Merge pull request #178012 from IngridAtMicrosoft/privatelink2

denrea · web-flow · commit 19493b94c548 · 2021-11-01T15:15:59.000-07:00
Private Link Starting Over Again
diff --git a/.openpublishing.redirection.media-services.json b/.openpublishing.redirection.media-services.json
@@ -619,7 +619,12 @@
           "source_path_from_root": "/articles/media-services/video-indexer/index.yml",
           "redirect_url": "/azure/azure-video-analyzer/video-analyzer-for-media-docs",
           "redirect_document_id": false
-        },     
+        },
+        {
+            "source_path_from_root": "/articles/media-services/latest/security-private-link-how-to.md",
+            "redirect_url": "/azure/media-services/latest/security-private-link-arm-how-to",
+            "redirect_document_id": false
+          },     
         {
             "source_path_from_root": "/articles/media-services/latest/latest/questions-collection.md",
             "redirect_url": "/articles/media-services/latest/frequently-asked-questions.yml",
diff --git a/articles/media-services/latest/TOC.yml b/articles/media-services/latest/TOC.yml
@@ -371,9 +371,10 @@
           displayName: trusted storage, storage, access, storage access, security
       - name: Network security
         items:
-          - name: Create a Media Services and Storage account with a Private Link
-            href: security-private-link-how-to.md
-            displayName: security, private link, links, firewall, storage account, storage, private, links, secure
+          - name: Private endpoint connections
+            href: security-private-link-connect-private-endpoint-concept.md
+          - name: Private Link with Azure Media Services
+            href: security-private-link-concept.md
           - name: Key delivery IP allowlist
             href: drm-content-protection-key-delivery-ip-allow.md   
             displayName: DRM, AES, content key, allow list, IP, whitelist, access control, IP allow list, IP restriction, key delivery, license delivery, AES Key, AES-128, common encryption, security, secure, protect, encrypt                
@@ -621,8 +622,10 @@
           href: ../../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md
       - name: Network security
         items:
-        - name: How to use Private Link with a media and storage account
-          href: security-private-link-how-to.md
+        - name: Use a Private Link with a Streaming endpoint
+          href: security-private-link-streaming-endpoint-how-to.md
+        - name: How to use Private Link with and ARM template
+          href: security-private-link-arm-how-to.md
           displayName: security, private link, links, firewall, storage account, storage, private, links, secure
       - name: Secure streaming
         items:
diff --git a/articles/media-services/latest/security-private-link-arm-how-to.md b/articles/media-services/latest/security-private-link-arm-how-to.md
@@ -1,6 +1,6 @@
 ---
-title: Create a Media Services and Storage account with a private link
-titleSuffix: Media Services
+title: Create a Media Services and Storage account with a private link using an ARM template
+titleSuffix: Azure Media Services
 description: Create a Media Services account and Storage Account with Private Links to a VNet. The Azure Resource Manager (ARM) template also sets up DNS for both the Private Links. Finally the template creates a VM to allow the user to try out the Private Links.
 services: media-services
 author: IngridAtMicrosoft
@@ -11,7 +11,7 @@ ms.date: 04/15/2021
 ms.author: inhenkel
 ---
 
-# Create a Media Services and Storage account with a Private Link
+# Create a Media Services and Storage account with a Private Link using an ARM template
 
 [!INCLUDE [media services api v3 logo](./includes/v3-hr.md)]
 
diff --git a/articles/media-services/latest/security-private-link-concept.md b/articles/media-services/latest/security-private-link-concept.md
@@ -0,0 +1,76 @@
+---
+title: Overview of using private links with Azure Media Services
+description: This article gives an overview of using private links with Azure Media Services.
+services: media-services
+author: IngridAtMicrosoft
+manager: femila
+ms.service: media-services
+ms.topic: conceptual
+ms.date: 10/22/2021
+ms.author: inhenkel
+---
+
+# Overview of using Azure Private Link with Azure Media Services
+
+[!INCLUDE [media services api v3 logo](./includes/v3-hr.md)]
+
+This article gives an overview of using private links with Azure Media Services.
+
+## When to use Private Link with Media Services
+
+Private Link allows Media Services to be accessed from private networks. When used with the network access controls provided by Media Services, private links can enable Media Services to be used without exposing endpoints to the public internet.
+
+## Azure Private Endpoint and Azure Private Link
+
+An [Azure Private Endpoint](/private-link/private-endpoint-overview) is a network interface that uses a private IP address from your virtual network.  This network interface connects you privately and securely to a service via Azure Private Link.
