Merge pull request #114528 from mrcarter8/master

Updated for Private Endpoint GA and IP Whitelisting

Author: denrea

articles/search/TOC.yml

@@ -315,6 +315,8 @@
       href: search-security-overview.md
     - name: Create a private endpoint
       href: service-create-private-endpoint.md
+    - name: Configure an IP firewall
+      href: service-configure-firewall.md
     - name: Service key management
       href: search-security-api-keys.md
     - name: Role-based admin access

articles/search/media/service-configure-firewall/azure-portal-firewall.png

@@ -0,0 +1,58 @@
+---
+title: Configure an IP firewall for your Azure Cognitive Search service
+titleSuffix: Azure Cognitive Search
+description: Configure IP control policies to restrict access to your Azure Cognitive Search service.
+
+manager: nitinme
+author: mrcarter8
+ms.author: mcarter
+ms.service: cognitive-search
+ms.topic: conceptual
+ms.date: 05/11/2020
+---
+
+# Configure IP firewall for Azure Cognitive Search
+
+Azure Cognitive Search supports IP rules for inbound firewall support. This model provides an additional layer of security for your search service similar to the IP rules you'll find in an Azure virtual network security group. With these IP rules, you can configure your search service to be accessible only from an approved set of machines and/or cloud services. Access to data stored in your search service from these approved sets of machines and services will still require the caller to present a valid authorization token.
+
+> [!Important]
+> IP rules on your Azure Cognitive Search service can be configured using the Azure portal or the [Management REST API version 2020-03-13](https://docs.microsoft.com/rest/api/searchmanagement/).
+
+## <a id="configure-ip-policy"></a> Configure an IP firewall using the Azure portal
+
+To set the IP access control policy in the Azure portal, go to your Azure Cognitive Search service page and select **Networking** on the navigation menu. Endpoint networking connectivity must be **Public**. If your connectivity is set to **Private**, you can only access your search service via a Private Endpoint.
+
+![Screenshot showing how to configure the IP firewall in the Azure portal](./media/service-configure-firewall/azure-portal-firewall.png)
+
+The Azure portal provides the ability to specify IP addresses and IP address ranges in the CIDR format. An example of CIDR notation is 8.8.8.0/24, which represents the IPs that range from 8.8.8.0 to 8.8.8.255.
+
+> [!NOTE]
+> After you enable the IP access control policy for your Azure Cognitive Search service, all requests to the data plane from machines outside the allowed list of IP address ranges are rejected. When IP rules are configured, some features of the Azure portal are disabled. You'll be able to view and manage service level information, but portal access to index data and the various components in the service, such as the index, indexer, and skillset definitions, is restricted for security reasons.
+
+### Requests from your current IP
+
+To simplify development, the Azure portal helps you identify and add the IP of your client machine to the allowed list. Apps running on your machine can then access your Azure Cognitive Search service.
+
+The portal automatically detects your client IP address. It might be the client IP address of your machine or network gateway. Make sure to remove this IP address before you take your workload to production.
+
+To add your current IP to the list of IPs, check **Add your client IP address**. Then select **Save**.
+
+![Screenshot showing a how to configure IP firewall settings to allow the current IP](./media/service-configure-firewall/enable-current-ip.png)
+
+## <a id="troubleshoot-ip-firewall"></a>Troubleshoot issues with an IP access control policy
+
+You can troubleshoot issues with an IP access control policy by using the following options:
+
+### Azure portal
+
+Enabling an IP access control policy for your Azure Cognitive Search service blocks all requests from machines outside the allowed list of IP address ranges, including the Azure portal.  You'll be able to view and manage service level information, but portal access to index data and the various components in the service, such as the index, indexer, and skillset definitions, is restricted for security reasons. 
+
+### SDKs
+
+When you access Azure Cognitive Search service using the SDK from machines that are not in the allowed list, a generic **403 Forbidden** response is returned with no additional details. Verify the allowed IP list for your account, and make sure that the correct configuration updated for your search service.
+
+## Next steps
+
+For more information on accessing your search service via Private Link, see the following article:
+
+* [Create a Private Endpoint for a secure connection to Azure Cognitive Search](service-create-private-endpoint.md)

articles/search/media/service-configure-firewall/enable-current-ip.png

@@ -8,20 +8,17 @@ author: mrcarter8
 ms.author: mcarter
 ms.service: cognitive-search
 ms.topic: conceptual
-ms.date: 01/13/2020
+ms.date: 05/11/2020
 ---
 
-# Create a Private Endpoint for a secure connection to Azure Cognitive Search (Preview)
+# Create a Private Endpoint for a secure connection to Azure Cognitive Search
 
-In this article, use the portal to create a new Azure Cognitive Search service instance that can't be accessed via a public IP address. Next, configure an Azure virtual machine in the same virtual network, and use it to access the search service via a private endpoint.
+In this article, you'll use the Azure portal to create a new Azure Cognitive Search service instance that can't be accessed via the internet. Next, you'll configure an Azure virtual machine in the same virtual network and use it to access the search service via a private endpoint.
 
