Regional availability for DPS Private Links

kgremban · kgremban · commit 10a29d8446bf · 2023-02-27T10:20:05.000-08:00
diff --git a/articles/iot-dps/public-network-access.md b/articles/iot-dps/public-network-access.md
@@ -35,13 +35,13 @@ To turn on public network access:
 
 Note the following limitations when public network access is disabled:
 
-- The DPS instance is accessible only through [its VNET private endpoint using Azure private link](virtual-network-support.md).
+- The DPS instance is accessible only through [its VNET private endpoint using Azure Private Link](virtual-network-support.md).
 
 - You can no longer use the Azure portal to manage enrollments for the DPS instance. Instead you can manage enrollments using the Azure CLI, PowerShell, or service APIs from machines inside the virtual network(s) configured on the DPS instance. To learn more, see [Private endpoint limitations](virtual-network-support.md#private-endpoint-limitations).
 
 ## DPS endpoint, IP address, and ports after disabling public network access
 
-DPS is a multi-tenant Platform-as-a-Service (PaaS), where different customers share the same pool of compute, networking, and storage hardware resources. DPS's hostnames map to a public endpoint with a publicly routable IP address over the internet. Different customers share this DPS public endpoint, and IoT devices in wide-area networks and on-premises networks can all access it. 
+DPS is a multi-tenant Platform-as-a-Service (PaaS), where different customers share the same pool of compute, networking, and storage hardware resources. DPS's hostnames map to a public endpoint with a publicly routable IP address over the internet. Different customers share this DPS public endpoint, and IoT devices in wide-area networks and on-premises networks can all access it.
 
 Disabling public network access is enforced on a specific DPS resource, ensuring isolation. To keep the service active for other customer resources using the public path, its public endpoint remains resolvable, IP addresses discoverable, and ports remain open. This is not a cause for concern as Microsoft integrates multiple layers of security to ensure complete isolation between tenants. To learn more, see [Isolation in the Azure Public Cloud](../security/fundamentals/isolation-choices.md#tenant-level-isolation).
 
diff --git a/articles/iot-dps/virtual-network-support.md b/articles/iot-dps/virtual-network-support.md
@@ -1,41 +1,41 @@
 ---
- title: Azure IoT Device Provisioning Service (DPS) support for virtual networks
- description: How to use virtual networks connectivity pattern with Azure IoT Device Provisioning Service (DPS)
- services: iot-dps
- author: kgremban
- ms.service: iot-dps
- manager: lizross
- ms.topic: conceptual
- ms.date: 03/21/2022
- ms.author: kgremban
+title: Virtual network connections for DPS
+titleSuffix: Azure IoT Device Provisioning Service
+description: How to use the virtual networks connectivity pattern with Azure IoT Device Provisioning Service (DPS)
+services: iot-dps
+author: kgremban
+ms.service: iot-dps
+manager: lizross
+ms.topic: conceptual
+ms.date: 03/21/2022
+ms.author: kgremban
 ---
 
 # Azure IoT Hub Device Provisioning Service (DPS) support for virtual networks
 
-This article introduces the virtual network (VNET) connectivity pattern for IoT devices provisioning with IoT hubs using DPS. This pattern provides private connectivity between the devices, DPS, and the IoT hub inside a customer-owned Azure VNET. 
+This article introduces the virtual network (VNET) connectivity pattern for IoT devices provisioning with IoT hubs using DPS. This pattern provides private connectivity between the devices, DPS, and the IoT hub inside a customer-owned Azure VNET.
 
-In most scenarios where DPS is configured with a VNET, your IoT Hub will also be configured in the same VNET. For more specific information on VNET support and configuration for IoT Hubs, see, [IoT Hub virtual network support](../iot-hub/virtual-network-support.md).
+In most scenarios where DPS is configured with a VNET, your IoT Hub is also configured in the same VNET. For more specific information on VNET support and configuration for IoT Hubs, see, [IoT Hub virtual network support](../iot-hub/virtual-network-support.md).
 
 ## Introduction
 
-By default, DPS hostnames map to a public endpoint with a publicly routable IP address over the Internet. This public endpoint is visible to all customers. Access to the public endpoint can be attempted by IoT devices over wide-area networks and on-premises networks.
+By default, DPS hostnames map to a public endpoint with a publicly routable IP address over the Internet. This public endpoint is visible to all customers. IoT devices over wide-area networks and on-premises networks can try to access the public endpoint.
 
