MicrosoftDocs
diff --git a/‎articles/active-directory/develop/quickstart-v2-java-webapp.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/develop/quickstart-v2-java-webapp.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/iot-hub/iot-hub-bulk-identity-mgmt.md
Lines changed: 1 addition & 1 deletion b/‎articles/iot-hub/iot-hub-bulk-identity-mgmt.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/security/develop/index.yml
Lines changed: 55 additions & 52 deletions b/‎articles/security/develop/index.yml
Lines changed: 55 additions & 52 deletions
diff --git a/‎articles/storage/blobs/TOC.yml
Lines changed: 2 additions & 0 deletions b/‎articles/storage/blobs/TOC.yml
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/storage/common/media/storage-private-endpoints/storage-private-endpoints-overview.jpg
199 KB b/‎articles/storage/common/media/storage-private-endpoints/storage-private-endpoints-overview.jpg
199 KB
diff --git a/‎articles/storage/common/storage-network-security.md
Lines changed: 18 additions & 11 deletions b/‎articles/storage/common/storage-network-security.md
Lines changed: 18 additions & 11 deletions
@@ -140,7 +140,7 @@ Add MSAL4J to your application by using Maven or Gradle to manage your dependenc
 <dependency>
     <groupId>com.microsoft.azure</groupId>
     <artifactId>msal4j</artifactId>
-    <version>0.5.0-preview</version>
+    <version>0.6.0-preview</version>
 </dependency>
 ```
 
@@ -171,6 +171,6 @@ To know more about the auth flow for this scenario, see the Oauth 2.0 authorizat
 Help us improve the Microsoft identity platform. Tell us what you think by completing a short two-question survey.
 
 > [!div class="nextstepaction"]
-> [Microsoft identity platform survey](https://forms.office.com/Pages/ResponsePage.aspxid=v4j5cvGGr0GRqy180BHbRyKrNDMV_xBIiPGgSvnbQZdUQjFIUUFGUE1SMEVFTkdaVU5YT0EyOEtJVi4u)
+> [Microsoft identity platform survey](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbRyKrNDMV_xBIiPGgSvnbQZdUQjFIUUFGUE1SMEVFTkdaVU5YT0EyOEtJVi4u)
 
 [!INCLUDE [Help and support](../../../includes/active-directory-develop-help-support-include.md)]
@@ -86,7 +86,7 @@ Only 1 active device import or export job is allowed at a time for all IoT Hub t
 
 ## Export devices
 
-Use the **ExportDevicesAsync** method to export the entirety of an IoT hub identity registry to an [Azure Storage](../storage/index.yml) blob container using a [Shared Access Signature](../storage/common/storage-security-guide.md#data-plane-security).
+Use the **ExportDevicesAsync** method to export the entirety of an IoT hub identity registry to an [Azure Storage](../storage/index.yml) blob container using a [Shared Access Signature](../storage/common/storage-security-guide.md#authorization).
 
 This method enables you to create reliable backups of your device information in a blob container that you control.
 
 
@@ -1,64 +1,67 @@
-### YamlMime:YamlDocument
-documentType: LandingData
+### YamlMime:Landing
+
 title: Secure development documentation
+summary: Learn how to develop and deploy secure applications on Azure with our sample apps, best practices, and guidance.
+
 metadata:
-  document_id: 
   title: Secure development documentation on Microsoft Azure
-  meta.description: Learn how to develop secure apps on Azure.
+  description: Learn how to develop secure apps on Azure.
   services: security
-  author: TerryLanfear
-  manager: rkarlin
   ms.service: security
   ms.subservice: develop
-  ms.tgt_pltfrm: na
-  ms.devlang: na
   ms.topic: landing-page
-  ms.date: 09/30/2019
+  author: TerryLanfear
   ms.author: terrylan
-abstract:
-  description: "Learn how to develop and deploy secure applications on Azure with our sample apps, best practices, and guidance."
