Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into vnet-old-review

Author: asudbring

articles/active-directory/develop/multi-service-web-app-access-storage.md

@@ -7,7 +7,7 @@ manager: CelesteDG
 ms.service: app-service
 ms.topic: tutorial
 ms.workload: identity
-ms.date: 04/25/2021
+ms.date: 03/24/2023
 ms.author: ryanwi
 ms.reviewer: stsoneff
 ms.devlang: csharp, javascript
@@ -64,7 +64,7 @@ To create a general-purpose v2 storage account in the Azure portal, follow these
 
 1. On the Azure portal menu, select **All services**. In the list of resources, enter **Storage Accounts**. As you begin typing, the list filters based on your input. Select **Storage Accounts**.
 
-1. In the **Storage Accounts** window that appears, select **Add**.
+1. In the **Storage Accounts** window that appears, select **Create**.
 
 1. Select the subscription in which to create the storage account.
 
@@ -74,33 +74,27 @@ To create a general-purpose v2 storage account in the Azure portal, follow these
 
 1. Select a location for your storage account, or use the default location.
 
-1. Leave these fields set to their default values:
+1. For **Performance**, select the **Standard** option.
 
-    |Field|Value|
-    |--|--|
-    |Deployment model|Resource Manager|
-    |Performance|Standard|
-    |Account kind|StorageV2 (general-purpose v2)|
-    |Replication|Read-access geo-redundant storage (RA-GRS)|
-    |Access tier|Hot|
+1. For **Redundancy**, select the **Locally-redundant storage (LRS)** option from the dropdown.
 
-1. Select **Review + Create** to review your storage account settings and create the account.
+1. Select **Review** to review your storage account settings and create the account.
 
 1. Select **Create**.
 
 To create a Blob Storage container in Azure Storage, follow these steps.
 
 1. Go to your new storage account in the Azure portal.
 
-1. In the left menu for the storage account, scroll to the **Blob service** section, and then select **Containers**.
+1. In the left menu for the storage account, scroll to the **Data storage** section, and then select **Containers**.
 
 1. Select the **+ Container** button.
 
 1. Type a name for your new container. The container name must be lowercase, must start with a letter or number, and can include only letters, numbers, and the dash (-) character.
 
 1. Set the level of public access to the container. The default level is **Private (no anonymous access)**.
 
-1. Select **OK** to create the container.
+1. Select **Create** to create the container.
 
 # [PowerShell](#tab/azure-powershell)
 
@@ -172,7 +166,15 @@ You need to grant your web app access to the storage account before you can crea
 
 In the [Azure portal](https://portal.azure.com), go into your storage account to grant your web app access. Select **Access control (IAM)** in the left pane, and then select **Role assignments**. You'll see a list of who has access to the storage account. Now you want to add a role assignment to a robot, the app service that needs access to the storage account. Select **Add** > **Add role assignment** to open the **Add role assignment** page.
 
-Assign the **Storage Blob Data Contributor** role to the **App Service** at subscription scope.  For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
+1. In the **Assignment type** tab, select **Job function type** and then **Next**.  
+
+1. In the **Role** tab, select **Storage Blob Data Contributor** role from the dropdown and then select **Next**.  
+
+1. In the **Members** tab, select **Assign access to** -> **Managed identity** and then select **Members** -> **Select members**.  In the **Select managed identities** window, find and select the managed identity created for your App Service in the **Managed identity** dropdown.  Select the **Select** button.  
+
+1. Select **Review and assign** and then select **Review and assign** once more.  
+ 
+For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
 
 Your web app now has access to your storage account.
 

articles/active-directory/hybrid/how-to-connect-install-prerequisites.md

@@ -57,7 +57,7 @@ To read more about securing your Active Directory environment, see [Best practic
 
 #### Installation prerequisites
 
-- Azure AD Connect must be installed on a domain-joined Windows Server 2016 or later - **note that Windows Server 2022 is not yet supported**. You can deploy Azure AD Connect on Windows Server 2016 but since Windows Server 2016 is in extended support, you may require [a paid support program](/lifecycle/policies/fixed#extended-support) if you require support for this configuration. We recommend the usage of domain joined Windows Server 2019.
+- Azure AD Connect must be installed on a domain-joined Windows Server 2016 or later. You can deploy Azure AD Connect on Windows Server 2016 but since Windows Server 2016 is in extended support, you may require [a paid support program](/lifecycle/policies/fixed#extended-support) if you require support for this configuration. We recommend the usage of domain joined Windows Server 2022.
 - The minimum .NET Framework version required is 4.6.2, and newer versions of .Net are also supported.
 - Azure AD Connect can't be installed on Small Business Server or Windows Server Essentials before 2019 (Windows Server Essentials 2019 is supported). The server must be using Windows Server standard or better. 
 - The Azure AD Connect server must have a full GUI installed. Installing Azure AD Connect on Windows Server Core isn't supported. 

