Merge pull request #233495 from AbhishekMallick01/Apr-5-2023-CSSDocAsk

prmerger-automator[bot] · web-flow · commit 20a9e1767587 · 2023-04-26T16:07:11.000Z
CSS doc ask #15996126
diff --git a/articles/backup/backup-azure-private-endpoints-concept.md b/articles/backup/backup-azure-private-endpoints-concept.md
@@ -3,7 +3,7 @@ title: Private endpoints for Azure Backup - Overview
 description: This article explains about the concept of private endpoints for Azure Backup that helps to perform backups while maintaining the security of your resources.
 ms.topic: conceptual
 ms.service: backup
-ms.date: 03/08/2023
+ms.date: 04/26/2023
 author: jyothisuri
 ms.author: jsuri
 ---
@@ -147,8 +147,6 @@ The workload extension running on Azure VM requires connection to at least two s
 For a private endpoint enabled vault, the Azure Backup service creates private endpoint for these storage accounts. This prevents any network traffic related to Azure Backup (control plane traffic to service and backup data to storage blob) from leaving the virtual network.
 In addition to the Azure Backup cloud services, the workload extension and agent require connectivity to the Azure Storage accounts and Azure Active Directory (Azure AD).
 
-As a pre-requisite, Recovery Services vault requires permissions for creating additional private endpoints in the same Resource Group. We also recommend providing the Recovery Services vault the permissions to create DNS entries in the private DNS zones (`privatelink.blob.core.windows.net`, `privatelink.queue.core.windows.net`). Recovery Services vault searches for private DNS zones in the resource groups where VNet and private endpoint are created. If it has the permissions to add DNS entries in these zones, they’ll be created by the vault; otherwise, you must create them manually.
-
 The following diagram shows how the name resolution works for storage accounts using a private DNS zone.
 
 :::image type="content" source="./media/private-endpoints-overview/name-resolution-works-for-storage-accounts-using-private-dns-zone-inline.png" alt-text="Diagram showing how the name resolution works for storage accounts using a private DNS zone." lightbox="./media/private-endpoints-overview/name-resolution-works-for-storage-accounts-using-private-dns-zone-expanded.png":::
diff --git a/articles/backup/backup-azure-private-endpoints-configure-manage.md b/articles/backup/backup-azure-private-endpoints-configure-manage.md
@@ -3,7 +3,7 @@ title: How to create and manage private endpoints (with v2 experience) for Azure
 description: This article explains how to configure and manage private endpoints for Azure Backup.
 ms.topic: how-to
 ms.service: backup
-ms.date: 03/08/2023
+ms.date: 04/26/2023
 author: jyothisuri
 ms.author: jsuri
 ---
@@ -108,9 +108,10 @@ You'll see an entry for the virtual network for which you've created the private
 
   |Zone |Service |
   |--- |--- |
-  |`privatelink.<geo>.backup.windowsazure.com` |Backup  |
-  |`privatelink.blob.core.windows.net`         |Blob    |
-  |`privatelink.queue.core.windows.net`        |Queue   |
+  |`*.privatelink.<geo>.backup.windowsazure.com` |Backup  |
+  |`*.blob.core.windows.net`                     |Blob    |
+  |`*.queue.core.windows.net`                    |Queue   |
+  |`*.storage.azure.net`                         |Blob    |
 