 > [!Important]
-> Private Endpoint support for Azure Cognitive Search is available [upon request](https://aka.ms/SearchPrivateLinkRequestAccess) as a limited-access preview. Preview features are provided without a service level agreement, and are not recommended for production workloads. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). 
->
-> Once you are granted access to the preview, you'll be able to configure Private Endpoints for your service using the Azure portal or the [Management REST API version 2019-10-06-Preview](https://docs.microsoft.com/rest/api/searchmanagement/).
->   
+> Private Endpoint support for Azure Cognitive Search can be configured using the Azure portal or the [Management REST API version 2020-03-13](https://docs.microsoft.com/rest/api/searchmanagement/). When the service endpoint is private, some portal features are disabled. You'll be able to view and manage service level information, but portal access to index data and the various components in the service, such as the index, indexer, and skillset definitions, is restricted for security reasons.
 
-## Why use Private Endpoint for secure access?
+## Why use a Private Endpoint for secure access?
 
 [Private Endpoints](../private-link/private-endpoint-overview.md) for Azure Cognitive Search allow a client on a virtual network to securely access data in a search index over a [Private Link](../private-link/private-link-overview.md). The private endpoint uses an IP address from the [virtual network address space](../virtual-network/virtual-network-ip-addresses-overview-arm.md#private-ip-addresses) for your search service. Network traffic between the client and the search service traverses over the virtual network and a private link on the Microsoft backbone network, eliminating exposure from the public internet. For a list of other PaaS services that support Private Link, check the [availability section](../private-link/private-link-overview.md#availability) in the product documentation.
 
@@ -31,20 +28,6 @@ Private endpoints for your search service enables you to:
 - Increase security for the virtual network, by enabling you to block exfiltration of data from the virtual network.
 - Securely connect to your search service from on-premises networks that connect to the virtual network using [VPN](../vpn-gateway/vpn-gateway-about-vpngateways.md) or [ExpressRoutes](../expressroute/expressroute-locations.md) with private-peering.
 
-> [!NOTE]
-> There are currently some limitations in the preview that you should be aware of:
-> * Available only for search services on the **Basic** tier. 
-> * Available in the West US 2, West Central US, East US, South Central US, Australia East, and Australia Southeast regions.
-> * When the service endpoint is private, some portal features are disabled. You'll be able to view and manage service level information, but portal access to index data and the various components in the service, such as the index, indexer, and skillset definitions, is restricted for security reasons.
-> * When the service endpoint is private, you must use the [Search REST API](https://docs.microsoft.com/rest/api/searchservice/) to upload documents to the index.
-> * You must use the following link to see the private endpoint support option in the Azure portal: https://portal.azure.com/?feature.enablePrivateEndpoints=true
-
-
-
-## Request access 
-
-Click [request access](https://aka.ms/SearchPrivateLinkRequestAccess) to sign up for this preview feature. The form requests information about you, your company, and  general network topology. Once we review your request, you'll receive a confirmation email with additional instructions.
-
 ## Create the virtual network
 
 In this section, you will create a virtual network and subnet to host the VM that will be used to access your search service's private endpoint.
@@ -55,17 +38,13 @@ In this section, you will create a virtual network and subnet to host the VM tha
 
     | Setting | Value |
     | ------- | ----- |
-    | Name | Enter *MyVirtualNetwork* |
-    | Address space | Enter *10.1.0.0/16* |
     | Subscription | Select your subscription|
     | Resource group | Select **Create new**, enter *myResourceGroup*, then select **OK** |
-    | Location | Select **West US** or whatever region you are using|
-    | Subnet - Name | Enter *mySubnet* |
-    | Subnet - Address range | Enter *10.1.0.0/24* |
+    | Name | Enter *MyVirtualNetwork* |
+    | Region | Select your desired region |
     |||
 
-1. Leave the rest as default and select **Create**.
-
+1. Leave the defaults for the rest of the settings. Click **Review + create** and then **Create**
 
 ## Create a search service with a private endpoint
 
@@ -82,8 +61,8 @@ In this section, you will create a new Azure Cognitive Search service with a Pri
     | Resource group | Select **myResourceGroup**. You created this in the previous section.|
     | **INSTANCE DETAILS** |  |
     | URL | Enter a unique name. |
-    | Location | Select the region that you specified when requesting access to this preview feature. |
-    | Pricing tier | Select **Change Pricing Tier** and choose **Basic**. This tier is required for the preview. |
+    | Location | Select your desired region. |
+    | Pricing tier | Select **Change Pricing Tier** and choose your desired service tier. (Not support on **Free** tier. Must be **Basic** or higher.) |
     |||
 
 1. Select **Next: Scale**.
@@ -202,7 +181,7 @@ Download and then connect to the VM *myVm* as follows:
 
 In this section, you will verify private network access to the search service and connect privately to the using the Private Endpoint.
 
-Recall from the introduction that all interactions with the search service require the [Search REST API](https://docs.microsoft.com/rest/api/searchservice/). The portal and .NET SDK are not supported in this preview.
+When the search service endpoint is private, some portal features are disabled. You'll be able to view and manage service level settings, but portal access to index data and various other components in the service, such as the index, indexer, and skillset definitions, is restricted for security reasons.
 
 1. In the Remote Desktop of *myVM*, open PowerShell.