Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into APBIE

Author: markingmyname

articles/app-service/app-service-ip-restrictions.md

@@ -1,7 +1,7 @@
 ---
 title: "Azure App Service IP Restrictions | Microsoft Docs" 
 description: "How to use IP restrictions with Azure App Service" 
-author: btardif
+author: ccompy
 manager: stefsch
 editor: ''
 services: app-service\web
@@ -13,28 +13,66 @@ ms.workload: web
 ms.tgt_pltfrm: na
 ms.devlang: multiple
 ms.topic: article
-ms.date: 10/23/2017
-ms.author: byvinyal
+ms.date: 7/30/2018
+ms.author: ccompy
 
 ---
 # Azure App Service Static IP Restrictions #
 
-IP Restrictions allow you to define a list of IP addresses that are allowed to access your app. The allow list can include individual IP addresses or a range of IP addresses defined by a subnet mask.
+IP Restrictions allow you to define a priority ordered allow/deny list of IP addresses that are allowed to access your app. The allow list can include IPv4 and IPv6 addresses. When there are one or more entries, there is then an implicit deny all that exists at the end of the list. 
 
-When a request to the app is generated from a client, the IP address is evaluated against the allow list. If the IP address is not in the list, the app replies with an [HTTP 403](https://en.wikipedia.org/wiki/HTTP_403) status code.
+The IP Restrictions capability works with all App Service hosted work loads, which include; web apps, api apps, linux apps, linux container apps, and Functions. 
 
-IP Restrictions are defined in the web.config that your app consumes at runtime (more exactly, restrictions are inserted in a set of allowed IP addresses in applicationHost.config file, so if you also add a set of allowed IP addresses in web.config file, they will take precedence). Under certain circumstances, some module might be executed before IP restrictions logic in the HTTP pipeline. When this happens, the request fails with a different HTTP error code.
+When a request is made to your app, the FROM IP address is evaluated against the IP Restrictions list. If the address is not allowed access based on the rules in the list, the service replies with an [HTTP 403](https://en.wikipedia.org/wiki/HTTP_403) status code.
 
-IP Restrictions are evaluated on the same App Service plan instances assigned to your app.
+The IP Restrictions capability is implemented in the App Service front-end roles, which are upstream of the worker hosts where your code runs. IP Restrictions are therefor effectively network ACLs.  
+
+![IP restrictions flow](media/app-service-ip-restrictions/ip-restrictions-flow.png)
+
+For a time, the IP Restrictions capability in the portal was a layer on top of the ipSecurity capability in IIS. The current IP Restrictions capability is different. You can still configure ipSecurity within your application web.config but the front-end based IP Restrictions rules will be applied before any traffic reaches IIS.
+
+## Adding and editing IP Restriction rules in the portal ##
 
 To add an IP restriction rule to your app, use the menu to open **Network**>**IP Restrictions** and click on **Configure IP Restrictions**
 
-![IP restrictions](media/app-service-ip-restrictions/ip-restrictions.png)  
+![App Service networking options](media/app-service-ip-restrictions/ip-restrictions.png)  
+
+From the IP Restrictions UI, you can review the list of IP restriction rules defined for your app.
+
+![list IP restrictions](media/app-service-ip-restrictions/ip-restrictions-browse.png)
+
+If your rules were configured as in this image, then your app would only accept traffic from 131.107.159.0/24 and would be denied from any other IP address.
+
+You can click on **[+] Add** to add a new IP restriction rule. Once you add a rule, it will become effective immediately. Rules are enforced in priority order starting from the lowest number and going up. There is an implicit deny all that is in effect once you add even a single rule. 
+
+![add an IP restriction rule](media/app-service-ip-restrictions/ip-restrictions-add.png)
+
+IP Address notation must be specified in CIDR notation for both IPv4 and IPv6 addresses. To specify an exact address, you can use something like 1.2.3.4/32 where the first four octets represent your IP address and /32 is the mask. The IPv4 CIDR notation for all addresses is 0.0.0.0/0. To learn more about CIDR notation, you can read [Classless Inter-Domain Routing](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing).  
+
+You can click on any row to edit an existing IP restriction rule. Edits are effective immediately including changes in priority ordering.
+
+![edit an IP restriction rule](media/app-service-ip-restrictions/ip-restrictions-edit.png)
+
+To delete a rule, click the **...** on your rule and then click **remove**. 
+
+![delete IP restriction rule](media/app-service-ip-restrictions/ip-restrictions-delete.png)
+
+## Programmatic manipulation of IP restriction rules ##
+
+There currently is no CLI or PowerShell for the new IP Restrictions capability but the values can be set manually with a PUT operation on the app configuration in Resource Manager. As an example, you can use resources.azure.com and edit the ipSecurityRestrictions block to add the required JSON. 
 