 For several reasons, customers may wish to restrict connectivity to Azure resources, like DPS. These reasons include:
 
 * Prevent connection exposure over the public Internet. Exposure can be reduced by introducing more layers of security via network level isolation for your IoT hub and DPS resources
 
-* Enabling a private connectivity experience from your on-premises network assets ensuring that your data and traffic 
-is transmitted directly to Azure backbone network.
+* Enabling a private connectivity experience from your on-premises network assets ensuring that your data and traffic is transmitted directly to Azure backbone network.
 
 * Preventing exfiltration attacks from sensitive on-premises networks.
 
 * Following established Azure-wide connectivity patterns using [private endpoints](../private-link/private-endpoint-overview.md).
 
-Common approaches to restricting connectivity include [DPS IP filter rules](./iot-dps-ip-filtering.md) and Virtual networking (VNET) with [private endpoints](../private-link/private-endpoint-overview.md). The goal of this article is to describe the VNET approach for DPS using private endpoints. 
+Common approaches to restricting connectivity include [DPS IP filter rules](./iot-dps-ip-filtering.md) and Virtual networking (VNET) with [private endpoints](../private-link/private-endpoint-overview.md). The goal of this article is to describe the VNET approach for DPS using private endpoints.
 
-Devices that operate in on-premises networks can use [Virtual Private Network (VPN)](../vpn-gateway/vpn-gateway-about-vpngateways.md) or [ExpressRoute](https://azure.microsoft.com/services/expressroute/) private peering to connect to a VNET in Azure and access DPS resources through private endpoints. 
+Devices that operate in on-premises networks can use [Virtual Private Network (VPN)](../vpn-gateway/vpn-gateway-about-vpngateways.md) or [ExpressRoute](https://azure.microsoft.com/services/expressroute/) private peering to connect to a VNET in Azure and access DPS resources through private endpoints.
 
-A private endpoint is a private IP address allocated inside a customer-owned VNET by which an Azure resource is accessible. By having a private endpoint for your DPS resource, you will be able to allow devices operating inside your VNET to request provisioning by your DPS resource without allowing traffic to the public endpoint. Each DPS resource can support multiple private endpoints, each of which may be located in a VNET in a different region.
+A private endpoint is a private IP address allocated inside a customer-owned VNET by which an Azure resource is accessible. By having a private endpoint for your DPS resource, you can allow devices operating inside your VNET to request provisioning by your DPS resource without allowing traffic to the public endpoint. Each DPS resource can support multiple private endpoints, each of which may be located in a VNET in a different region.
 
 ## Prerequisites
 
@@ -51,15 +51,17 @@ Before proceeding ensure that the following prerequisites are met:
 
 Note the following current limitations for DPS when using private endpoints:
 
-* Private endpoints will not work with DPS when the DPS resource and the linked Hub are in different clouds. For example, [Azure Government and global Azure](../azure-government/documentation-government-welcome.md).
+* Private endpoints don't work when the DPS resource and the linked IoT hub are in different clouds. For example, [Azure Government and global Azure](../azure-government/documentation-government-welcome.md).
 
-* Currently, [custom allocation policies with Azure Functions](concepts-custom-allocation.md) for DPS will not work when the Azure function is locked down to a VNET and private endpoints.
+* Private endpoints in DPS use Azure Private Link, which are only supported in public regions. For more information, see [Azure Private Link availability](../private-link/availability.md).
 
-* Current DPS VNET support is for data ingress into DPS only. Data egress, which is the traffic from DPS to IoT Hub, uses an internal service-to-service mechanism rather than a dedicated VNET. Support for full VNET-based egress lockdown between DPS and IoT Hub is not currently available.
+* Currently, [custom allocation policies with Azure Functions](concepts-custom-allocation.md) for DPS doesn't work when the Azure function is locked down to a VNET and private endpoints.
+
+* Current DPS VNET support is for data ingress into DPS only. Data egress, which is the traffic from DPS to IoT Hub, uses an internal service-to-service mechanism rather than a dedicated VNET. Support for full VNET-based egress lockdown between DPS and IoT Hub isn't currently available.
 
 * The lowest latency allocation policy is used to assign a device to the IoT hub with the lowest latency. This allocation policy is not reliable in a virtual network environment.
 
