MicrosoftDocs
diff --git a/‎articles/active-directory/develop/multi-service-web-app-access-storage.md
Lines changed: 16 additions & 14 deletions b/‎articles/active-directory/develop/multi-service-web-app-access-storage.md
Lines changed: 16 additions & 14 deletions
diff --git a/‎articles/api-management/api-management-features.md
Lines changed: 3 additions & 2 deletions b/‎articles/api-management/api-management-features.md
Lines changed: 3 additions & 2 deletions
diff --git a/‎articles/api-management/api-management-gateways-overview.md
Lines changed: 1 addition & 1 deletion b/‎articles/api-management/api-management-gateways-overview.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/api-management/media/private-endpoint/add-endpoint-from-instance.png
51.5 KB b/‎articles/api-management/media/private-endpoint/add-endpoint-from-instance.png
51.5 KB
diff --git a/‎articles/api-management/private-endpoint.md
Lines changed: 35 additions & 32 deletions b/‎articles/api-management/private-endpoint.md
Lines changed: 35 additions & 32 deletions
@@ -7,7 +7,7 @@ manager: CelesteDG
 ms.service: app-service
 ms.topic: tutorial
 ms.workload: identity
-ms.date: 04/25/2021
+ms.date: 03/24/2023
 ms.author: ryanwi
 ms.reviewer: stsoneff
 ms.devlang: csharp, javascript
@@ -64,7 +64,7 @@ To create a general-purpose v2 storage account in the Azure portal, follow these
 
 1. On the Azure portal menu, select **All services**. In the list of resources, enter **Storage Accounts**. As you begin typing, the list filters based on your input. Select **Storage Accounts**.
 
-1. In the **Storage Accounts** window that appears, select **Add**.
+1. In the **Storage Accounts** window that appears, select **Create**.
 
 1. Select the subscription in which to create the storage account.
 
@@ -74,33 +74,27 @@ To create a general-purpose v2 storage account in the Azure portal, follow these
 
 1. Select a location for your storage account, or use the default location.
 
-1. Leave these fields set to their default values:
+1. For **Performance**, select the **Standard** option.
 
-    |Field|Value|
-    |--|--|
-    |Deployment model|Resource Manager|
-    |Performance|Standard|
-    |Account kind|StorageV2 (general-purpose v2)|
-    |Replication|Read-access geo-redundant storage (RA-GRS)|
-    |Access tier|Hot|
+1. For **Redundancy**, select the **Locally-redundant storage (LRS)** option from the dropdown.
 
-1. Select **Review + Create** to review your storage account settings and create the account.
+1. Select **Review** to review your storage account settings and create the account.
 
 1. Select **Create**.
 
 To create a Blob Storage container in Azure Storage, follow these steps.
 
 1. Go to your new storage account in the Azure portal.
 
-1. In the left menu for the storage account, scroll to the **Blob service** section, and then select **Containers**.
+1. In the left menu for the storage account, scroll to the **Data storage** section, and then select **Containers**.
 
 1. Select the **+ Container** button.
 
 1. Type a name for your new container. The container name must be lowercase, must start with a letter or number, and can include only letters, numbers, and the dash (-) character.
 
 1. Set the level of public access to the container. The default level is **Private (no anonymous access)**.
 
-1. Select **OK** to create the container.
+1. Select **Create** to create the container.
 
 # [PowerShell](#tab/azure-powershell)
 
@@ -172,7 +166,15 @@ You need to grant your web app access to the storage account before you can crea
 
 In the [Azure portal](https://portal.azure.com), go into your storage account to grant your web app access. Select **Access control (IAM)** in the left pane, and then select **Role assignments**. You'll see a list of who has access to the storage account. Now you want to add a role assignment to a robot, the app service that needs access to the storage account. Select **Add** > **Add role assignment** to open the **Add role assignment** page.
 
-Assign the **Storage Blob Data Contributor** role to the **App Service** at subscription scope.  For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
+1. In the **Assignment type** tab, select **Job function type** and then **Next**.  
+
+1. In the **Role** tab, select **Storage Blob Data Contributor** role from the dropdown and then select **Next**.  
+
+1. In the **Members** tab, select **Assign access to** -> **Managed identity** and then select **Members** -> **Select members**.  In the **Select managed identities** window, find and select the managed identity created for your App Service in the **Managed identity** dropdown.  Select the **Select** button.  
+
+1. Select **Review and assign** and then select **Review and assign** once more.  
+ 
+For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
 
 Your web app now has access to your storage account.
 
