Merge branch 'master' of https://github.com/Microsoft/azure-docs-pr into issue12574

KumudD · KumudD · commit 2d871d0c3f35 · 2018-08-02T14:19:07.000-07:00
diff --git a/articles/backup/backup-introduction-to-azure-backup.md b/articles/backup/backup-introduction-to-azure-backup.md
@@ -7,7 +7,7 @@ manager: carmonm
 keywords: backup and restore; recovery services; backup solutions
 ms.service: backup
 ms.topic: overview
-ms.date: 3/1/2018
+ms.date: 8/2/2018
 ms.author: markgal
 ms.custom: mvc
 ---
@@ -151,8 +151,8 @@ With **Full Backup**, each backup copy contains the entire data source. Full bac
 ### Security
 | Feature | Azure Backup agent | System Center DPM | Azure Backup Server | Azure IaaS VM Backup |
 | --- | --- | --- | --- | --- |
-| Network security<br/> (to Azure) |![Yes][green] |![Yes][green] |![Yes][green] |![Partially][yellow] |
-| Data security<br/> (in Azure) |![Yes][green] |![Yes][green] |![Yes][green] |![Partially][yellow] |
+| Network security<br/> (to Azure) |![Yes][green] |![Yes][green] |![Yes][green] |![Yes][green] |
+| Data security<br/> (in Azure) |![Yes][green] |![Yes][green] |![Yes][green] |![Yes][green] |
 
 ![table key](./media/backup-introduction-to-azure-backup/table-key.png)
 
@@ -165,7 +165,7 @@ All backup traffic from your servers to the Recovery Services vault is encrypted
 >
 
 #### Data security
-Backing up Azure VMs requires setting up encryption *within* the virtual machine. Use BitLocker on Windows virtual machines and **dm-crypt** on Linux virtual machines. Azure Backup does not automatically encrypt backup data that comes through this path.
+Backing up Azure VMs requires setting up encryption *within* the virtual machine. Azure Backup supports Azure Disk Encryption, which uses BitLocker on Windows virtual machines and **dm-crypt** on Linux virtual machines. On the back end, Azure Backup uses [Azure Storage Service encryption](../storage/common/storage-service-encryption.md), which protects data at rest.
 
 ### Network
 | Feature | Azure Backup agent | System Center DPM | Azure Backup Server | Azure IaaS VM Backup |
diff --git a/articles/cosmos-db/performance-tips.md b/articles/cosmos-db/performance-tips.md
@@ -130,9 +130,10 @@ So if you're asking "How can I improve my database performance?" consider the fo
     If you are testing at high throughput levels (>50,000 RU/s), the client application may become the bottleneck due to the machine capping out on CPU or Network utilization. If you reach this point, you can continue to push the Azure Cosmos DB account further by scaling out your client applications across multiple servers.
 8. **Cache document URIs for lower read latency**
 
-    Cache document URIs whenever possible for the best read performance.
+    Cache document URIs whenever possible for the best read performance. You have to define logic to cache the resourceid when you create the resource. Resourceid based lookups are faster than name based lookups, so caching these values improves the performance. 
+
    <a id="tune-page-size"></a>
-9. **Tune the page size for queries/read feeds for better performance**
+1. **Tune the page size for queries/read feeds for better performance**
 
     When performing a bulk read of documents using read feed functionality (for example, ReadDocumentFeedAsync) or when issuing a SQL query, the results are returned in a segmented fashion if the result set is too large. By default, results are returned in chunks of 100 items or 1 MB, whichever limit is hit first.
 