+
+Media Services endpoints may be accessed from a virtual network using private endpoints. Private endpoints may also be accessed from peered virtual networks or other networks connected to the virtual network using Express Route or VPN.
+
+[Azure Private Links](/private-link/) allow access to Media Services private endpoints in your virtual network without exposing them to the public Internet. It routes traffic over the Microsoft backbone network.
+
+## Restricting access
+
+> [!Important]
+> Creating a private endpoint **DOES NOT** implicitly disable internet access to it.
+
+Internet access to the endpoints in the Media Services account can be restricted in one of two ways:
+
+- Restricting access to all resources within the Media Services account.
+- Restricting access separately for each resource by using the IP allowlist.
+
+## Media Services endpoints
+
+| Endpoint                    | Description                                                               | Supports private link | Internet access control |
+| --------------------------- | ------------------------------------------------------------------------- | --------------------- | ----------------------- |
+| Streaming Endpoint          | The origin server for streaming video and formats media into HLS and DASH | Yes                   | IP allowlist            |
+| Streaming Endpoint with CDN | Stream media to many viewers                                              | No                    | Managed by CDN          |
+| Key Delivery                | Provides media content keys and DRM licenses to media viewers             | Yes                   | IP allowlist            |
+| Live event                  | Ingests media content for live streaming                                  | Yes                   | IP allowlist            |
+
+> [!NOTE]
+> Media Services accounts created with API versions prior to 2020-05-01 also have an endpoint for the legacy RESTv2 API endpoint (pending deprecation).  This endpoint does not support private links.
+
+## Other Private Link enabled Azure services
+
+| Service                | Media Services integration                      | Private link documentation |
+| ---------------------- | ----------------------------------------------- | -------------------------- |
+| Azure Storage          | Used to store media                             | [Use private endpoints for Azure Storage](/storage/common/storage-private-endpoints) |
+| Azure Key Vault        | Used to store [customer managed keys](security-customer-managed-keys-portal-tutorial.md)             | [Configure Azure Key Vault networking settings](/key-vault/general/how-to-azure-key-vault-network-security) |
+| Azure Resource Manager | Provides access to Media Services APIs          | [Use REST API to create private link for managing Azure resources](/azure-resource-manager/management/create-private-link-access-rest) |
+| Event Grid             | Provides [notifications of Media Services events](./monitoring/job-state-events-cli-how-to.md) | [Configure private endpoints for Azure Event Grid topics or domains](/event-grid/configure-private-endpoints)  |
+
+## Private endpoints are created on the Media Services account
+
+Private Endpoints for Key Delivery, Streaming Endpoints, and Live Events are created on the Media Services account instead of being created individually.
+
+A private IP address is created for each Streaming Endpoint or Live Event in the Media Services account when a Media Services private endpoint resource is created. For example, if you have two started Streaming Endpoints, a single private endpoint should be created to connect both Streaming Endpoints to a virtual network. Resources can be connected to multiple virtual networks at the same time.
+
+Internet access to the Media Services account should be restricted, either for all the resources within the account or separately for each resource.
+
+## Private Link pricing
+For pricing details, see [Azure Private Link Pricing](https://azure.microsoft.com/pricing/details/private-link)
+
+## Private Link how-tos and FAQs
+
+- [Create a Media Services and Storage account with a Private Link using an Azure Resource Management template](security-private-link-arm-how-to.md)
+- [Create a Private Link for a Streaming Endpoint](security-private-link-streaming-endpoint-how-to.md)
diff --git a/articles/media-services/latest/security-private-link-connect-private-endpoint-concept.md b/articles/media-services/latest/security-private-link-connect-private-endpoint-concept.md
@@ -0,0 +1,78 @@
+---
+title: Private Endpoint connections overview
+description: This article is an overview of Private Endpoint connections with Media Services.
+services: media-services
+author: IngridAtMicrosoft
+manager: femila
+ms.service: media-services
+ms.topic: conceptual
+ms.date: 10/22/2021
+ms.author: inhenkel
+---
+
+# Private Endpoint connections overview
+
+[!INCLUDE [media services api v3 logo](./includes/v3-hr.md)]
+
+This article is an overview of Private Endpoint connections with Media Services.
+
+## Clients using VNet
+
+Clients on a VNet using the private endpoint should use the same DNS name to connect to Media Services as clients connecting to the public Media Services endpoints. Media Services relies upon DNS resolution to automatically route the connections from the VNet to the Media Services endpoints over a private link.
+
+> [!IMPORTANT]
+> Use the same DNS names to the Media Services endpoints when using private endpoints as you’d otherwise use. Please don't connect to the Media Services endpoints using its privatelink subdomain URL.
