Commit 02e50b4

author
ecfan
committed
Draft updates
1 parent 7b5aa99 commit 02e50b4

1 file changed: +84 −14 lines changed

articles/logic-apps/enterprise-integration/create-integration-account.md

Lines changed: 84 additions & 14 deletions
@@ -9,7 +9,7 @@ ms.author: estfan
99
ms.reviewer: estfan, divyaswarnkar, azla
1010
ms.topic: how-to
1111
ms.custom: devx-track-azurecli
12-
ms.date: 01/10/2024
12+
ms.date: 06/31/2024
1313
---
1414

1515
# Create and manage integration accounts for B2B workflows in Azure Logic Apps with the Enterprise Integration Pack
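Review bot: `ms.date: 06/31/2024` at the 12+ line is not a valid date, since June has only 30 days; replace it with the actual date of this update (for example `06/30/2024` if that is when the change was made) so the metadata validates.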
@@ -47,25 +47,21 @@ If you're new to creating B2B enterprise integration workflows in Azure Logic Ap
4747

4848
* An Azure account and subscription. If you don't have an Azure subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). Make sure that you use the same Azure subscription for both your integration account and logic app resource.
4949

50-
* Whether you're working on a Consumption or Standard logic app workflow, your logic app resource must already exist before you can link your integration account.
50+
* Whether you're working on a Consumption or Standard logic app workflow, your logic app resource must already exist if you need to link your integration account.
5151

52-
* For Consumption logic app resources, this link is required before you can use the artifacts from your integration account with your workflow. Although you can create your artifacts without this link, the link is required when you're ready to use these artifacts.
52+
* For Consumption logic app resources, this link is required before you can use the artifacts from your integration account with your workflow. Although you can create your artifacts without this link, the link is required when you're ready to use these artifacts. To create an example Consumption logic app workflow, see [Quickstart: Create an example Consumption logic app workflow in multi-tenant Azure Logic Apps](../quickstart-create-example-consumption-workflow.md).
5353

54-
* For Standard logic app resources, this link is optional, based on your scenario:
54+
* For Standard logic app resources, this link might be required or optional, based on your scenario:
5555

56-
* If you have an integration account with the artifacts that you need or want to use, you can link the integration account to each Standard logic app resource where you want to use the artifacts.
56+
* If you have an integration account with the artifacts that you need or want to use, link the integration account to each Standard logic app resource where you want to use the artifacts.
5757

58-
* Some Azure-hosted integration account connectors, such as **AS2**, **EDIFACT**, and **X12**, let you create a connection to your integration account. If you're just using these connectors, you don't need the link.
58+
* Some Azure-hosted integration account connectors don't require the link and let you create a connection to your integration account. For example, such as **AS2**, **EDIFACT**, and **X12** don't require the link, but the **AS2 (v2)** connector requires the link.
5959

6060
* The built-in connectors named **Liquid** and **Flat File** let you select maps and schemas that you previously uploaded to your logic app resource or to a linked integration account.
6161

6262
If you don't have or need an integration account, you can use the upload option. Otherwise, you can use the linking option, which also means you don't have to upload maps and schemas to each logic app resource. Either way, you can use these artifacts across all child workflows within the *same logic app resource*.
6363

64-
* Basic knowledge about how to create logic app workflows. For more information, see the following documentation:
65-
66-
* [Quickstart: Create an example Consumption logic app workflow in multi-tenant Azure Logic Apps](../quickstart-create-example-consumption-workflow.md)
67-
68-
* [Create an example Standard logic app workflow in single-tenant Azure Logic Apps](../create-single-tenant-workflows-azure-portal.md)
64+
To create an example Standard logic app workflow, see [Create an example Standard logic app workflow in single-tenant Azure Logic Apps](../create-single-tenant-workflows-azure-portal.md).
6965

7066
## Create integration account
7167

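Review bot: the 58+ line reads "For example, such as **AS2**, **EDIFACT**, and **X12** don't require the link", which is ungrammatical ("For example" and "such as" are redundant) and repeats the preceding sentence's point that these connectors don't require the link. Suggest collapsing the two sentences: "Some Azure-hosted integration account connectors, such as **AS2**, **EDIFACT**, and **X12**, don't require the link and let you create a connection directly to your integration account. However, the **AS2 (v2)** connector requires the link." Also, the 64+ line replaces the removed "Basic knowledge about how to create logic app workflows" bullet with a bare sentence that follows the Standard sub-bullets; the rendered diff doesn't show its indentation, so please check that it renders under the Standard bullet (or as its own bullet) rather than as a stray top-level paragraph, and that the matching Consumption sentence added at 52+ sits at the same level.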
@@ -77,7 +73,7 @@ Your integration account uses an automatically created and enabled system-assign
7773

7874
| Tier | Description |
7975
|------|-------------|
80-
| **Premium** (preview) | **Note:** This capability is in preview and is subject to the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). <br><br>For scenarios with the following criteria: <br><br>- Store and use unlimited artifacts, such as partners, agreements, schemas, maps, certificates, and so on. <br><br>- Bring and use your own storage, which contains the relevant runtime states for specific B2B actions and EDI standards. For example, these states include the MIC number for AS2 actions and the control numbers for X12 actions, if configured on your agreements. <br><br>To access this storage, your integration account uses its system-assigned managed identity, which is automatically created and enabled for your integration account. <br><br>You can also apply more governance and policies to data, such as customer-managed ("Bring Your Own") keys for data encryption. To store these keys, you'll need a key vault. <br><br>- Set up and use a key vault to store private certificates or customer-managed keys. To access these keys, your Premium integration account uses its system-assigned managed identity, not an Azure Logic Apps shared service principal. <br><br>Pricing follows [Standard integration account pricing](https://azure.microsoft.com/pricing/details/logic-apps/). <br><br>**Note**: During preview, your Azure bill uses the same meter name and ID as a Standard integration account, but changes when the Premium level becomes generally available. <br><br>**Limitations and known issues**: <br><br>- Currently doesn't support virtual networks. <br><br>- If you use a key vault to store private certificates, your integration account's managed identity might not work. For now, use the linked logic app's managed identity instead. <br><br>- Currently doesn't support the [Azure CLI for Azure Logic Apps](/cli/azure/service-page/logic%20apps). |
76+
| **Premium** (preview) | **Note:** This capability is in preview and is subject to the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). <br><br>For scenarios with the following criteria: <br><br>- Store and use unlimited artifacts, such as partners, agreements, schemas, maps, certificates, and so on. <br><br>- Bring and use your own storage, which contains the relevant runtime states for specific B2B actions and EDI standards. For example, these states include the MIC number for AS2 actions and the control numbers for X12 actions, if configured on your agreements. <br><br>To access this storage, your integration account uses its system-assigned managed identity, which is automatically created and enabled for your integration account. <br><br>You can also apply more governance and policies to data, such as customer-managed ("Bring Your Own") keys for data encryption. To store these keys, you'll need a key vault. <br><br>- Set up and use a key vault to store private certificates or customer-managed keys. To access these keys, your Premium integration account uses its system-assigned managed identity, not an Azure Logic Apps shared service principal. <br><br>- Set up a private endpoint that creates a private connection between your Premium integration account and Azure services. <br><br>Pricing follows [Standard integration account pricing](https://azure.microsoft.com/pricing/details/logic-apps/). <br><br>**Note**: During preview, your Azure bill uses the same meter name and ID as a Standard integration account, but changes when the Premium level becomes generally available. <br><br>**Limitations and known issues**: <br><br>- Currently doesn't support virtual networks. <br><br>- If you use a key vault to store private certificates, your integration account's managed identity might not work. For now, use the linked logic app's managed identity instead. 
<br><br>- Currently doesn't support the [Azure CLI for Azure Logic Apps](/cli/azure/service-page/logic%20apps). |
8177
| **Standard** | For scenarios where you have more complex B2B relationships and increased numbers of entities that you must manage. <br><br>Supported by the Azure Logic Apps SLA. |
8278
| **Basic** | For scenarios where you want only message handling or to act as a small business partner that has a trading partner relationship with a larger business entity. <br><br>Supported by the Azure Logic Apps SLA. |
8379
| **Free** | For exploratory scenarios, not production scenarios. This tier has limits on region availability, throughput, and usage. For example, the Free tier is available only for public regions in Azure, for example, West US or Southeast Asia, but not for [Microsoft Azure operated by 21Vianet](/azure/china/overview-operations) or [Azure Government](../../azure-government/documentation-government-welcome.md). <br><br>**Note**: Not supported by the Azure Logic Apps SLA. |
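Review bot: the new 76+ row is split across two lines, with the break falling before `<br><br>- Currently doesn't support the [Azure CLI for Azure Logic Apps]`; a markdown table row must be a single line, so the last limitation would render outside the table. Rejoin the row onto one line as in the original 80- row. Also, the newly added bullet "Set up a private endpoint that creates a private connection between your Premium integration account and Azure services" shares the row with the limitation "Currently doesn't support virtual networks"; because a private endpoint is created inside a virtual network subnet (as the new section later in this commit describes), these two statements read as contradictory, so consider qualifying the limitation (for example, what exactly is unsupported) or removing it.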
@@ -111,7 +107,7 @@ For this task, you can use the Azure portal, [Azure CLI](/cli/azure/resource#az-
111107

112108
After deployment completes, Azure opens your integration account.
113109

114-
1. If you created a Premium integration account, make sure to [set up access to the associated Azure storage account](#set-up-access-storage-account).
110+
1. If you created a Premium integration account, make sure to [set up access to the associated Azure storage account](#set-up-access-storage-account). You can also create a private connection between your Premium integration account and Azure services by [setting up a private endpoint for your integration account](#set-up-private-endpoint).
115111

116112
### [Azure CLI](#tab/azure-cli)
117113

@@ -195,7 +191,81 @@ To read artifacts and write any state information, your Premium integration acco
195191

196192
For more information, see [Assign Azure role to system-assigned managed identity](../../role-based-access-control/role-assignments-portal-managed-identity.yml)
197193

198-
1. Next, link your integration account to your logic app resource.
194+
<a name="set-up-private-endpoint"></a>
195+
196+
## Set up private endpoint for Premium integration account
197+
198+
To create a private connection between your Premium integration account and Azure services, you can [set up a private endpoint for your integration account](#set-up-private-endpoint). A [private endpoint](../../private-link/private-endpoint-overview.md) is a network interface that uses a private IP address from your Azure virtual network. This way, traffic between your virtual network and Azure services stays on the Azure backbone network and never traverses the public internet. Private endpoints ensure a secure, private communication channel between your resources and Azure services by providing the following benefits:
199+
200+
- Eliminates exposure to the public internet and reducing the risks from attacks.
201+
202+
- Helps your organization meet data privacy and compliance requirements by keeping data within a controlled and secured environment.
203+
204+
- Reduces latency and improve workflow performance by keeping traffic within the Azure backbone network.
205+
206+
- Removes the need for complex network setups, such as virtual private networks or ExpressRoute.
207+
208+
- Saves on costs by reducing extra network infrastructure and avoiding data egress charges through public endpoints.
209+
210+
### Best practices for private endpoints
211+
212+
- Carefully plan your virtual network and subnet architecture to accommodate private endpoints. Make sure to properly segment and secure your subnets.
213+
214+
- Make sure that your domain name system settings are up-to-date and correctly configured to handle name resolution for private endpoints.
215+
216+
- Control traffic flow to and from your private endpoints and enforce strict security policies by using network security groups.
217+
218+
- Thoroughly test your integration account's connectivity and performance to make sure that everything works as expected with private endpoints before you deploy to production.
219+
220+
- Regularly monitor network traffic to and from your private endpoints. Audit and analyze traffic patterns by using tools such as Azure Monitor and Azure Security Center.
221+
222+
### Create and use a private endpoint
223+
224+
Before you start, make sure that you have an [Azure virtual network](../../virtual-network/quick-create-portal.md) defined with the appropriate subnets and network security groups to manage and secure traffic.
225+
226+
1. In the [Azure portal](https://portal.azure.com), in the search box, enter **private endpoint**,and then select **Private endpoints**.
227+
228+
1. On the **Private endpoints** page, select **Create**.
229+
230+
1. On the **Basics** tab, provide the following information:
231+
232+
| Property | Value |
233+
|----------|-------|
234+
| **Subscription** | <*Azure-subscription*> |
235+
| **Resource group** | <*Azure-resource-group*> |
236+
| **Name** | <*private-endpoint*> |
237+
| **Network interface name** | <*private-endpoint*>**-nic** |
238+
| **Region** | <*Azure-region*> |
239+
240+
1. On the **Resource** tab, provide the following information:
241+
242+
| Property | Value |
243+
|----------|-------|
244+
| **Connection method** | **Connect to an Azure resource in my directory** |
245+
| **Subscription** | <*Azure-subscription*> |
246+
| **Resource type** | **Microsoft.Logic/integrationAccounts** |
247+
| **Resource** | <*Premium-integration-account*> |
248+
| **Target sub-resource** | **integrationAccount** |
249+
250+
1. On the **Virtual Network** tab, specify the virual network and subnet where to you want to create the endpoint:
251+
252+
| Property | Value |
253+
|----------|-------|
254+
| **Virtual network** | <*virtual-network*> |
255+
| **Subnet** | <*subnet-for-endpoint*> |
256+
257+
Your virtual network uses a network interface attached to the private endpoint.
258+
259+
1. On the **DNS** tab, provide the following information to make sure your aps can resolve the private IP address for your integration account. You might have to set up a private DNS zone and link to your virtual network.
260+
261+
| Property | Value |
262+
|----------|-------|
263+
| **Subscription** | <*Azure-subscription*> |
264+
| **Resource group** | <*Azure-resource-group-for-private-DNS-zone*> |
265+
266+
1. When you're done, confirm all the provided information, and select **Create**.
267+
268+
1. After you confirm that Azure created the private endpoint, check your connectivity and test your setup to make sure that the resources in your virtual network can securely connect to the your integration account through the private endpoint.
199269

200270
<a name="link-account"></a>
201271

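Review bot: at 198+, the first sentence links to `#set-up-private-endpoint`, which is the anchor defined at 194+ for this very section, so the link points at itself; drop the link and just state the action ("you can set up a private endpoint for your integration account"). Several smaller fixes in the same hunk: 200+ "Eliminates exposure to the public internet and reducing the risks" → "reduces the risks"; 204+ "Reduces latency and improve" → "improves"; 214+ "domain name system settings" → "DNS settings"; 220+ Azure Security Center has since been renamed Microsoft Defender for Cloud; 226+ missing space in "**private endpoint**,and then"; 250+ "virual" → "virtual" and "where to you want" → "where you want"; 259+ "your aps" → "your apps"; 268+ "connect to the your integration account" → "connect to your integration account". Two content points: the 200+ benefit says the endpoint "Eliminates exposure to the public internet", but none of the steps at 226+ through 268+ disables public network access on the integration account, so either state whether the account remains reachable over its public endpoint after these steps or add the step that disables it, because readers will take the benefit as a guarantee; and the DNS table at 261+ lists only a subscription and resource group while the sentence above it says a private DNS zone may be needed, so name the zone setting the reader is expected to fill in (or say that the portal creates it).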