 
@@ -7,7 +7,7 @@ author: dlepow
 
 ms.service: api-management
 ms.topic: article
-ms.date: 02/07/2022
+ms.date: 02/06/2023
 ms.author: danlep
 ---
 
@@ -22,6 +22,7 @@ Each API Management [pricing tier](https://aka.ms/apimpricing) offers a distinct
 | -------------------------------------------------------------------------------------------- | ----------- | --------- | ----- | -------- | ------- |
 | Azure AD integration<sup>1</sup>                                                             | No          | Yes       | No    | Yes      | Yes     |
 | Virtual Network (VNet) support                                                               | No          | Yes       | No    | No       | Yes     |
+| Private endpoint support for inbound connections                                                               | No          | Yes       | Yes    | Yes       | Yes     |
 | Multi-region deployment                                                                      | No          | No        | No    | No       | Yes     |
 | Availability zones                                                                           | No          | No        | No    | No       | Yes     |
 | Multiple custom domain names                                                                 | No          | Yes        | No    | No       | Yes     |
@@ -45,5 +46,5 @@ Each API Management [pricing tier](https://aka.ms/apimpricing) offers a distinct
 <sup>1</sup> Enables the use of Azure AD (and Azure AD B2C) as an identity provider for user sign in on the developer portal.<br/>
 <sup>2</sup> Including related functionality such as users, groups, issues, applications, and email templates and notifications.<br/>
 <sup>3</sup> See [Gateway overview](api-management-gateways-overview.md#feature-comparison-managed-versus-self-hosted-gateways) for a feature comparison of managed versus self-hosted gateways. In the Developer tier self-hosted gateways are limited to a single gateway node. <br/>
-<sup>4</sup> The following policies aren't available in the Consumption tier: rate limit by key and quota by key. <br/>
+<sup>4</sup> See [Gateway overview](api-management-gateways-overview.md#policies) for differences in policy support in the dedicated, consumption, and self-hosted gateways. <br/>
 <sup>5</sup> GraphQL subscriptions aren't supported in the Consumption tier.
@@ -7,7 +7,7 @@ author: dlepow
 
 ms.service: api-management
 ms.topic: conceptual
-ms.date: 08/04/2022
+ms.date: 02/06/2023
 ms.author: danlep
 ---
 
 
@@ -1,35 +1,25 @@
 ---
-title: Set up private endpoint for Azure API Management Preview
-description: Learn how to restrict access to an Azure API Management instance by using an Azure private endpoint and Azure Private Link.
+title: Set up inbound private endpoint for Azure API Management
+description: Learn how to restrict inbound access to an Azure API Management instance by using an Azure private endpoint and Azure Private Link.
 ms.service: api-management
 author: dlepow
 ms.author: danlep
 ms.topic: how-to
-ms.date: 03/31/2022
+ms.date: 03/20/2023
 
 ---
 
-# Connect privately to API Management using a private endpoint
+# Connect privately to API Management using an inbound private endpoint
 
-You can configure a [private endpoint](../private-link/private-endpoint-overview.md) for your API Management instance to allow clients in your private network to securely access the instance over [Azure Private Link](../private-link/private-link-overview.md). 
+You can configure an inbound [private endpoint](../private-link/private-endpoint-overview.md) for your API Management instance to allow clients in your private network to securely access the instance over [Azure Private Link](../private-link/private-link-overview.md). 
 
-* The private endpoint uses an IP address from your Azure VNet address space. 
+* The private endpoint uses an IP address from an Azure VNet in which it's hosted.
 
 * Network traffic between a client on your private network and API Management traverses over the VNet and a Private Link on the Microsoft backbone network, eliminating exposure from the public internet.
 
 * Configure custom DNS settings or an Azure DNS private zone to map the API Management hostname to the endpoint's private IP address. 
 
-:::image type="content" source="media/private-endpoint/api-management-private-endpoint.png" alt-text="Diagram that shows a secure connection to API Management using private endpoint.":::
-
-With a private endpoint and Private Link, you can:
-
-- Create multiple Private Link connections to an API Management instance. 
-
-- Use the private endpoint to send inbound traffic on a secure connection. 
-
-- Use policy to distinguish traffic that comes from the private endpoint. 
-
-- Limit incoming traffic only to private endpoints, preventing data exfiltration.
+:::image type="content" source="media/private-endpoint/api-management-private-endpoint.png" alt-text="Diagram that shows a secure inbound connection to API Management using private endpoint.":::
 
 [!INCLUDE [api-management-private-endpoint](../../includes/api-management-private-endpoint.md)]
 
@@ -38,9 +28,9 @@ With a private endpoint and Private Link, you can:
 
 ## Limitations
 
-* Only the API Management instance's Gateway endpoint currently supports Private Link connections. 
-* Each API Management instance currently supports at most 100 Private Link connections.
-* Connections are not supported on the [self-hosted gateway](self-hosted-gateway-overview.md). 
+* Only the API Management instance's Gateway endpoint supports inbound Private Link connections. 
+* Each API Management instance supports at most 100 Private Link connections.
+* Connections aren't supported on the [self-hosted gateway](self-hosted-gateway-overview.md). 
 
 ## Prerequisites
 
@@ -108,7 +98,7 @@ When you use the Azure portal to create a private endpoint, as shown in the next
 
 1. In the left-hand menu, select **Network**.
 
-1. Select **Private endpoint connections** > **+ Add endpoint**.
+1. Select **Inbound private endpoint connections** > **+ Add endpoint**.
 