+
+Media Services creates a [private DNS zone](/dns/private-dns-overview) attached to the VNet with the necessary updates for the private endpoints, by default. However, if you're using your own DNS server, you may need to make additional changes to your DNS configuration. The section on DNS changes below describes the updates required for private endpoints.
+
+## DNS changes for private endpoints
+
+When you create a private endpoint, the **DNS CNAME** resource record for each of the Media Services endpoints is updated to an alias in a subdomain with the prefix `privatelink`. By default, we also create a private DNS zone, corresponding to the `privatelink` subdomain, with the DNS A resource records for the private endpoints.
+
+When you resolve a Media Services DNS name from outside the VNet with the private endpoint, it resolves to the public endpoint of the Media Services endpoint. When resolved from the VNet hosting the private endpoint, the Media Services URL resolves to the private endpoint's IP address.
+
+For example, the DNS resource records for a Streaming Endpoint in the Media Services `MediaAccountA`, when resolved from outside the VNet hosting the private endpoint, will be:
+
+| Name | Type | Value |
+| ---- | ---- | ----- |
+| mediaaccounta-uswe1.streaming.media.azure.net | CNAME | mediaaccounta-uswe1.streaming.privatelink.media.azure.net |
+|mediaaccounta-uswe1.streaming.privatelink.media.azure.net | CNAME | `<Streaming Endpoint public endpoint>` |
+| `<Streaming Endpoint public endpoint>` | CNAME | `<Streaming Endpoint internal endpoint>` |
+| `<Streaming Endpoint internal endpoint>` | A | `<Streaming Endpoint public IP address>` |
+
+You can deny or restrict public internet access to Media Services endpoints using IP allowlists, or by disabling public network access for all resources within the account.
+
+The DNS resource records for the example Streaming Endpoint in 'MediaAccountA', when resolved by a client in the VNet hosting the private endpoint, will be:
+
+| Name | Type | Value |
+| ---- | ---- | ----- |
+| mediaaccounta-uswe1.streaming.media.azure.net | CNAME | mediaaccounta-uswe1.streaming.privatelink.media.azure.net |
+|mediaaccounta-uswe1.streaming.privatelink.media.azure.net | A | `<Streaming Endpoint public endpoint>`, for example" 10.0.0.9 |
+
+This approach enables access to the Media Services endpoint using the same DNS name for clients within the VNet hosting the private endpoints. It does the same thing for clients outside the VNet.
+
+If you're using a custom DNS server on your network, clients must resolve the FQDN for the Media Services endpoint to the private endpoint IP address. Configure your DNS server to delegate your private link subdomain to the private DNS zone for the VNet, or configure the A records for `mediaaccounta-usw22.streaming.privatelink.media.azure.net` with the private endpoint IP address.
+
+> [!TIP]
+> When using a custom or on-premises DNS server, you should configure your DNS server to resolve the Media Services endpoint name in the privatelink subdomain to the private endpoint IP address. You can do this by delegating the privatelink subdomain to the private DNS zone of the VNet, or configuring the DNS zone on your DNS server and adding the DNS A records.
+
+The recommended DNS zone names for private endpoints for storage services, and the associated endpoint target subresources, are:
+
+| Media Services Endpoint | Private Link Group ID | DNS Zone Name |
+| ----------------------- | --------------------- | ------------- |
+| Streaming Endpoint | streamingendpoint | privatelink.media.azure.net |
+| Key Delivery | streamingendpoint | privatelink.media.azure.net |
+| Live Event | liveevent | privatelink.media.azure.net |
+
+For more information about configuring your own DNS server to support private endpoints, refer to the following articles:
+
+- [Name resolution for resources in Azure virtual networks](/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances#name-resolution-that-uses-your-own-dns-server)
+- [DNS configuration for private endpoints](/private-link/private-endpoint-overview#dns-configuration)
+
+## Public network access flag
+
+The `publicNetworkAccess` flag on the Media Services account can be used to allow or block access to Media Services endpoints from the public internet. When `publicNetworkAccess` is disabled, requests to any Media Services endpoint from the public internet are blocked; requests to private endpoints are still allowed.  
+
+## Service level IP allowlists
+
+When `publicNetworkAccess` is enabled, requests from the public internet are allowed, subject to service level IP allowlists. If `publicNetworkAccess` is disabled, requests from the public internet are blocked, regardless of the IP allowlist settings. IP allowlists only apply to requests from the public internet; requests to private endpoints are not filtered by the IP allowlists.
diff --git a/articles/media-services/latest/security-private-link-streaming-endpoint-how-to.md b/articles/media-services/latest/security-private-link-streaming-endpoint-how-to.md
