Merge pull request #197664 from MicrosoftDocs/main

Merge main to live, 4 AM

Author: ttorble

.openpublishing.redirection.defender-for-cloud.json

@@ -684,6 +684,16 @@
             "source_path_from_root": "/articles/defender-for-cloud/defender-for-kubernetes-azure-arc.md",
             "redirect_url": "/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc#protect-arc-enabled-kubernetes-clusters",
             "redirect_document_id": true
+        },
+        {
+            "source_path_from_root": "/articles/defender-for-cloud/defender-for-container-registries-cicd.md",
+            "redirect_url": "/azure/defender-for-cloud/defender-for-containers-cicd",
+            "redirect_document_id": true
+        },
+        {
+            "source_path_from_root": "/articles/defender-for-cloud/defender-for-container-registries-usage.md",
+            "redirect_url": "/azure/defender-for-cloud/defender-for-containers-usage",
+            "redirect_document_id": true
         }
       ]
 }

articles/active-directory/app-provisioning/provision-on-demand.md

@@ -30,7 +30,7 @@ Use on-demand provisioning to provision a user into an application in seconds. A
 1. Search for a user by first name, last name, display name, user principal name, or email address.
    > [!NOTE]
    > For Cloud HR provisioning app (Workday/SuccessFactors to AD/Azure AD), the input value is different. 
-   > For Workday scenario, please provide "WID" of the user in Workday. 
+   > For Workday scenario, please provide "WorkerID" or "WID" of the user in Workday. 
    > For SuccessFactors scenario, please provide "personIdExternal" of the user in SuccessFactors. 
  
 1. Select **Provision** at the bottom of the page.

articles/active-directory/saas-apps/workday-writeback-tutorial.md

@@ -147,6 +147,28 @@ Pods can experience disruption due to [various](https://kubernetes.io/docs/conce
 
 Consider using [Pod Disruption Budgets](https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#pod-disruption-budgets) to enforce a minimum number of pods to be available at any given time.
 
+## Security
+The self-hosted gateway is able to run as non-root in Kubernetes allowing customers to run the gateway securely.
+
+Here is an example of the security context for the self-hosted gateway:
+```yml
+securityContext:
+  allowPrivilegeEscalation: false
+  runAsNonRoot: true
+  runAsUser: 1001       # This is a built-in user, but you can use any user ie 1000 as well
+  runAsGroup: 2000      # This is just an example
+  privileged: false
+  capabilities:
+    drop:
+    - all
+```
+
+> [!WARNING]
+> Running the self-hosted gateway with read-only filesystem (`readOnlyRootFilesystem: true`) is not supported.
+
+> [!WARNING]
+> When using local CA certificates, the self-hosted gateway must run with user ID (UID) `1001` in order to manage the CA certificates otherwise the gateway will not start up.
+
 ## Next steps
 
 * To learn more about the self-hosted gateway, see [Self-hosted gateway overview](self-hosted-gateway-overview.md).

articles/api-management/how-to-self-hosted-gateway-on-kubernetes-in-production.md

@@ -39,6 +39,8 @@ Deploying self-hosted gateways into the same environments where the backend API
 
 The self-hosted gateway is a containerized, functionally equivalent version of the managed gateway deployed to Azure as part of every API Management service. The self-hosted gateway is available as a Linux-based Docker [container image](https://aka.ms/apim/sputnik/dhub) from the Microsoft Container Registry. It can be deployed to Docker, Kubernetes, or any other container orchestration solution running on a server cluster on premises, cloud infrastructure, or for evaluation and development purposes, on a personal computer. You can also deploy the self-hosted gateway as a cluster extension to an [Azure Arc-enabled Kubernetes cluster](./how-to-deploy-self-hosted-gateway-azure-arc.md).
 