-* Enabling one or more private endpoints typically involves [disabling public access](public-network-access.md) to your DPS instance. This means that you can no longer use the Azure portal to manage enrollments. Instead you can manage enrollments using the Azure CLI, PowerShell, or service APIs from machines inside the VNET(s)/private endpoint(s) configured on the DPS instance.
+* Enabling one or more private endpoints typically involves [disabling public access](public-network-access.md) to your DPS instance. Once public access is disabled, you can no longer use the Azure portal to manage enrollments. Instead you can manage enrollments using the Azure CLI, PowerShell, or service APIs from machines inside the VNET(s)/private endpoint(s) configured on the DPS instance.
 
 * When using private endpoints, we recommend deploying DPS in one of the regions that support [Availability Zones](iot-dps-ha-dr.md). Otherwise, DPS instances with private endpoints enabled may see reduced availability in the event of outages.
 
@@ -72,47 +74,46 @@ Note the following current limitations for DPS when using private endpoints:
 
 To set up a private endpoint, follow these steps:
 
-1. In the [Azure portal](https://portal.azure.com/), open your DPS resource and click the **Networking** tab. Click **Private endpoint connections** and **+ Private endpoint**.
+1. In the [Azure portal](https://portal.azure.com/), open your DPS resource and select the **Networking** tab. Select **Private endpoint connections** and **+ Private endpoint**.
 
-    ![Add a new private endpoint for DPS](./media/virtual-network-support/networking-tab-add-private-endpoint.png)
+    ![Screenshot that shows adding a new private endpoint for DPS.](./media/virtual-network-support/networking-tab-add-private-endpoint.png)
 
-2. On the _Create a private endpoint_ Basics page, enter the information mentioned in the table below.
+2. On the _Create a private endpoint_ Basics page, enter the information mentioned in the following table.
 
-    ![Create private endpoints basics](./media/virtual-network-support/create-private-endpoint-basics.png)
+    ![Screenshot that shows the private endpoints basics page.](./media/virtual-network-support/create-private-endpoint-basics.png)
 
     | Field | Value |
     | :---- | :-----|
     | **Subscription** | Choose the desired Azure subscription to contain the private endpoint.  |
     | **Resource group** | Choose or create a resource group to contain the private endpoint |
     | **Name**       | Enter a name for your private endpoint |
-    | **Region**     | The region chosen must be the same as the region that contains the VNET, but it does not have to be the same as the DPS resource. |
+    | **Region**     | The region chosen must be the same as the region that contains the VNET, but it doesn't have to be the same as the DPS resource. |
 
-    Click **Next : Resource** to configure the resource that the private endpoint will point to.
+    Select **Next : Resource** to configure the resource that the private endpoint points to.
 
-3. On the _Create a private endpoint Resource_ page, enter the information mentioned in the table below.
+3. On the _Create a private endpoint Resource_ page, enter the information mentioned in the following table.
 
-    ![Create private endpoint resource](./media/virtual-network-support/create-private-endpoint-resource.png)
+    ![Screenshot that shows the private endpoint resource page.](./media/virtual-network-support/create-private-endpoint-resource.png)
 
     | Field | Value |
     | :---- | :-----|
-    | **Subscription**        | Choose the Azure subscription that contains the DPS resource that your private endpoint will point to.  |
+    | **Subscription**        | Choose the Azure subscription that contains the DPS resource that your private endpoint points to.  |
     | **Resource type**       | Choose **Microsoft.Devices/ProvisioningServices**. |
-    | **Resource**            | Select the DPS resource that the private endpoint will map to. |
+    | **Resource**            | Select the DPS resource that the private endpoint maps to. |
     | **Target sub-resource** | Select **iotDps**. |
 
     > [!TIP]
     > Information on the **Connect to an Azure resource by resource ID or alias** setting is provided in the [Request a private endpoint](#request-a-private-endpoint) section in this article.
 
-
-    Click **Next : Configuration** to configure the VNET for the private endpoint.
+    Select **Next : Configuration** to configure the VNET for the private endpoint.
 
 4. On the _Create a private endpoint Configuration_ page, choose your virtual network and subnet to create the private endpoint in.
 
-    Click **Next : Tags**, and optionally provide any tags for your resource.
+    Select **Next : Tags**, and optionally provide any tags for your resource.
 