   >[!NOTE]
   > In the above text, `<geo>` refers to the region code (for example *eus* and *ne* for East US and North Europe respectively). Refer to the following lists for regions codes:
diff --git a/articles/backup/private-endpoints-overview.md b/articles/backup/private-endpoints-overview.md
@@ -2,7 +2,7 @@
 title: Private endpoints overview
 description: Understand the use of private endpoints for Azure Backup and the scenarios where using private endpoints helps maintain the security of your resources.
 ms.topic: conceptual
-ms.date: 03/01/2023
+ms.date: 04/26/2023
 ms.custom: devx-track-azurepowershell
 ms.service: backup
 author: jyothisuri
@@ -26,7 +26,6 @@ This article will help you understand how private endpoints for Azure Backup wor
 - A private endpoint connection for Backup uses a total of 11 private IPs in your subnet, including those used by Azure Backup for storage. This number may be higher for certain Azure regions. So we suggest that you have enough private IPs (/26) available when you attempt to create private endpoints for Backup.
 - While a Recovery Services vault is used by (both) Azure Backup and Azure Site Recovery, this article discusses use of private endpoints for Azure Backup only.
 - Private endpoints for Backup don’t include access to Azure Active Directory (Azure AD) and the same needs to be ensured separately. So, IPs and FQDNs required for Azure AD to work in a region will need outbound access to be allowed from the secured network when performing backup of databases in Azure VMs and backup using the MARS agent. You can also use NSG tags and Azure Firewall tags for allowing access to Azure AD, as applicable.
-- Virtual networks with Network Policies aren't supported for Private Endpoints. You'll need to [disable Network Polices](../private-link/disable-private-endpoint-network-policy.md) before continuing.
 - You need to re-register the Recovery Services resource provider with the subscription if you registered it before May 1 2020. To re-register the provider, go to your subscription in the Azure portal, navigate to **Resource provider** on the left navigation bar, then select **Microsoft.RecoveryServices** and select **Re-register**.
 - [Cross-region restore](backup-create-rs-vault.md#set-cross-region-restore) for SQL and SAP HANA database backups aren't supported if the vault has private endpoints enabled.
 - When you move a Recovery Services vault already using private endpoints to a new tenant, you'll need to update the Recovery Services vault to recreate and reconfigure the vault’s managed identity and create new private endpoints as needed (which should be in the new tenant). If this isn't done, the backup and restore operations will start failing. Also, any Azure role-based access control (Azure RBAC) permissions set up within the subscription will need to be reconfigured.
@@ -55,15 +54,15 @@ In addition to these connections when the workload extension or MARS agent is in
 | Service | Domain names |
 | --- | --- |
 | Azure Backup | `*.backup.windowsazure.com` |
-| Azure Storage | `*.blob.core.windows.net` <br><br> `*.queue.core.windows.net` <br><br> `*.blob.storage.azure.net` |
+| Azure Storage | `*.blob.core.windows.net` <br><br> `*.queue.core.windows.net` <br><br> `*.blob.storage.azure.net` <br><br> `*.storage.azure.net` |
 | Azure Active Directory (Azure AD) | [Allow access to FQDNs under sections 56 and 59](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide&preserve-view=true#microsoft-365-common-and-office-online). |
 
 When the workload extension or MARS agent is installed for Recovery Services vault with private endpoint, the following endpoints are hit:
 
 | Service | Domain name |
 | --- | --- |
 | Azure Backup | `*.privatelink.<geo>.backup.windowsazure.com` | 
-| Azure Storage | `*.blob.core.windows.net` <br><br> `*.queue.core.windows.net` <br><br> `*.blob.storage.azure.net` | 
+| Azure Storage | `*.blob.core.windows.net` <br><br> `*.queue.core.windows.net` <br><br> `*.blob.storage.azure.net`   <br><br> `*.storage.azure.net` | 
 | Azure Active Directory (Azure AD) | [Allow access to FQDNs under sections 56 and 59](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide&preserve-view=true#microsoft-365-common-and-office-online). |
 
 >[!Note]
diff --git a/articles/backup/private-endpoints.md b/articles/backup/private-endpoints.md
@@ -2,7 +2,7 @@
 title: Create and use private endpoints for Azure Backup
 description: Understand the process to creating private endpoints for Azure Backup where using private endpoints helps maintain the security of your resources.
 ms.topic: how-to
-ms.date: 02/20/2023
+ms.date: 04/26/2023
 ms.custom: devx-track-azurepowershell
 ms.service: backup
 author: jyothisuri
@@ -165,67 +165,6 @@ For **each private DNS** zone listed above (for Backup, Blobs and Queues), do th
 