+### Known limitations
+
 The following functionality found in the managed gateways is **not available** in the self-hosted gateways:
 
 - Sending resource logs (diagnostic logs) to Azure Monitor. However, you can [send metrics](how-to-configure-cloud-metrics-logs.md) to Azure Monitor, or [configure and persist logs locally](how-to-configure-local-metrics-logs.md) where the self-hosted gateway is deployed.

articles/api-management/self-hosted-gateway-overview.md

@@ -25,6 +25,7 @@ The new v2 SKU includes the following enhancements:
 - **Key Vault Integration**: Application Gateway v2 supports integration with Key Vault for server certificates that are attached to HTTPS enabled listeners. For more information, see [TLS termination with Key Vault certificates](key-vault-certs.md).
 - **Mutual Authentication (mTLS)**: Application Gateway v2 supports authentication of client requests. For more information, see [Overview of mutual authentication with Application Gateway](mutual-authentication-overview.md).
 - **Azure Kubernetes Service Ingress Controller**: The Application Gateway v2 Ingress Controller allows the Azure Application Gateway to be used as the ingress for an Azure Kubernetes Service (AKS) known as AKS Cluster. For more information, see [What is Application Gateway Ingress Controller?](ingress-controller-overview.md).
+- **Private link**: The v2 SKU offers private connectivity from other virtual networks in other regions and subscriptions through the use of private endpoints.
 - **Performance enhancements**: The v2 SKU offers up to 5X better TLS offload performance as compared to the Standard/WAF SKU.
 - **Faster deployment and update time** The v2 SKU provides faster deployment and update time as compared to Standard/WAF SKU. This also includes WAF configuration changes.
 
@@ -72,6 +73,7 @@ The following table compares the features available with each SKU.
 | URL-based routing                                 | ✓ | ✓ |
 | Multiple-site hosting                             | ✓ | ✓ |
 | Mutual Authentication (mTLS)                      |          | ✓ |
+| Private Link support                              |          | ✓ |
 | Traffic redirection                               | ✓ | ✓ |
 | Web Application Firewall (WAF)                    | ✓ | ✓ |
 | WAF custom rules                                  |          | ✓ |

