
Commit 228c6c2

Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into ts_hbase17
2 parents d458285 + a1557ce commit 228c6c2

13 files changed: +338 -87 lines changed

articles/azure-app-configuration/TOC.yml

Lines changed: 5 additions & 3 deletions
@@ -64,8 +64,6 @@
6464
items:
6565
- name: Key-value store
6666
href: concept-key-value.md
67-
- name: Encrypt using customer-managed keys
68-
href: concept-customer-managed-keys.md
6967
- name: Point-in-time snapshot
7068
href: concept-point-time-snapshot.md
7169
- name: Feature management
@@ -74,8 +72,12 @@
7472
href: concept-github-action.md
7573
- name: Event handling
7674
href: concept-app-configuration-event.md
77-
- name: Authentication
75+
- name: Security
7876
items:
77+
- name: Encrypt using customer-managed keys
78+
href: concept-customer-managed-keys.md
79+
- name: Secure your config store using Private Endpoints
80+
href: concept-private-endpoint.md
7981
- name: Integrate with Azure Managed Identity
8082
href: howto-integrate-azure-managed-service-identity.md
8183
- name: Enable access using Azure Active Directory
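Review bot: The new TOC entry at line 79, "Secure your config store using Private Endpoints", does not match the wording of the article it links to, which is titled "Using private endpoints for Azure App Configuration" and writes "App Configuration store" and lowercase "private endpoints". Consider "Use private endpoints" so the entry reads like its sibling "Encrypt using customer-managed keys" and readers can match the TOC to the page title.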
Lines changed: 80 additions & 0 deletions
@@ -0,0 +1,80 @@
1+
---
2+
title: Using private endpoints for Azure App Configuration
3+
description: Secure your App Configuration store using private endpoints
4+
services: azure-app-configuration
5+
author: lisaguthrie
6+
ms.service: azure-app-configuration
7+
ms.topic: conceptual
8+
ms.date: 3/12/2020
9+
ms.author: lcozzens
10+
11+
#Customer intent: As a developer using Azure App Configuration, I want to understand how to use private endpoints to enable secure communication with my App Configuration instance.
12+
---
13+
# Using private endpoints for Azure App Configuration
14+
15+
You can use [private endpoints](../private-link/private-endpoint-overview.md) for Azure App Configuration to allow clients on a virtual network (VNet) to securely access data over a [private link](../private-link/private-link-overview.md). The private endpoint uses an IP address from the VNet address space for your App Configuration store. Network traffic between the clients on the VNet and the App Configuration store traverses over the VNet using a private link on the Microsoft backbone network, eliminating exposure to the public internet.
16+
17+
Using private endpoints for your App Configuration store enables you to:
18+
- Secure your application configuration details by configuring the firewall to block all connections to App Configuration on the public endpoint.
19+
- Increase security for the virtual network (VNet) ensuring data doesn't escape from the VNet.
20+
- Securely connect to the App Configuration store from on-premises networks that connect to the VNet using [VPN](../vpn-gateway/vpn-gateway-about-vpngateways.md) or [ExpressRoutes](../expressroute/expressroute-locations.md) with private-peering.
21+
22+
> [!NOTE]
23+
> Azure App Configuration offers the use of private endpoints as a public preview. Public preview offerings allow customers to experiment with new features prior to their official release. Public preview features and services are not meant for production use.
24+
25+
## Conceptual Overview
26+
27+
A private endpoint is a special network interface for an Azure service in your [Virtual Network](../virtual-network/virtual-networks-overview.md) (VNet). When you create a private endpoint for your App Config store, it provides secure connectivity between clients on your VNet and your configuration store. The private endpoint is assigned an IP address from the IP address range of your VNet. The connection between the private endpoint and the configuration store uses a secure private link.
28+
29+
Applications in the VNet can connect to the configuration store over the private endpoint **using the same connection strings and authorization mechanisms that they would use otherwise**. Private endpoints can be used with all protocols supported by the App Configuration store.
30+
31+
While App Configuration doesn't support service endpoints, private endpoints can be created in subnets that use [Service Endpoints](../virtual-network/virtual-network-service-endpoints-overview.md). Clients in a subnet can connect securely to an App Configuration store using the private endpoint while using service endpoints to access others.
32+
33+
When you create a private endpoint for a service in your VNet, a consent request is sent for approval to the service account owner. If the user requesting the creation of the private endpoint is also an owner of the account, this consent request is automatically approved.
34+
35+
Service account owners can manage consent requests and private endpoints through the `Private Endpoints` tab of the config store in the [Azure portal](https://portal.azure.com).
36+
37+
### Private Endpoints for App Configuration
38+
39+
When creating a private endpoint, you must specify the App Configuration store to which it connects. If you have multiple App Configuration instances within an account, you need a separate private endpoint for each store.
40+
41+
#### Resources for creating private endpoints
42+
43+
For more detailed information on creating a private endpoint for your App Configuration store, refer to the following articles:
44+
45+
- [Create a private endpoint using the Private Link Center in the Azure portal](../private-link/create-private-endpoint-portal.md)
46+
- [Create a private endpoint using Azure CLI](../private-link/create-private-endpoint-cli.md)
47+
- [Create a private endpoint using Azure PowerShell](../private-link/create-private-endpoint-powershell.md)
48+
49+
### Connecting to Private Endpoints
50+
51+
Azure relies upon DNS resolution to route connections from the VNet to the configuration store over a private link. You can quickly find connections strings in the Azure portal by selecting your App Configuration store, then selecting **Settings** > **Access Keys**.
52+
53+
> [!IMPORTANT]
54+
> Use the same connection string to connect to your App Configuration store using private endpoints as you would use for a public endpoint. Don't connect to the storage account using its `privatelink` subdomain URL.
55+
56+
## DNS changes for Private Endpoints
57+
58+
When you create a private endpoint, the DNS CNAME resource record for the configuration store is updated to an alias in a subdomain with the prefix `privatelink`. Azure also creates a [private DNS zone](../dns/private-dns-overview.md) corresponding to the `privatelink` subdomain, with the DNS A resource records for the private endpoints.
59+
60+
When you resolve the endpoint URL from outside the VNet, it resolves to the public endpoint of the store. When resolved from within the VNet hosting the private endpoint, the endpoint URL resolves to the private endpoint.
61+
62+
You can control access for clients outside the VNet through the public endpoint using the Azure Firewall service.
63+
64+
This approach enables access to the store **using the same connection string** for clients on the VNet hosting the private endpoints as well as clients outside the VNet.
65+
66+
If you are using a custom DNS server on your network, clients must be able to resolve the fully qualified domain name (FQDN) for the service endpoint to the private endpoint IP address. Configure your DNS server to delegate your private link subdomain to the private DNS zone for the VNet, or configure the A records for `AppConfigInstanceA.privatelink.azconfig.io` with the private endpoint IP address.
67+
68+
> [!TIP]
69+
> When using a custom or on-premises DNS server, you should configure your DNS server to resolve the store name in the `privatelink` subdomain to the private endpoint IP address. You can do this by delegating the `privatelink` subdomain to the private DNS zone of the VNet, or configuring the DNS zone on your DNS server and adding the DNS A records.
70+
71+
#### Resources for configuring your DNS server with private endpoints
72+
73+
For more information, see:
74+
75+
- [Name resolution for resources in Azure virtual networks](/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances#name-resolution-that-uses-your-own-dns-server)
76+
- [DNS configuration for Private Endpoints](/azure/private-link/private-endpoint-overview#dns-configuration)
77+
78+
## Pricing
79+
80+
Enabling private endpoints requires a [Standard tier](https://azure.microsoft.com/pricing/details/app-configuration/) App Configuration store. To learn about private link pricing details, see [Azure Private Link pricing](https://azure.microsoft.com/pricing/details/private-link).
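Review bot: Line 54 tells readers not to connect to "the storage account" using its `privatelink` subdomain URL, but this article is about an App Configuration store; suggest "Don't connect to the store using its `privatelink` subdomain URL." The same kind of wording shows up at line 39 ("multiple App Configuration instances within an account"), lines 33 and 35 ("service account owner"), and line 66 ("the FQDN for the service endpoint"), which sits oddly next to line 31's statement that App Configuration doesn't support service endpoints. On the security side, line 60 says the name still resolves to the public endpoint from outside the VNet, so the article should state plainly that the public endpoint stays reachable until it is blocked; line 18 ("configuring the firewall") and line 62 ("using the Azure Firewall service") don't say which setting does that or link to it. Smaller points: "connections strings" at line 51 should be "connection strings", the tip at lines 68-69 repeats line 66 almost verbatim, and `author: lisaguthrie` does not match `ms.author: lcozzens`.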

articles/azure-app-configuration/enable-dynamic-configuration-java-spring-app.md

Lines changed: 4 additions & 1 deletion
@@ -49,4 +49,7 @@ Save the file, then build and run your application as usual.
4949

5050
## Next steps
5151

52-
In this tutorial, you enabled your Spring Boot app to dynamically refresh configuration settings from App Configuration. For more information, see [Spring on Azure](https://docs.microsoft.com/java/azure/spring-framework/).
52+
In this tutorial, you enabled your Spring Boot app to dynamically refresh configuration settings from App Configuration. To learn how to use an Azure managed identity to streamline the access to App Configuration, continue to the next tutorial.
53+
54+
> [!div class="nextstepaction"]
55+
> [Managed identity integration](./howto-integrate-azure-managed-service-identity.md)
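Review bot: The rewritten sentence at line 52 drops the "Spring on Azure" link that the removed line carried, and "streamline the access to App Configuration" reads awkwardly. If the link removal is intentional, fine; otherwise keep it, and use "streamline access to App Configuration" as the quickstart did.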

articles/azure-app-configuration/quickstart-java-spring-app.md

Lines changed: 2 additions & 2 deletions
@@ -181,7 +181,7 @@ Use the [Spring Initializr](https://start.spring.io/) to create a new Spring Boo
181181

182182
## Next steps
183183

184-
In this quickstart, you created a new App Configuration store and used it with a Java Spring app. For more information, see [Spring on Azure](https://docs.microsoft.com/java/azure/spring-framework/). To learn how to use an Azure managed identity to streamline access to App Configuration, continue to the next tutorial.
184+
In this quickstart, you created a new App Configuration store and used it with a Java Spring app. For more information, see [Spring on Azure](https://docs.microsoft.com/java/azure/spring-framework/). To learn how to enable your Java Spring app to dynamically refresh configuration settings, continue to the next tutorial.
185185

186186
> [!div class="nextstepaction"]
187-
> [Managed identity integration](./howto-integrate-azure-managed-service-identity.md)
187+
> [Enable dynamic configuration](./enable-dynamic-configuration-java-spring-app.md)

articles/cloud-services/cloud-services-dotnet-install-dotnet.md

Lines changed: 7 additions & 7 deletions
@@ -15,19 +15,19 @@ ms.author: tagore
1515
# Install .NET on Azure Cloud Services roles
1616
This article describes how to install versions of .NET Framework that don't come with the Azure Guest OS. You can use .NET on the Guest OS to configure your cloud service web and worker roles.
1717

18-
For example, you can install .NET 4.6.2 on the Guest OS family 4, which doesn't come with any release of .NET 4.6. (The Guest OS family 5 does come with .NET 4.6.) For the latest information on the Azure Guest OS releases, see the [Azure Guest OS release news](cloud-services-guestos-update-matrix.md).
18+
For example, you can install .NET Framework 4.6.2 on the Guest OS family 4, which doesn't come with any release of .NET Framework 4.6. (The Guest OS family 5 does come with .NET Framework 4.6.) For the latest information on the Azure Guest OS releases, see the [Azure Guest OS release news](cloud-services-guestos-update-matrix.md).
1919

2020
>[!IMPORTANT]
21-
>The Azure SDK 2.9 contains a restriction on deploying .NET 4.6 on the Guest OS family 4 or earlier. A fix for the restriction is available on the [Microsoft Docs](https://github.com/MicrosoftDocs/azure-cloud-services-files/tree/master/Azure%20Targets%20SDK%202.9) site.
21+
>The Azure SDK 2.9 contains a restriction on deploying .NET Framework 4.6 on the Guest OS family 4 or earlier. A fix for the restriction is available on the [Microsoft Docs](https://github.com/MicrosoftDocs/azure-cloud-services-files/tree/master/Azure%20Targets%20SDK%202.9) site.
2222
2323
To install .NET on your web and worker roles, include the .NET web installer as part of your cloud service project. Start the installer as part of the role's startup tasks.
2424

2525
## Add the .NET installer to your project
2626
To download the web installer for the .NET Framework, choose the version that you want to install:
2727

28-
* [.NET 4.8 web installer](https://dotnet.microsoft.com/download/thank-you/net48)
29-
* [.NET 4.7.2 web installer](https://go.microsoft.com/fwlink/?LinkId=863262)
30-
* [.NET 4.6.2 web installer](https://www.microsoft.com/download/details.aspx?id=53345)
28+
* [.NET Framework 4.8 web installer](https://dotnet.microsoft.com/download/thank-you/net48)
29+
* [.NET Framework 4.7.2 web installer](https://go.microsoft.com/fwlink/?LinkId=863262)
30+
* [.NET Framework 4.6.2 web installer](https://www.microsoft.com/download/details.aspx?id=53345)
3131

3232
To add the installer for a *web* role:
3333
1. In **Solution Explorer**, under **Roles** in your cloud service project, right-click your *web* role and select **Add** > **New Folder**. Create a folder named **bin**.
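Review bot: The rename from ".NET" to ".NET Framework" is incomplete in this hunk: the unchanged lines 23 and 25 still read "To install .NET on your web and worker roles, include the .NET web installer" and "## Add the .NET installer to your project", and the H1 at line 15 is still "Install .NET on Azure Cloud Services roles". Since line 26 already says "the web installer for the .NET Framework", update those lines in the same change so the article uses one product name throughout.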
@@ -39,7 +39,7 @@ To add the installer for a *worker* role:
3939
When files are added in this way to the role content folder, they're automatically added to your cloud service package. The files are then deployed to a consistent location on the virtual machine. Repeat this process for each web and worker role in your cloud service so that all roles have a copy of the installer.
4040

4141
> [!NOTE]
42-
> You should install .NET 4.6.2 on your cloud service role even if your application targets .NET 4.6. The Guest OS includes the Knowledge Base [update 3098779](https://support.microsoft.com/kb/3098779) and [update 3097997](https://support.microsoft.com/kb/3097997). Issues can occur when you run your .NET applications if .NET 4.6 is installed on top of the Knowledge Base updates. To avoid these issues, install .NET 4.6.2 rather than version 4.6. For more information, see the [Knowledge Base article 3118750](https://support.microsoft.com/kb/3118750) and [4340191](https://support.microsoft.com/kb/4340191).
42+
> You should install .NET Framework 4.6.2 on your cloud service role even if your application targets .NET Framework 4.6. The Guest OS includes the Knowledge Base [update 3098779](https://support.microsoft.com/kb/3098779) and [update 3097997](https://support.microsoft.com/kb/3097997). Issues can occur when you run your .NET applications if .NET Framework 4.6 is installed on top of the Knowledge Base updates. To avoid these issues, install .NET Framework 4.6.2 rather than version 4.6. For more information, see the [Knowledge Base article 3118750](https://support.microsoft.com/kb/3118750) and [4340191](https://support.microsoft.com/kb/4340191).
4343
>
4444
>
4545
@@ -77,7 +77,7 @@ You can use startup tasks to perform operations before a role starts. Installing
7777

7878
2. Create a file named **install.cmd** and add the following install script to the file.
7979

80-
The script checks whether the specified version of the .NET Framework is already installed on the machine by querying the registry. If the .NET version is not installed, then the .NET web installer is opened. To help troubleshoot any issues, the script logs all activity to the file startuptasklog-(current date and time).txt that is stored in **InstallLogs** local storage.
80+
The script checks whether the specified version of the .NET Framework is already installed on the machine by querying the registry. If the .NET Framework version is not installed, then the .NET Framework web installer is opened. To help troubleshoot any issues, the script logs all activity to the file startuptasklog-(current date and time).txt that is stored in **InstallLogs** local storage.
8181

8282
> [!IMPORTANT]
8383
> Use a basic text editor like Windows Notepad to create the install.cmd file. If you use Visual Studio to create a text file and change the extension to .cmd, the file might still contain a UTF-8 byte order mark. This mark can cause an error when the first line of the script is run. To avoid this error, make the first line of the script a REM statement that can be skipped by the byte order processing.

articles/data-lake-analytics/dotnet-upgrade-troubleshoot.md

Lines changed: 4 additions & 4 deletions
@@ -1,6 +1,6 @@
11
---
2-
title: How to troubleshoot the Azure Data Lake Analytics U-SQL job failures because of .NET 4.7.2 upgrade
3-
description: 'Troubleshoot U-SQL job failures because of the upgrade to .NET 4.7.2.'
2+
title: How to troubleshoot the Azure Data Lake Analytics U-SQL job failures because of .NET Framework 4.7.2 upgrade
3+
description: 'Troubleshoot U-SQL job failures because of the upgrade to .NET Framework 4.7.2.'
44
services: data-lake-analytics
55
author: guyhay
66
ms.author: guyhay
@@ -17,12 +17,12 @@ The Azure Data Lake Analytics default runtime is upgrading from .NET Framework v
1717

1818
This upgrade from .NET Framework 4.5.2 to version 4.7.2 means that the .NET Framework deployed in a U-SQL runtime (the default runtime) will now always be 4.7.2. There isn't a side-by-side option for .NET Framework versions.
1919

20-
After this upgrade to .NET 4.7.2 is complete, the system’s managed code will run as version 4.7.2, user provided libraries such as the U-SQL custom assemblies will run in the backwards-compatible mode appropriate for the version that the assembly has been generated for.
20+
After this upgrade to .NET Framework 4.7.2 is complete, the system’s managed code will run as version 4.7.2, user provided libraries such as the U-SQL custom assemblies will run in the backwards-compatible mode appropriate for the version that the assembly has been generated for.
2121

2222
- If your assembly DLLs are generated for version 4.5.2, the deployed framework will treat them as 4.5.2 libraries, providing (with a few exceptions) 4.5.2 semantics.
2323
- You can now use U-SQL custom assemblies that make use of version 4.7.2 features, if you target the .NET Framework 4.7.2.
2424

25-
Because of this upgrade to .NET 4.7.2, there's a potential to introduce breaking changes to your U-SQL jobs that use .NET custom assemblies. We suggest you check for backwards-compatibility issues using the procedure below.
25+
Because of this upgrade to .NET Framework 4.7.2, there's a potential to introduce breaking changes to your U-SQL jobs that use .NET custom assemblies. We suggest you check for backwards-compatibility issues using the procedure below.
2626

2727
## How to check for backwards-compatibility issues
2828

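Review bot: Line 20 is touched for the rename but keeps its comma splice ("...will run as version 4.7.2, user provided libraries such as the U-SQL custom assemblies will run in the backwards-compatible mode..."). Split it into two sentences and hyphenate "user-provided" while the line is being edited anyway.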