     ![Add virtual network link](./media/private-endpoints/add-virtual-network-link.png)
 
-### When using custom DNS server or host files
-
-If you're using your custom DNS servers, you'll need to add the DNS records needed by the private endpoints to your DNS servers. You can also use conditional forwarders and redirect the DNS request for the FQDN to Azure DNS. Azure DNS redirects the DNS requests to private DNS zone and resolve them.
-
-#### For the Backup service
-
-1. In your DNS server, create a DNS zone for Backup according to the following naming convention:
-
-    |Zone |Service |
-    |---------|---------|
-    |`privatelink.<geo>.backup.windowsazure.com`   |  Backup        |
-
-    >[!NOTE]
-    > In the above text, `<geo>` refers to the region code (for example *eus* and *ne* for East US and North Europe respectively). Refer to the following lists for regions codes:
-    >
-    > - [All public clouds](https://download.microsoft.com/download/1/2/6/126a410b-0e06-45ed-b2df-84f353034fa1/AzureRegionCodesList.docx)
-    > - [China](/azure/china/resources-developer-guide#check-endpoints-in-azure)
-    > - [Germany](../germany/germany-developer-guide.md#endpoint-mapping)
-    > - [US Gov](../azure-government/documentation-government-developer-guide.md)
-    > - [Geo-code list - sample XML](scripts/geo-code-list.md)
-
-1. Next, we need to add the required DNS records. To view the records that need to be added to the Backup DNS zone, navigate to the private endpoint you created above, and go to the **DNS configuration** option under the left navigation bar.
-
-    ![DNS configuration for custom DNS server](./media/private-endpoints/custom-dns-configuration.png)
-
-1. Add one entry for each FQDN and IP displayed as A type records in your DNS zone for Backup. If you're using a host file for name resolution, make corresponding entries in the host file for each IP and FQDN according to the following format:
-
-    `<private ip><space><backup service privatelink FQDN>`
-
->[!NOTE]
->As shown in the screenshot above, the FQDNs depict `xxxxxxxx.<geo>.backup.windowsazure.com` and not `xxxxxxxx.privatelink.<geo>.backup.windowsazure.com`. In such cases, ensure you include (and if required, add) the `.privatelink.` according to the stated format.
-
-#### For Blob and Queue services
-
-For blobs and queues, you can either use conditional forwarders or create DNS zones in your DNS server.
-
-##### If using conditional forwarders
-
-If you're using conditional forwarders, add forwarders for blob and queue FQDNs as follows:
-
-|FQDN  |IP  |
-|---------|---------|
-|`privatelink.blob.core.windows.net`     |  168.63.129.16       |
-|`privatelink.queue.core.windows.net`     | 168.63.129.16       |
-
-##### If using private DNS zones
-
-If you're using DNS zones for blobs and queues, you'll need to first create these DNS zones and later add the required A records.
-
-|Zone |Service  |
-|---------|---------|
-|`privatelink.blob.core.windows.net`     |  Blob     |
-|`privatelink.queue.core.windows.net`     | Queue        |
-
-At this moment, we'll only create the zones for blobs and queues when using custom DNS servers. Adding DNS records will be done later in two steps:
-
-1. When you register the first backup instance, that is, when you configure backup for the first time
-1. When you run the first backup
-
-We'll perform these steps in the following sections.
-
 ## When using custom DNS server or host files
 
 - If you're using a custom DNS server, you can use conditional forwarder for backup service, blob, and queue FQDNs to redirect the DNS requests to Azure DNS (168.63.129.16). Azure DNS redirects it to Azure Private DNS zone. In such setup, ensure that a virtual network link for Azure Private DNS zone exists as mentioned in [this section](#when-using-custom-dns-server-or-host-files).