articles/aks/load-balancer-standard.md

@@ -26,11 +26,9 @@ This article covers integration with a public load balancer on AKS. For internal
 
 ## Before you begin
 
-Azure Load Balancer is available in two SKUs: *Basic* and *Standard*. The *Standard* SKU is used by default when you create an AKS cluster. The *Standard* SKU gives you access to added functionality, such as a larger backend pool, [multiple node pools](use-multiple-node-pools.md), [Availability Zones](availability-zones.md), and is [secure by default][azure-lb]. It's the recommended load balancer SKU for AKS.
-
-For more information on the *Basic* and *Standard* SKUs, see [Azure Load Balancer SKU comparison][azure-lb-comparison].
-
-This article assumes you have an AKS cluster with the *Standard* SKU Azure Load Balancer. If you need an AKS cluster, you can create one [using Azure CLI][aks-quickstart-cli], [Azure PowerShell][aks-quickstart-powershell], or [the Azure portal][aks-quickstart-portal].
+* Azure Load Balancer is available in two SKUs: *Basic* and *Standard*. The *Standard* SKU is used by default when you create an AKS cluster. The *Standard* SKU gives you access to added functionality, such as a larger backend pool, [multiple node pools](use-multiple-node-pools.md), [Availability Zones](availability-zones.md), and is [secure by default][azure-lb]. It's the recommended load balancer SKU for AKS. For more information on the *Basic* and *Standard* SKUs, see [Azure Load Balancer SKU comparison][azure-lb-comparison].
+* This article assumes you have an AKS cluster with the *Standard* SKU Azure Load Balancer. If you need an AKS cluster, you can create one [using Azure CLI][aks-quickstart-cli], [Azure PowerShell][aks-quickstart-powershell], or [the Azure portal][aks-quickstart-portal].
+* AKS manages the lifecycle and operations of agent nodes. Modifying the IaaS resources associated with the agent nodes isn't supported. An example of an unsupported operation is making manual changes to the load balancer resource group.
 
 > [!IMPORTANT]
 > If you'd prefer to use your own gateway, firewall, or proxy to provide outbound connection, you can skip the creation of the load balancer outbound pool and respective frontend IP by using [**outbound type as UserDefinedRouting (UDR)**](egress-outboundtype.md). The outbound type defines the egress method for a cluster and defaults to type `LoadBalancer`.

articles/api-management/api-management-features.md

@@ -7,7 +7,7 @@ author: dlepow
 
 ms.service: api-management
 ms.topic: article
-ms.date: 02/07/2022
+ms.date: 02/06/2023
 ms.author: danlep
 ---
 
@@ -22,6 +22,7 @@ Each API Management [pricing tier](https://aka.ms/apimpricing) offers a distinct
 | -------------------------------------------------------------------------------------------- | ----------- | --------- | ----- | -------- | ------- |
 | Azure AD integration<sup>1</sup>                                                             | No          | Yes       | No    | Yes      | Yes     |
 | Virtual Network (VNet) support                                                               | No          | Yes       | No    | No       | Yes     |
+| Private endpoint support for inbound connections                                                               | No          | Yes       | Yes    | Yes       | Yes     |
 | Multi-region deployment                                                                      | No          | No        | No    | No       | Yes     |
 | Availability zones                                                                           | No          | No        | No    | No       | Yes     |
 | Multiple custom domain names                                                                 | No          | Yes        | No    | No       | Yes     |
@@ -45,5 +46,5 @@ Each API Management [pricing tier](https://aka.ms/apimpricing) offers a distinct
 <sup>1</sup> Enables the use of Azure AD (and Azure AD B2C) as an identity provider for user sign in on the developer portal.<br/>
 <sup>2</sup> Including related functionality such as users, groups, issues, applications, and email templates and notifications.<br/>
 <sup>3</sup> See [Gateway overview](api-management-gateways-overview.md#feature-comparison-managed-versus-self-hosted-gateways) for a feature comparison of managed versus self-hosted gateways. In the Developer tier self-hosted gateways are limited to a single gateway node. <br/>
-<sup>4</sup> The following policies aren't available in the Consumption tier: rate limit by key and quota by key. <br/>
+<sup>4</sup> See [Gateway overview](api-management-gateways-overview.md#policies) for differences in policy support in the dedicated, consumption, and self-hosted gateways. <br/>
 <sup>5</sup> GraphQL subscriptions aren't supported in the Consumption tier.