articles/application-gateway/media/private-link/private-link.png

@@ -0,0 +1,194 @@
+---
+title: Configure Azure Application Gateway Private Link
+description: This article shows you how to configure Application Gateway Private Link.
+services: application-gateway
+author: greglin
+ms.service: application-gateway
+ms.topic: how-to
+ms.date: 05/09/2022
+ms.author: greglin
+
+---
+
+# Configure Azure Application Gateway Private Link
+
+Application Gateway Private Link allows you to connect your workloads over a private connection spanning across VNets and subscriptions. For more information, see [Application Gateway Private Link](private-link.md).
+
+:::image type="content" source="media/private-link/private-link.png" alt-text="Diagram showing Application Gateway Private Link":::
+
+
+## Configuration options
+
+Application Gateway Private Link can be configured via multiple options, such as, but not limited to, the Azure portal, Azure PowerShell, and Azure CLI.
+
+# [Azure portal](#tab/portal)
+
+**Define a subnet for Private Link Configuration**
+
+To enable Private Link Configuration, a subnet, different from the Application Gateway subnet, is required for the private link IP configuration. Private Link must use a subnet that doesn't contain any Application Gateways. Subnet sizing can be determined by the number of connections required for your deployment. Each IP address allocated to this subnet ensures 64-K concurrent TCP connections that can be established via Private Link at single point in time. Allocate more IP addresses to allow more connections via Private Link.  For example: `n * 64K`; where `n` is the number of IP addresses being provisioned.
+
+> [!Note]
+> The maximum number of IP addresses per private link configuration is eight. Only dynamic allocation is supported.
+
+The following steps can be completed to create a new subnet:
+
+[Add, change, or delete a virtual network subnet](../virtual-network/virtual-network-manage-subnet.md#add-a-subnet)
+
+**Configure Private Link**
+
+The Private link configuration defines the infrastructure used by Application Gateway to enable connections from Private Endpoints. To create the Private link configuration, complete the following steps:
+
+1. Go to the [Azure portal](https://portal.azure.com)
+1. Search for and select **Application Gateways**.
+1. Select the name of the application gateway you want to enable private link.
+1. Select **Private link**
+1. Configure the following items:
+
+   - **Name**: The name of the private link configuration.
+   - **Private link subnet**: The subnet IP addresses should be consumed from.
+   - **Frontend IP Configuration**: The frontend IP address that private link should forward traffic to on Application Gateway.
+   - **Private IP address settings**: specify at least one IP address
+1. Select **Add**.
+
+**Configure Private Endpoint**
+
+A private endpoint is a network interface that uses a private IP address from the virtual network containing clients wishing to connect to your gateway. Each of the clients will use the private IP address of the Private Endpoint to tunnel traffic to the Application Gateway. To create a private endpoint, complete the following steps:
+
+1. Select the **Private endpoint connections** tab.
+1. Select **Create**.
+1. On the **Basics** tab, configure a resource group, name, and region for the Private Endpoint.  Select **Next**.
+1. On the **Resource** tab, select **Next**.
+1. On the **Virtual Network** tab, configure a virtual network and subnet where the private endpoint network interface should be provisioned to. Configure whether the private endpoint should have a dynamic or static IP address.  Last, configure if you want a new private link zone to be created to automatically manage IP addressing.  Select **Next**.
+1. On the **Tags** tab, optionally configure resource tags. Select **Next**.
+1. Select **Create**.
+
+> [!Note]
+> If the public or private IP configuration resource is missing when trying to select a _Target sub-resource_ on the _Resource_ tab of private endpoint creation, please ensure a listener is actively utilizing the respected frontend IP configuration. Frontend IP configurations without an associated listener will not be shown as a _Target sub-resource_.
+
+# [Azure PowerShell](#tab/powershell)
+
+To configure Private link on an existing Application Gateway via Azure PowerShell, the following commands can be referenced:
+
+```azurepowershell
+# Disable Private Link Service Network Policies
+# https://docs.microsoft.com/azure/private-link/disable-private-endpoint-network-policy
+$net =@{
+    Name = 'AppGW-PL-PSH'
+    ResourceGroupName = 'AppGW-PL-PSH-RG'
+}
+$vnet = Get-AzVirtualNetwork @net
+
+($vnet | Select -ExpandProperty subnets | Where-Object {$_.Name -eq 'AppGW-PL-Subnet'}).PrivateLinkServiceNetworkPolicies = "Disabled"
+
+$vnet | Set-AzVirtualNetwork
+
+# Get Application Gateway Frontend IP Name
+$agw = Get-AzApplicationGateway -Name AppGW-PL-PSH -ResourceGroupName AppGW-PL-PSH-RG
+# List the names
+$agw.FrontendIPConfigurations | Select Name
+
+# Add a new Private Link configuration and associate it with an existing Frontend IP
+$PrivateLinkIpConfiguration = New-AzApplicationGatewayPrivateLinkIpConfiguration `
+                            -Name "ipConfig01" `
+                            -Subnet ($vnet | Select -ExpandProperty subnets | Where-Object {$_.Name -eq 'AppGW-PL-Subnet'}) `
+                            -Primary