-From here, you can review the list of IP restriction rules defined for your app.
+The location for this information in Resource Manager is:
 
-![list IP restrictions](media/app-service-ip-restrictions/browse-ip-restrictions.png)
+management.azure.com/subscriptions/**subscription ID**/resourceGroups/**resource groups**/providers/Microsoft.Web/sites/**web app name**/config/web?api-version=2018-02-01
 
-You can click on **[+] Add** to add a new IP restriction rule.
+The JSON syntax for the earlier example is:
 
-![add IP restrictions](media/app-service-ip-restrictions/add-ip-restrictions.png)
+    "ipSecurityRestrictions": [
+      {
+        "ipAddress": "131.107.159.0/24",
+        "action": "Allow",
+        "tag": "Default",
+        "priority": 100,
+        "name": "allowed access"
+      }
+    ],

articles/app-service/media/app-service-ip-restrictions/ip-restrictions-add.png

@@ -4,7 +4,7 @@ description: Azure Policy is a service in Azure, that you use to create, assign
 services: azure-policy
 author: DCtheGeek
 ms.author: dacoulte
-ms.date: 05/24/2018
+ms.date: 07/31/2018
 ms.topic: overview
 ms.service: azure-policy
 manager: carmonm
@@ -183,11 +183,11 @@ the subscription or the management group.
 | Scope | Policy Definitions | 250 |
 | Scope | Initiative Definitions | 100 |
 | Tenant | Initiative Definitions | 1000 |
-| Scope | Policy Assignment | 100 |
+| Scope | Policy/Initiative Assignments | 100 |
 | Policy Definition | Parameters | 20 |
 | Initiative Definition | Policies | 100 |
 | Initiative Definition | Parameters | 100 |
-| Policy Assignment | Exclusions (notScopes) | 100 |
+| Policy/Initiative Assignments | Exclusions (notScopes) | 100 |
 | Policy Rule | Nested Conditionals | 512 |
 
 ## Recommendations for managing policies

articles/app-service/media/app-service-ip-restrictions/ip-restrictions-browse.png

@@ -214,6 +214,8 @@
       items:
       - name: Use Azure portal
         href: iot-hub-create-through-portal.md
+      - name: Use Azure IoT Toolkit for VS Code
+        href: iot-hub-create-use-iot-toolkit.md
       - name: Use Azure PowerShell
         href: iot-hub-create-using-powershell.md
       - name: Use Azure CLI

articles/app-service/media/app-service-ip-restrictions/ip-restrictions-delete.png

@@ -0,0 +1,55 @@
+---
+title: Create an Azure IoT Hub using Azure IoT Toolkit for VS Code | Microsoft Docs
+description: How to use Azure IoT Toolkit for VS Code to create an IoT hub.
+author: formulahendry
+ms.service: iot-hub
+services: iot-hub
+ms.topic: conceptual
+ms.date: 07/30/2018
+ms.author: junhan
+---
+
+# Create an IoT hub using the Azure IoT Toolkit for Visual Studio Code
+
+[!INCLUDE [iot-hub-resource-manager-selector](../../includes/iot-hub-resource-manager-selector.md)]
+
+You can use [Azure IoT Toolkit for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-toolkit) to create Azure IoT hubs. This article shows you how to create an IoT hub with Azure IoT Toolkit.
+
+To complete this article, you need the following:
+
+* An active Azure account.
+- [Visual Studio Code](https://code.visualstudio.com/)
+- [Azure IoT Toolkit](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-toolkit)
+
+## Create an IoT hub
+
+1. In Visual Studio Code, open the **Explorer** view.
+
+2. At the bottom of the Explorer, expand the **Azure IoT Hub Devices** section. 
+
+   ![Expand Azure IoT Hub Devices](./media/iot-hub-create-use-iot-toolkit/azure-iot-hub-devices.png)
+
+3. Click on the **...** in the **Azure IoT Hub Devices** section header. If you don't see the ellipsis, hover over the header. 
+
+4. Choose **Create IoT Hub**.
+
+5. A pop-up will show in the bottom right corner to let you sign in to Azure for the first time.
+
+6. Select Azure subscription. 
+
+7. Select resource group.
+
+8. Select location.
+
+9. Select pricing tier.
+
+10. Enter a globally unique name for your IoT Hub.
+
+11. Wait a few minutes until the IoT Hub is created.
+
+## Next steps
+
+Now you have deployed an IoT hub using Azure IoT Toolkit for Visual Studio Code, you may want to explore further:
+
+* [Use Azure IoT Toolkit extension for Visual Studio Code to send and receive messages between your device and IoT Hub](iot-hub-vscode-iot-toolkit-cloud-device-messaging.md).
+* [Wiki page](https://github.com/microsoft/vscode-azure-iot-toolkit/wiki) for Azure IoT Toolkit.