articles/api-management/api-management-gateways-overview.md

@@ -7,7 +7,7 @@ author: dlepow
 
 ms.service: api-management
 ms.topic: conceptual
-ms.date: 08/04/2022
+ms.date: 02/06/2023
 ms.author: danlep
 ---
 

articles/api-management/media/private-endpoint/add-endpoint-from-instance.png

@@ -1,35 +1,25 @@
 ---
-title: Set up private endpoint for Azure API Management Preview
-description: Learn how to restrict access to an Azure API Management instance by using an Azure private endpoint and Azure Private Link.
+title: Set up inbound private endpoint for Azure API Management
+description: Learn how to restrict inbound access to an Azure API Management instance by using an Azure private endpoint and Azure Private Link.
 ms.service: api-management
 author: dlepow
 ms.author: danlep
 ms.topic: how-to
-ms.date: 03/31/2022
+ms.date: 03/20/2023
 
 ---
 
-# Connect privately to API Management using a private endpoint
+# Connect privately to API Management using an inbound private endpoint
 
-You can configure a [private endpoint](../private-link/private-endpoint-overview.md) for your API Management instance to allow clients in your private network to securely access the instance over [Azure Private Link](../private-link/private-link-overview.md). 
+You can configure an inbound [private endpoint](../private-link/private-endpoint-overview.md) for your API Management instance to allow clients in your private network to securely access the instance over [Azure Private Link](../private-link/private-link-overview.md). 
 
-* The private endpoint uses an IP address from your Azure VNet address space. 
+* The private endpoint uses an IP address from an Azure VNet in which it's hosted.
 
 * Network traffic between a client on your private network and API Management traverses over the VNet and a Private Link on the Microsoft backbone network, eliminating exposure from the public internet.
 
 * Configure custom DNS settings or an Azure DNS private zone to map the API Management hostname to the endpoint's private IP address. 
 
-:::image type="content" source="media/private-endpoint/api-management-private-endpoint.png" alt-text="Diagram that shows a secure connection to API Management using private endpoint.":::
-
-With a private endpoint and Private Link, you can:
-
-- Create multiple Private Link connections to an API Management instance. 
-
-- Use the private endpoint to send inbound traffic on a secure connection. 
-
-- Use policy to distinguish traffic that comes from the private endpoint. 
-
-- Limit incoming traffic only to private endpoints, preventing data exfiltration.
+:::image type="content" source="media/private-endpoint/api-management-private-endpoint.png" alt-text="Diagram that shows a secure inbound connection to API Management using private endpoint.":::
 
 [!INCLUDE [api-management-private-endpoint](../../includes/api-management-private-endpoint.md)]
 
@@ -38,9 +28,9 @@ With a private endpoint and Private Link, you can:
 
 ## Limitations
 
-* Only the API Management instance's Gateway endpoint currently supports Private Link connections. 
-* Each API Management instance currently supports at most 100 Private Link connections.
-* Connections are not supported on the [self-hosted gateway](self-hosted-gateway-overview.md). 
+* Only the API Management instance's Gateway endpoint supports inbound Private Link connections. 
+* Each API Management instance supports at most 100 Private Link connections.
+* Connections aren't supported on the [self-hosted gateway](self-hosted-gateway-overview.md). 
 
 ## Prerequisites
 
@@ -108,7 +98,7 @@ When you use the Azure portal to create a private endpoint, as shown in the next
 
 1. In the left-hand menu, select **Network**.
 
-1. Select **Private endpoint connections** > **+ Add endpoint**.
+1. Select **Inbound private endpoint connections** > **+ Add endpoint**.
 