-    ![Configure private endpoint](./media/virtual-network-support/create-private-endpoint-configuration.png)
+    ![Screenshot that shows the private endpoint configuration page.](./media/virtual-network-support/create-private-endpoint-configuration.png)
 
-5. Click **Review + create** and then **Create** to create your private endpoint resource.
+5. Select **Review + create** and then **Create** to create your private endpoint resource.
 
 ## Use private endpoints with devices
 
@@ -145,45 +146,41 @@ static const char* id_scope = "[ID Scope]";
     }
 ```
 
-
 ## Request a private endpoint
 
-You can request a private endpoint to a DPS instance by resource ID. In order to make this request, you need the resource owner to supply you with the resource ID. 
+You can request a private endpoint to a DPS instance by resource ID. In order to make this request, you need the resource owner to supply you with the resource ID.
 
 1. The resource ID is provided on to the properties tab for DPS resource as shown below.
 
-    ![DPS Properties tab](./media/virtual-network-support/dps-properties.png)
+    ![Screenshot that shows the DPS Properties tab.](./media/virtual-network-support/dps-properties.png)
 
     > [!CAUTION]
-    > Be aware that the resource ID does contain the subscription ID. 
+    > Be aware that the resource ID does contain the subscription ID.
 
-2. Once you have the resource ID, follow the steps above in [Set up a private endpoint](#set-up-a-private-endpoint) to step 3 on the _Create a private endpoint Resource_ page. Click **Connect to an Azure resource by resource ID or alias** and enter the information in the following table. 
+2. Once you have the resource ID, follow the steps above in [Set up a private endpoint](#set-up-a-private-endpoint) to step 3 on the _Create a private endpoint Resource_ page. Select **Connect to an Azure resource by resource ID or alias** and enter the information in the following table. 
 
     | Field | Value |
     | :---- | :-----|
     | **Resource ID or alias** | Enter the resource ID for the DPS resource. |
     | **Target sub-resource** | Enter **iotDps** |
     | **Request message** | Enter a request message for the DPS resource owner.<br>For example, <br>`Please approve this new private endpoint`<br>`for IoT devices in site 23 to access this DPS instance`  |
 
-    Click **Next : Configuration** to configure the VNET for the private endpoint.
+    Select **Next : Configuration** to configure the VNET for the private endpoint.
 
 3. On the _Create a private endpoint Configuration_ page, choose the virtual network and subnet to create the private endpoint in.
- 
-    Click **Next : Tags**, and optionally provide any tags for your resource.
 
-4. Click **Review + create** and then **Create** to create your private endpoint request.
+    Select **Next : Tags**, and optionally provide any tags for your resource.
 
-5. The DPS owner will see the private endpoint request in the **Private endpoint connections** list on DPS networking tab. On that page, the owner can **Approve** or **Reject** the private endpoint request as shown below.
+4. Select **Review + create** and then **Create** to create your private endpoint request.
 
-    ![DPS approval](./media/virtual-network-support/approve-dps-private-endpoint.png)
+5. The DPS owner sees the private endpoint request in the **Private endpoint connections** list on DPS networking tab. On that page, the owner can **Approve** or **Reject** the private endpoint request.
 
+    ![Screenshot that shows the private endpoint request approval.](./media/virtual-network-support/approve-dps-private-endpoint.png)
 
 ## Pricing private endpoints
 
 For pricing details, see [Azure Private Link pricing](https://azure.microsoft.com/pricing/details/private-link).
 
-
-
 ## Next steps
 
 Use the links below to learn more about DPS security features:
diff --git a/articles/private-link/availability.md b/articles/private-link/availability.md
@@ -82,6 +82,7 @@ The following tables list the Private Link services and the regions where they'r
 |Supported services  |Available regions | Other considerations | Status  |
 |:-------------------|:-----------------|:----------------|:--------|
 | Azure IoT Hub | All public regions    |  | GA   <br/> [Learn how to create a private endpoint for Azure IoT Hub.](../iot-hub/virtual-network-support.md) |
+| Azure IoT Device Provisioning Service | All public regions |  |  GA   <br/> [Learn how to create a private endpoint for Azure IoT Device Provisioning Service.](../iot-dps/virtual-network-support.md) | 
 |  Azure Digital Twins         | All public regions supported by Azure Digital Twins     |  | Preview <br/> [Learn how to create a private endpoint for Azure Digital Twins.](../api-management/private-endpoint.md)  |
 
 ### Management and Governance