+
+# Add the Private Link configuration to the gateway configuration
+Add-AzApplicationGatewayPrivateLinkConfiguration `
+                            -ApplicationGateway $agw `
+                            -Name "privateLinkConfig01" `
+                            -IpConfiguration $PrivateLinkIpConfiguration
+
+# Associate private link configuration to Frontend IP
+$agwPip = ($agw | Select -ExpandProperty FrontendIpConfigurations| Where-Object {$_.Name -eq 'appGwPublicFrontendIp'}).PublicIPAddress.Id
+$privateLinkConfiguration = ($agw | Select -ExpandProperty PrivateLinkConfigurations | Where-Object {$_.Name -eq 'privateLinkConfig01'}).Id
+Set-AzApplicationGatewayFrontendIPConfig -ApplicationGateway $agw -Name "appGwPublicFrontendIp" -PublicIPAddressId $agwPip -PrivateLinkConfigurationId $privateLinkConfiguration
+
+# Apply the change to the gateway
+Set-AzApplicationGateway -ApplicationGateway $agw
+
+# Disable Private Endpoint Network Policies
+# https://docs.microsoft.com/azure/private-link/disable-private-endpoint-network-policy
+$net =@{
+    Name = 'AppGW-PL-Endpoint-PSH-VNET'
+    ResourceGroupName = 'AppGW-PL-Endpoint-PSH-RG'
+}
+$vnet_plendpoint = Get-AzVirtualNetwork @net
+
+($vnet_plendpoint | Select -ExpandProperty subnets | Where-Object {$_.Name -eq 'MySubnet'}).PrivateEndpointNetworkPolicies = "Disabled"
+
+$vnet_plendpoint | Set-AzVirtualNetwork
+
+# Create Private Link Endpoint - Group ID is the same as the frontend IP configuration
+$privateEndpointConnection = New-AzPrivateLinkServiceConnection -Name "AppGW-PL-Connection" -PrivateLinkServiceId $agw.Id -GroupID "appGwPublicFrontendIp"
+
+## Create private endpoint
+New-AzPrivateEndpoint -Name "AppGWPrivateEndpoint" -ResourceGroupName $vnet_plendpoint.ResourceGroupName -Location $vnet_plendpoint.Location -Subnet ($vnet_plendpoint | Select -ExpandProperty subnets | Where-Object {$_.Name -eq 'MySubnet'}) -PrivateLinkServiceConnection $privateEndpointConnection
+```
+A list of all Azure PowerShell references for Private Link Configuration on Application Gateway can be found here:
+- [Get-AzApplicationGatewayPrivateLinkConfiguration](/powershell/module/az.network/get-azapplicationgatewayprivatelinkconfiguration)
+- [New-AzApplicationGatewayPrivateLinkConfiguration](/powershell/module/az.network/new-azapplicationgatewayprivatelinkconfiguration)
+- [New-AzApplicationGatewayPrivateLinkIpConfiguration](/powershell/module/az.network/new-azapplicationgatewayprivatelinkipconfiguration)
+- [Add-AzApplicationGatewayPrivateLinkConfiguration](/powershell/module/az.network/add-azapplicationgatewayprivatelinkconfiguration)
+- [Remove-AzApplicationGatewayPrivateLinkConfiguration](/powershell/module/az.network/remove-azapplicationgatewayprivatelinkconfiguration)
+- [Set-AzApplicationGatewayPrivateLinkConfiguration](/powershell/module/az.network/set-azapplicationgatewayprivatelinkconfiguration)
+
+# [Azure CLI](#tab/cli)
+
+To configure Private link on an existing Application Gateway via Azure CLI, the following commands can be referenced:
+
+```azurecli
+# Disable Private Link Service Network Policies
+# https://docs.microsoft.com/en-us/azure/private-link/disable-private-endpoint-network-policy
+az network vnet subnet update \
+				--name AppGW-PL-Subnet \
+				--vnet-name AppGW-PL-CLI-VNET \
+				--resource-group AppGW-PL-CLI-RG \
+				--disable-private-link-service-network-policies true
+
+# Get Application Gateway Frontend IP Name
+az network application-gateway frontend-ip list \
+							--gateway-name AppGW-PL-CLI \
+							--resource-group AppGW-PL-CLI-RG
+
+# Add a new Private Link configuration and associate it with an existing Frontend IP
+az network application-gateway private-link add \
+							--frontend-ip appGwPublicFrontendIp \
+							--name privateLinkConfig01 \
+							--subnet /subscriptions/XXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX/resourceGroups/AppGW-PL-CLI-RG/providers/Microsoft.Network/virtualNetworks/AppGW-PL-CLI-VNET/subnets/AppGW-PL-Subnet \
+							--gateway-name AppGW-PL-CLI \
+							--resource-group AppGW-PL-CLI-RG
+
+# Get Private Link resource ID
+az network application-gateway private-link list \
+				--gateway-name AppGW-PL-CLI \
+				--resource-group AppGW-PL-CLI-RG
+
+
+
+# Disable Private Endpoint Network Policies
+# https://docs.microsoft.com/en-us/azure/private-link/disable-private-endpoint-network-policy
+az network vnet subnet update \
+				--name MySubnet \
+				--vnet-name AppGW-PL-Endpoint-CLI-VNET \
+				--resource-group AppGW-PL-Endpoint-CLI-RG \
+				--disable-private-endpoint-network-policies true
+
+# Create Private Link Endpoint - Group ID is the same as the frontend IP configuration
+az network private-endpoint create \
+	--name AppGWPrivateEndpoint \
+	--resource-group AppGW-PL-Endpoint-CLI-RG \
+	--vnet-name AppGW-PL-Endpoint-CLI-VNET \
+	--subnet MySubnet \
+	--group-id appGwPublicFrontendIp \
+	--private-connection-resource-id /subscriptions/XXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX/resourceGroups/AppGW-PL-CLI-RG/providers/Microsoft.Network/applicationGateways/AppGW-PL-CLI \
+	--connection-name AppGW-PL-Connection
+```
+
+A list of all Azure CLI references for Private Link Configuration on Application Gateway can be found here: [Azure CLI CLI - Private Link](/cli/azure/network/application-gateway/private-link)
+
+---
+
+## Next steps
+
+- Learn about Azure Private Link: [What is Azure Private Link?](../private-link/private-link-overview.md)