     :::image type="content" source="media/private-endpoint/add-endpoint-from-instance.png" alt-text="Add a private endpoint using Azure portal":::
 
@@ -120,7 +110,8 @@ When you use the Azure portal to create a private endpoint, as shown in the next
     | Subscription | Select your subscription. |
     | Resource group | Select an existing resource group, or create a new one. It must be in the same region as your virtual network.|
     | **Instance details** |  |
-    | Name  | Enter a name for the endpoint such as **myPrivateEndpoint**. |
+    | Name  | Enter a name for the endpoint such as *myPrivateEndpoint*. |
+    | Network Interface Name | Enter a name for the network interface, such as *myInterface* |
     | Region | Select a location for the private endpoint. It must be in the same region as your virtual network. It may differ from the region where your API Management instance is hosted. |
 
 1. Select the **Resource** tab or the **Next: Resource** button at the bottom of the page. The following information about your API Management instance is already populated:
@@ -132,28 +123,37 @@ When you use the Azure portal to create a private endpoint, as shown in the next
 
     :::image type="content" source="media/private-endpoint/create-private-endpoint.png" alt-text="Create a private endpoint in Azure portal":::
 
-1. Select the **Configuration** tab or the **Next: Configuration** button at the bottom of the screen.
+1. Select the **Virtual Network** tab or the **Next: Virtual Network** button at the bottom of the screen.
 
-1. In **Configuration**, enter or select this information:
+1. In **Networking**, enter or select this information:
 
     | Setting | Value |
     | ------- | ----- |
-    | **Networking** |  |
     | Virtual network | Select your virtual network. |
     | Subnet | Select your subnet. |
-    | **Private DNS integration** |  |
+    | Private IP configuration | In most cases, select **Dynamically allocate IP address.** |
+    | Application security group | Optionally select an [application security group](../virtual-network/application-security-groups.md). |
+
+1. Select the **DNS** tab or the **Next: DNS** button at the bottom of the screen.
+
+1. In **Private DNS integration**, enter or select this information:
+
+    | Setting | Value |
+    | ------- | ----- |
     | Integrate with private DNS zone | Leave the default of **Yes**. |
     | Subscription | Select your subscription. |
     | Resource group | Select your resource group. |
-    | Private DNS zones | Leave the default of **(new) privatelink.azure-api.net**.
+    | Private DNS zones | The default value is displayed: **(new) privatelink.azure-api.net**.
 
-1. Select **Review + create**.
+1. Select the **Tags** tab or the **Next: Tabs** button at the bottom of the screen. If you desire, enter tags to organize your Azure resources.
+
+1.  Select **Review + create**.
 
 1. Select **Create**.
 
 ### List private endpoint connections to the instance
 
-After the private endpoint is created, it appears in the list on the API Management instance's **Private endpoint connections** page in the portal.
+After the private endpoint is created, it appears in the list on the API Management instance's **Inbound private endpoint connections** page in the portal.
 
 You can also use the [Private Endpoint Connection - List By Service](/rest/api/apimanagement/current-ga/private-endpoint-connection/list-by-service) REST API to list private endpoint connections to the service instance.
 
@@ -200,9 +200,12 @@ Use the following JSON body:
 
 After the private endpoint is created, confirm its DNS settings in the portal:
 
-1. In the portal, navigate to the **Private Link Center**.
-1. Select **Private endpoints** and select the private endpoint you created.
+1. Navigate to your API Management service in the [Azure portal](https://portal.azure.com/).
+
+1. In the left-hand menu, select **Network** > **Inbound private endpoint connections**, and select the private endpoint you created.
+
 1. In the left-hand navigation, select **DNS configuration**.
+
 1. Review the DNS records and IP address of the private endpoint. The IP address is a private address in the address space of the subnet where the private endpoint is configured.
 
 ### Test in virtual network
@@ -232,7 +235,7 @@ To connect to 'Microsoft.ApiManagement/service/my-apim-service', please use the
 ## Next steps
 
 * Use [policy expressions](api-management-policy-expressions.md#ref-context-request) with the `context.request` variable to identify traffic from the private endpoint.
-* Learn more about [private endpoints](../private-link/private-endpoint-overview.md) and [Private Link](../private-link/private-link-overview.md).
+* Learn more about [private endpoints](../private-link/private-endpoint-overview.md) and [Private Link](../private-link/private-link-overview.md), including [Private Link pricing](https://azure.microsoft.com/pricing/details/private-link/).
 * Learn more about [managing private endpoint connections](../private-link/manage-private-endpoint.md).
 * [Troubleshoot Azure private endpoint connectivity problems](../private-link/troubleshoot-private-endpoint-connectivity.md).
 * Use a [Resource Manager template](https://azure.microsoft.com/resources/templates/api-management-private-endpoint/) to create an API Management instance and a private endpoint with private DNS integration.