diff --git a/articles/storage/common/storage-service-encryption-customer-managed-keys.md b/articles/storage/common/storage-service-encryption-customer-managed-keys.md
@@ -1,6 +1,6 @@
 ---
 title: Azure Storage Service Encryption using customer-managed keys in Azure Key Vault | Microsoft Docs
-description: Use the Azure Storage Service Encryption feature to encrypt Azure Blob storage, Azure Files, Azure Queue storage, and Azure Table storage on the service side when storing the data, and decrypt it when retrieving the data using customer-managed keys.
+description: Use the Azure Storage Service Encryption feature to encrypt Azure Blob storage and Azure Files on the service side when storing the data, and decrypt it when retrieving the data using customer-managed keys.
 services: storage
 author: lakasa
 manager: jeconnoc
@@ -19,7 +19,7 @@ You can use Microsoft-managed encryption keys with SSE or you can use your own e
 SSE for Azure Blob storage and Azure Files is integrated with Azure Key Vault, so that you can use a key vault to manage your encryption keys. You can create your own encryption keys and store them in a key vault, or you can use Azure Key Vault's APIs to generate encryption keys. With Azure Key Vault, you can manage and control your keys and also audit your key usage.
 
 > [!Note]  
-> Storage Service Encryption is not available for [Azure Managed Disks](../../virtual-machines/windows/managed-disks-overview.md). We recommend you use encryption on the OS level, such as [Azure Disk Encryption](../../security/azure-security-disk-encryption-overview.md), which uses industry-standard [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) on Windows and [DM-Crypt](https://en.wikipedia.org/wiki/Dm-crypt) on Linux to provide encryption integrated with KeyVault.
+> Storage Service Encryption using customer-managed keys is not available for [Azure Managed Disks](../../virtual-machines/windows/managed-disks-overview.md). [Azure Disk Encryption](../../security/azure-security-disk-encryption-overview.md) uses industry-standard [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) on Windows and [DM-Crypt](https://en.wikipedia.org/wiki/Dm-crypt) on Linux to provide an encryption solution integrated with KeyVault.
 
 Why create your own keys? Custom keys give you more flexibility, so that you can create, rotate, disable, and define access controls. Custom keys also enable you to audit the encryption keys used to protect your data.
 
@@ -117,7 +117,7 @@ Yes.
 There is a cost associated for using Azure Key Vault. For more details, visit [Key Vault Pricing](https://azure.microsoft.com/pricing/details/key-vault/). There is no additional cost for SSE, which is enabled for all storage accounts.
 
 **Is Storage Service Encryption available on Azure Managed Disks?**  
-No, Storage Service Encryption is not available for [Azure Managed Disks](../../virtual-machines/windows/managed-disks-overview.md). We recommend you use encryption on the OS level, such as [Azure Disk Encryption](../../security/azure-security-disk-encryption-overview.md), which uses industry-standard [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) on Windows and [DM-Crypt](https://en.wikipedia.org/wiki/Dm-crypt) on Linux to provide encryption integrated with KeyVault.
+Storage Service Encryption is available for Azure Managed Disks with Microsoft-managed keys, but not with customer managed keys. In lieu of Managed Disks supporting SSE with customer-managed keys, we recommend [Azure Disk Encryption](../../security/azure-security-disk-encryption-overview.md), which uses industry-standard [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) on Windows and [DM-Crypt](https://en.wikipedia.org/wiki/Dm-crypt) on Linux to provide encryption integrated with KeyVault.
 
 **How is Storage Service Encryption different from Azure Disk Encryption?**  
 Azure Disk Encryption provides integration between OS-based solutions like BitLocker and DM-Crypt and Azure KeyVault. Storage Service Encryption provides encryption natively at the Azure storage platform layer, below the virtual machine.
diff --git a/articles/storage/common/storage-service-encryption.md b/articles/storage/common/storage-service-encryption.md
@@ -1,6 +1,6 @@
 ---
 title: Azure Storage Service Encryption for data at rest | Microsoft Docs
-description: Use the Azure Storage Service Encryption feature to encrypt Azure Blob storage on the service side when storing the data, and decrypt it when retrieving the data.
+description: Use the Azure Storage Service Encryption feature to encrypt Azure Managed Disks, Azure Blob storage, Azure Files, Azure Queue storage, and Azure Table storage on the service side when storing the data, and decrypt it when retrieving the data.
 services: storage
 author: lakasa
 manager: jeconnoc
@@ -12,19 +12,21 @@ ms.author: lakasa
 ---
 
