View and Modify Replication Agent Command Prompt Parameters (SQL Server Management Studio)](../../../relational-databases/replication/agents/view-and-modify-replication-agent-command-prompt-parameters.md) 
 
     -   [Work with Replication Agent Profiles](../../../relational-databases/replication/agents/work-with-replication-agent-profiles.md)  
 
-    -   [View and Modify Replication Agent Command Prompt Parameters (SQL Server Management Studio)](../../../relational-databases/replication/agents/view-and-modify-replication-agent-command-prompt-parameters.md)  
-  
     -   [Replication Agent Executables Concepts](../../../relational-databases/replication/concepts/replication-agent-executables-concepts.md)  
 
 -   Run each replication agent under a different Windows account, and use Windows Authentication for all replication agent connections. For more information about specifying accounts, see [Identity and access control for replication](../../../relational-databases/replication/security/identity-and-access-control-replication.md).