Merge pull request #177121 from ArchangelSDY/wps-service-tag

PMEds28 · web-flow · commit 1a6d1e47f89b · 2021-10-22T10:46:20.000+01:00
Add Azure Web PubSub service tag doc
diff --git a/articles/azure-web-pubsub/howto-secure-shared-private-endpoints.md b/articles/azure-web-pubsub/howto-secure-shared-private-endpoints.md
@@ -12,7 +12,7 @@ ms.author: dayshen
 
 # Secure Azure Web PubSub outbound traffic through Shared Private Endpoints
 
-If you're using [event handler](https://azure.github.io/azure-webpubsub/concepts/service-internals#event_handler) in Azure Web PubSub Service, you might have outbound traffic to upstream. Upstream such as
+If you're using [event handler](concept-service-internals.md#event_handler) in Azure Web PubSub Service, you might have outbound traffic to upstream. Upstream such as
 Azure Web App and Azure Functions, can be configured to accept connections from a list of virtual networks and refuse outside connections that originate from a public network. You can create an outbound [private endpoint connection](../private-link/private-endpoint-overview.md) to reach these endpoints.
 
    :::image type="content" alt-text="Shared private endpoint overview." source="media\howto-secure-shared-private-endpoints\shared-private-endpoint-overview.png" border="false" :::
@@ -43,7 +43,7 @@ The rest of the examples show how the _contoso-webpubsub_ service can be configu
 You can make the following API call with the [Azure CLI](/cli/azure/) to create a shared private link resource:
 
 ```dotnetcli
-az rest --method put --uri https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.SignalRService/webPubSub/contoso-webpubsub/sharedPrivateLinkResources/func-pe?api-version=2021-06-01-preview --body @create-pe.json
+az rest --method put --uri https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.SignalRService/webPubSub/contoso-webpubsub/sharedPrivateLinkResources/func-pe?api-version=2021-06-01-preview --body @create-pe.json --debug
 ```
 
 The contents of the *create-pe.json* file, which represent the request body to the API, are as follows:
diff --git a/articles/azure-web-pubsub/howto-service-tags.md b/articles/azure-web-pubsub/howto-service-tags.md
@@ -0,0 +1,42 @@
+---
+title: Use service tags
+titleSuffix: Azure Web PubSub service
+description: Use service tags to allow outbound traffic to your Azure Web PubSub Service
+author: ArchangelSDY
+
+ms.service: azure-web-pubsub
+ms.topic: article
+ms.date: 10/21/2021
+ms.author: dayshen
+---
+
+# Use service tags for Azure Web PubSub Service
+
+You can use [Service Tags](../virtual-network/network-security-groups-overview.md#service-tags) for Azure Web PubSub Service when configuring [Network Security Group](../virtual-network/network-security-groups-overview.md#network-security-groups). It allows you to define inbound/outbound network security rule for Azure Web PubSub Service endpoints without need to hardcode IP addresses.
+
+Azure Web PubSub Service manages these service tags. You can't create your own service tag or modify an existing one. Microsoft manages these address prefixes that match to the service tag and automatically updates the service tag as addresses change.
+
+> [!Note]
+> Starting from 15 August 2021, Azure Web PubSub Service supports bidirectional Service Tag for both inbound and outbound traffic.
+
+## Use service tag via Azure CLI
+
+### Configure outbound traffic
+
+You can allow outbound traffic to Azure Web PubSub Service by adding a new outbound network security rule:
+
+```azurecli-interactive
+az network nsg rule create -n <rule-name> --nsg-name <nsg-name> -g <resource-group> --priority 100 --direction Outbound --destination-address-prefixes AzureWebPubSub
+```
+
+### Configure inbound traffic
+
+If you're using [event handler](concept-service-internals.md#event_handler), you can also allow inbound traffic from Azure Web PubSub Service by adding a new inbound network security rule:
+
+```azurecli-interactive
+az network nsg rule create -n <rule-name> --nsg-name <nsg-name> -g <resource-group> --priority 100 --direction Inbound --source-address-prefixes AzureWebPubSub
+```
+
+## Next steps
+
+- [Network security groups: service tags](../virtual-network/network-security-groups-overview.md#security-rules)
diff --git a/articles/azure-web-pubsub/toc.yml b/articles/azure-web-pubsub/toc.yml
@@ -60,6 +60,8 @@
     items:
     - name: Protect the access key
       href: howto-secure-rotate-access-key.md
+    - name: Use Azure Service Tags
+      href: howto-service-tags.md
     - name: Use Azure private endpoints
       href: howto-secure-private-endpoints.md
     - name: Manage network access control