 # Azure Storage Service Encryption for data at rest
-Azure Storage Service Encryption for data at rest helps you protect your data to meet your organizational security and compliance commitments. With this feature, the Azure storage platform automatically encrypts your data before persisting it to Azure Blob storage, Azure Files, or Azure Queue storage, and decrypts the data before retrieval. The handling of encryption, encryption at rest, decryption, and key management in Storage Service Encryption is transparent to users. All data written to the Azure storage platform is encrypted through 256-bit [AES encryption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard), one of the strongest block ciphers available.
+Azure Storage Service Encryption for data at rest helps you protect your data to meet your organizational security and compliance commitments. With this feature, the Azure storage platform automatically encrypts your data before persisting it to Azure Managed Disks, Azure Blob storage, Azure Files, or Azure Queue storage, and decrypts the data before retrieval. The handling of encryption, encryption at rest, decryption, and key management in Storage Service Encryption is transparent to users. All data written to the Azure storage platform is encrypted through 256-bit [AES encryption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard), one of the strongest block ciphers available.
 
 Storage Service Encryption is enabled for all new and existing storage accounts and cannot be disabled. Because your data is secured by default, you don't need to modify your code or applications to take advantage of Storage Service Encryption.
 
 The feature automatically encrypts data in:
 
-- Azure Blob storage, Azure Files, Azure Queue storage, Azure Table storage.  
+- Azure storage services:
+    - Azure Managed Disks
+    - Azure Blob storage
+    - Azure Files
+    - Azure Queue storage
+    - Azure Table storage.  
 - Both performance tiers (Standard and Premium).
 - Both deployment models (Azure Resource Manager and classic).
 
-> [!Note]  
-> Storage Service Encryption is not available for [Azure Managed Disks](../../virtual-machines/windows/managed-disks-overview.md). We recommend you use encryption on the OS level, such as [Azure Disk Encryption](../../security/azure-security-disk-encryption-overview.md), which uses industry-standard [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) on Windows and [DM-Crypt](https://en.wikipedia.org/wiki/Dm-crypt) on Linux to provide encryption integrated with KeyVault.
-
 Storage Service Encryption does not affect the performance of Azure storage services.
 
 You can use Microsoft-managed encryption keys with Storage Service Encryption, or you can use your own encryption keys. For more information about using your own keys, see [Storage Service Encryption using customer-managed keys in Azure Key Vault](storage-service-encryption-customer-managed-keys.md).
@@ -51,14 +53,11 @@ Encryption is enabled by default, and there is no provision to disable encryptio
 There is no additional cost.
 
 **Can I use my own encryption keys?**  
-Yes, you can use your own encryption keys. For more information, see [Storage Service Encryption using customer-managed keys in Azure Key Vault](storage-service-encryption-customer-managed-keys.md).
+For Azure Blob storage and Azure Files, yes, you can use your own encryption keys. Customer-managed keys are not currently supported by Azure Managed Disks. For more information, see [Storage Service Encryption using customer-managed keys in Azure Key Vault](storage-service-encryption-customer-managed-keys.md).
 
 **Can I revoke access to the encryption keys?**  
 Yes, if you [use your own encryption keys](storage-service-encryption-customer-managed-keys.md) in Azure Key Vault.
 
-**Is Storage Service Encryption available on Azure Managed Disks?**  
-No, Storage Service Encryption is not available for [Azure Managed Disks](../../virtual-machines/windows/managed-disks-overview.md). We recommend you use encryption on the OS level, such as [Azure Disk Encryption](../../security/azure-security-disk-encryption-overview.md), which uses industry-standard [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) on Windows and [DM-Crypt](https://en.wikipedia.org/wiki/Dm-crypt) on Linux to provide encryption integrated with KeyVault.
-
 **How is Storage Service Encryption different from Azure Disk Encryption?**  
 Azure Disk Encryption provides integration between OS-based solutions like BitLocker and DM-Crypt and Azure KeyVault. Storage Service Encryption provides encryption natively at the Azure storage platform layer, below the virtual machine.
 