+  manager: rkarlin
+  ms.date: 10/24/2019
+
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new
 
-sections:
-- items:
-  - type: list
-    style: cards
-    className: cardsM
-    columns: 2
-    items:
-      - href: /azure/security/develop/secure-dev-overview
-        html: <p>Develop a secure web application on Azure</p>
-        image:
-          src: https://docs.microsoft.com/media/common/i_get-started.svg
-        title: Get started
-      - href: https://docs.microsoft.com/learn/modules/top-5-security-items-to-consider
-        html: <p>Top five security items for web apps</p>
-        image:
-          src: https://docs.microsoft.com/media/common/i_learn-about.svg
-        title: Build your skills with Microsoft Learn
+landingContent:
+# Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+  # Card
+  - title: Develop secure sample apps
+    linkLists:
+      - linkListType: tutorial
+        links:
+          - text: Web app in a Linux container
+            url: secure-web-app.md
+          - text: Web app with Azure Active Directory
+            url: secure-aad-app.md
+          - text: Payment card industry
+            url: secure-pci-web-app.md
 
-- title: Secure sample apps
-  items:
-  - type: list
-    style: unordered
-    className: spaced noBullet
-    items:
-    - html: <a href="/azure/security/develop/secure-web-app">Web app in a Linux container</a>
-    - html: <a href="/azure/security/develop/secure-aad-app">Web app with Azure Active Directory</a>
-    - html: <a href="/azure/security/develop/secure-pci-web-app">Payment card industry</a>
+  # Card
+  - title: Get started
+    linkLists:
+      - linkListType: concept
+        links:
+          - text: Secure development best practices
+            url: secure-dev-overview.md
+          - text: Desgin phase
+            url: secure-design.md
+          - text: Development phase
+            url: secure-develop.md
+          - text: Deployment phase
+            url: secure-deploy.md
 
-- title: Concepts
-  items:
-  - type: list
-    style: unordered
-    className: spaced noBullet
-    items:
-    - html: <a href="/azure/security/develop/secure-dev-overview">Secure development best practices</a>
+  # Card
+  - title: Add analysis tools to your secure development
+    linkLists:
+      - linkListType: concept
+        links:
+          - text: Security code analysis
+            url: security-code-analysis-overview.md
+          - text: Threat modeling
+            url: threat-modeling-tool.md
 
-- title: Resources
-  items:
-  - type: list
-    style: unordered
-    className: spaced noBullet
-    items:
-    - html: <a href="/azure/security/develop/security-code-analysis-overview">Microsoft Security Code Analysis</a>    
-    - html: <a href="/azure/security/develop/threat-modeling-tool">Threat modeling tool</a>    
+  # Card
+  - title: Build your skills
+    linkLists:
+      - linkListType: learn
+        links:
+          - text: Top 5 security items
+            url: https://docs.microsoft.com/learn/modules/top-5-security-items-to-consider
+          - text: Secure your cloud applications in Azure
+            url: https://docs.microsoft.com/learn/paths/secure-your-cloud-apps
@@ -120,6 +120,8 @@
         href: ../common/storage-advanced-threat-protection.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
       - name: Built-in security controls
         href: ../common/storage-security-controls.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
+      - name: Use Azure Private Endpoints
+        href: ../common/storage-private-endpoints.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json  
     - name: Data redundancy
       href: ../common/storage-redundancy.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
       items:
 
@@ -8,30 +8,34 @@ ms.service: storage
 ms.topic: conceptual
 ms.date: 03/21/2019
 ms.author: tamram
-ms.reviewer: cbrooks
+ms.reviewer: santoshc
 ms.subservice: common
 ---
 
 # Configure Azure Storage firewalls and virtual networks
 
-Azure Storage provides a layered security model. This model enables you to secure your storage accounts to a specific subset of networks. When network rules are configured, only applications requesting data over the specified set of networks can access a storage account. You can limit access to your storage account to requests originating from specified IP addresses, IP ranges or from a list of subnets in Azure Virtual Networks.
+Azure Storage provides a layered security model. This model enables you to secure and control the level of access to your storage accounts that your applications and enterprise environments demand, based on the type and subset of networks used. When network rules are configured, only applications requesting data over the specified set of networks can access a storage account. You can limit access to your storage account to requests originating from specified IP addresses, IP ranges or from a list of subnets in an Azure Virtual Network (VNet).
 
-An application that accesses a storage account when network rules are in effect requires proper authorization for the request. Authorization is supported with Azure Active Directory (Azure AD) credentials for blobs and queues, with a valid account access key, or with an SAS token.
+Storage accounts have a public endpoint that is accessible through the internet. You can also create [Private Endpoints for your storage account](storage-private-endpoints.md), which assigns a private IP address from your VNet to the storage account, and secures all traffic between your VNet and the storage account over a private link. The Azure storage firewall provides access control access for the public endpoint of your storage account. You can also use the firewall to block all access through the public endpoint when using private endpoints. Your storage firewall configuration also enables select trusted Azure platform services to access the storage account securely.
+
+An application that accesses a storage account when network rules are in effect still requires proper authorization for the request. Authorization is supported with Azure Active Directory (Azure AD) credentials for blobs and queues, with a valid account access key, or with an SAS token.
 
 > [!IMPORTANT]
-> Turning on firewall rules for your storage account blocks incoming requests for data by default, unless the requests originate from a service operating within an Azure Virtual Network (VNet). Requests that are blocked include those from other Azure services, from the Azure portal, from logging and metrics services, and so on.