     :::image type="content" source="media/private-endpoint/add-endpoint-from-instance.png" alt-text="Add a private endpoint using Azure portal":::
 
@@ -120,7 +110,8 @@ When you use the Azure portal to create a private endpoint, as shown in the next
     | Subscription | Select your subscription. |
     | Resource group | Select an existing resource group, or create a new one. It must be in the same region as your virtual network.|
     | **Instance details** |  |
-    | Name  | Enter a name for the endpoint such as **myPrivateEndpoint**. |
+    | Name  | Enter a name for the endpoint such as *myPrivateEndpoint*. |
+    | Network Interface Name | Enter a name for the network interface, such as *myInterface* |
     | Region | Select a location for the private endpoint. It must be in the same region as your virtual network. It may differ from the region where your API Management instance is hosted. |
 
 1. Select the **Resource** tab or the **Next: Resource** button at the bottom of the page. The following information about your API Management instance is already populated:
@@ -132,28 +123,37 @@ When you use the Azure portal to create a private endpoint, as shown in the next
 
     :::image type="content" source="media/private-endpoint/create-private-endpoint.png" alt-text="Create a private endpoint in Azure portal":::
 
-1. Select the **Configuration** tab or the **Next: Configuration** button at the bottom of the screen.
+1. Select the **Virtual Network** tab or the **Next: Virtual Network** button at the bottom of the screen.
 
-1. In **Configuration**, enter or select this information:
+1. In **Networking**, enter or select this information:
 
     | Setting | Value |
     | ------- | ----- |
-    | **Networking** |  |
     | Virtual network | Select your virtual network. |
     | Subnet | Select your subnet. |
-    | **Private DNS integration** |  |
+    | Private IP configuration | In most cases, select **Dynamically allocate IP address.** |
+    | Application security group | Optionally select an [application security group](../virtual-network/application-security-groups.md). |
+
+1. Select the **DNS** tab or the **Next: DNS** button at the bottom of the screen.
+
+1. In **Private DNS integration**, enter or select this information:
+
+    | Setting | Value |
+    | ------- | ----- |
     | Integrate with private DNS zone | Leave the default of **Yes**. |
     | Subscription | Select your subscription. |
     | Resource group | Select your resource group. |
-    | Private DNS zones | Leave the default of **(new) privatelink.azure-api.net**.
+    | Private DNS zones | The default value is displayed: **(new) privatelink.azure-api.net**.
 
-1. Select **Review + create**.
+1. Select the **Tags** tab or the **Next: Tabs** button at the bottom of the screen. If you desire, enter tags to organize your Azure resources.
+
+1.  Select **Review + create**.
 
 1. Select **Create**.
 
 ### List private endpoint connections to the instance
 
-After the private endpoint is created, it appears in the list on the API Management instance's **Private endpoint connections** page in the portal.
+After the private endpoint is created, it appears in the list on the API Management instance's **Inbound private endpoint connections** page in the portal.
 
 You can also use the [Private Endpoint Connection - List By Service](/rest/api/apimanagement/current-ga/private-endpoint-connection/list-by-service) REST API to list private endpoint connections to the service instance.
 
@@ -200,9 +200,12 @@ Use the following JSON body:
 
 After the private endpoint is created, confirm its DNS settings in the portal:
 
-1. In the portal, navigate to the **Private Link Center**.
-1. Select **Private endpoints** and select the private endpoint you created.
+1. Navigate to your API Management service in the [Azure portal](https://portal.azure.com/).
+
+1. In the left-hand menu, select **Network** > **Inbound private endpoint connections**, and select the private endpoint you created.
+
 1. In the left-hand navigation, select **DNS configuration**.
+
 1. Review the DNS records and IP address of the private endpoint. The IP address is a private address in the address space of the subnet where the private endpoint is configured.
 
 ### Test in virtual network
@@ -232,7 +235,7 @@ To connect to 'Microsoft.ApiManagement/service/my-apim-service', please use the
 ## Next steps
 
 * Use [policy expressions](api-management-policy-expressions.md#ref-context-request) with the `context.request` variable to identify traffic from the private endpoint.
-* Learn more about [private endpoints](../private-link/private-endpoint-overview.md) and [Private Link](../private-link/private-link-overview.md).
+* Learn more about [private endpoints](../private-link/private-endpoint-overview.md) and [Private Link](../private-link/private-link-overview.md), including [Private Link pricing](https://azure.microsoft.com/pricing/details/private-link/).
 * Learn more about [managing private endpoint connections](../private-link/manage-private-endpoint.md).
 * [Troubleshoot Azure private endpoint connectivity problems](../private-link/troubleshoot-private-endpoint-connectivity.md).
 * Use a [Resource Manager template](https://azure.microsoft.com/resources/templates/api-management-private-endpoint/) to create an API Management instance and a private endpoint with private DNS integration.