+> Turning on firewall rules for your storage account blocks incoming requests for data by default, unless the requests originate from a service operating within an Azure Virtual Network (VNet) or from allowed public IP addresses. Requests that are blocked include those from other Azure services, from the Azure portal, from logging and metrics services, and so on.
 >
-> You can grant access to Azure services that operate from within a VNet by allowing traffic from the subnet hosting the service instance. You can also enable a limited number of scenarios through the [Exceptions](#exceptions) mechanism described in the following section. To access data from the storage account through the Azure portal, you would need to be on a machine within the trusted boundary (either IP or VNet) that you set up.
+> You can grant access to Azure services that operate from within a VNet by allowing traffic from the subnet hosting the service instance. You can also enable a limited number of scenarios through the [Exceptions](#exceptions) mechanism described below. To access data from the storage account through the Azure portal, you would need to be on a machine within the trusted boundary (either IP or VNet) that you set up.
 
 [!INCLUDE [updated-for-az](../../../includes/updated-for-az.md)]
 
 ## Scenarios
 
-To secure your storage account, you should first configure a rule to deny access to traffic from all networks (including internet traffic) by default. Then, you should configure rules that grant access to traffic from specific VNets. This configuration enables you to build a secure network boundary for your applications. You can also configure rules to grant access to traffic from select public internet IP address ranges, enabling connections from specific internet or on-premises clients.
+To secure your storage account, you should first configure a rule to deny access to traffic from all networks (including internet traffic) on the public endpoint, by default. Then, you should configure rules that grant access to traffic from specific VNets. You can also configure rules to grant access to traffic from select public internet IP address ranges, enabling connections from specific internet or on-premises clients. This configuration enables you to build a secure network boundary for your applications.
 
-Network rules are enforced on all network protocols to Azure storage, including REST and SMB. To access data using tools such as the Azure portal, Storage Explorer, and AZCopy, explicit network rules must be configured.
+You can combine firewall rules that allow access from specific virtual networks and from public IP address ranges on the same storage account. Storage firewall rules can be applied to existing storage accounts, or when creating new storage accounts.
 
-You can apply network rules to existing storage accounts, or when you create new storage accounts.
+Storage firewall rules apply to the public endpoint of a storage account. You don't need any firewall access rules to allow traffic for private endpoints of a storage account. The process of approving the creation of a private endpoint grants implicit access to traffic from the subnet that hosts the private endpoint.
+
+Network rules are enforced on all network protocols to Azure storage, including REST and SMB. To access data using tools such as the Azure portal, Storage Explorer, and AZCopy, explicit network rules must be configured.
 
 Once network rules are applied, they're enforced for all requests. SAS tokens that grant access to a specific IP address serve to limit the access of the token holder, but don't grant new access beyond configured network rules.
 
@@ -215,7 +219,7 @@ You can manage virtual network rules for storage accounts through the Azure port
     ```
 
     > [!TIP]
-    > To add a rule for a subnet in a VNet belonging to another Azure AD tenant, use a fully-qualified subnet ID in the form "/subscriptions/subscription-ID/resourceGroups/resourceGroup-Name/providers/Microsoft.Network/virtualNetworks/vNet-name/subnets/subnet-name".
+    > To add a rule for a subnet in a VNet belonging to another Azure AD tenant, use a fully-qualified subnet ID in the form "/subscriptions/\<subscription-ID\>/resourceGroups/\<resourceGroup-Name\>/providers/Microsoft.Network/virtualNetworks/\<vNet-name\>/subnets/\<subnet-name\>".
     > 
     > You can use the **subscription** parameter to retrieve the subnet ID for a VNet belonging to another Azure AD tenant.
 
@@ -243,9 +247,12 @@ IP network rules are only allowed for **public internet** IP addresses. IP addre
    > [!NOTE]
    > IP network rules have no effect on requests originating from the same Azure region as the storage account. Use [Virtual network rules](#grant-access-from-a-virtual-network) to allow same-region requests.
 
-Only IPV4 addresses are supported at this time.
+  > [!NOTE]
+  > Services deployed in the same region as the storage account use private Azure IP addresses for communication. Thus, you cannot restrict access to specific Azure services based on their public inbound IP address range.
+
+Only IPV4 addresses are supported for configuration of storage firewall rules.
 
-Each storage account supports up to 100 IP network rules, which may be combined with [Virtual network rules](#grant-access-from-a-virtual-network).
+Each storage account supports up to 100 IP network rules.
 
 ### Configuring access from on-premises networks