Merge pull request #107077 from kummanish/master

Updating the doc for the new features added

Author: megvanhuygen

articles/mariadb/TOC.yml

@@ -138,6 +138,14 @@
       href: howto-auto-grow-storage-portal.md
     - name: Azure CLI
       href: howto-auto-grow-storage-cli.md  
+  - name: Deny Public Network Access
+    items:
+    - name: Azure portal
+      href: howto-deny-public-network-access.md
+  - name: Minimum TLS configuration
+    items:
+    - name: Azure portal
+      href: howto-tls-configurations.md
   - name: Access server logs
     items:
     - name: Slow query logs

articles/mariadb/concepts-data-access-security-private-link.md

@@ -1,16 +1,16 @@
 ---
-title: Private Link for Azure Database for MariaDB (Preview)
+title: Private Link - Azure Database for MariaDB
 description: Learn how Private link works for Azure Database for MariaDB.
 author: kummanish
 ms.author: manishku
 ms.service: mariadb
 ms.topic: conceptual
-ms.date: 01/09/2020
+ms.date: 03/10/2020
 ---
 
-# Private Link for Azure Database for MariaDB (Preview)
+# Private Link for Azure Database for MariaDB
 
-Private Link allows you to connect to various PaaS services in Azure via a private endpoint. Azure Private Link essentially brings Azure services inside your private Virtual Network (VNet). The PaaS resources can be accessed using the private IP address just like any other resource in the VNet.
+Private Link allows you to create private endpoints for Azure Database for MariaDB and so brings Azure services inside your private Virtual Network (VNet). The private endpoint exposes a private IP you can use to connect to your Azure Database for MariaDB database server just like any other resource in the VNet.
 
 For a list to PaaS services that support Private Link functionality, review the Private Link [documentation](https://docs.microsoft.com/azure/private-link/index). A private endpoint is a private IP address within a specific [VNet](https://docs.microsoft.com/azure/virtual-network/virtual-networks-overview) and Subnet.
 
@@ -46,42 +46,39 @@ With Private Link, you can enable cross-premises access to the private endpoint
 
 ### Creation Process
 
-Private Endpoints are required to enable Private Link. This can be done using the following how-to guides.
+Private endpoints are required to enable Private Link. This can be done using the following how-to guides.
 
 * [Azure portal](https://docs.microsoft.com/azure/mariadb/howto-configure-privatelink-portal)
 * [CLI](https://docs.microsoft.com/azure/mariadb/howto-configure-privatelink-cli)
 
 ### Approval Process
 
-Once the network admin creates the Private Endpoint (PE), the admin can manage the Private Endpoint Connection (PEC) to Azure Database for MariaDB.
-
-> [!NOTE]
-> Currently, Azure Database for MariaDB only supports auto-approval for the private endpoint.
+Once the network admin creates the private endpoint (PE), the admin can manage the private endpoint Connection (PEC) to Azure Database for MariaDB. This separation of duties between the network admin and the DBA is helpful for management of the Azure Database for MariaDB connectivity. 
 
 * Navigate to the Azure Database for MariaDB server resource in the Azure portal. 
-    * Select the Private endpoint connections in the left pane
-    * Shows a list of all Private Endpoint Connections (PECs)
-    * Corresponding Private Endpoint (PE) created
+    * Select the private endpoint connections in the left pane
+    * Shows a list of all private endpoint Connections (PECs)
+    * Corresponding private endpoint (PE) created
 
-![select the Private endpoint portal](media/concepts-data-access-and-security-private-link/select-private-link-portal.png)
+![select the private endpoint portal](media/concepts-data-access-and-security-private-link/select-private-link-portal.png)
 
 * Select an individual PEC from the list by selecting it.
 
-![select the Private endpoint pending approval](media/concepts-data-access-and-security-private-link/select-private-link.png)
+![select the private endpoint pending approval](media/concepts-data-access-and-security-private-link/select-private-link.png)
 
 * The MariaDB server admin can choose to approve or reject a PEC and optionally add a short text response.
 
-![select the Private endpoint message](media/concepts-data-access-and-security-private-link/select-private-link-message.png)
+![select the private endpoint message](media/concepts-data-access-and-security-private-link/select-private-link-message.png)
 
 * After approval or rejection, the list will reflect the appropriate state along with the response text
 
-![select the Private endpoint final state](media/concepts-data-access-and-security-private-link/show-private-link-approved-connection.png)
+![select the private endpoint final state](media/concepts-data-access-and-security-private-link/show-private-link-approved-connection.png)
 
 ## Use cases of Private Link for Azure Database for MariaDB
 
-Clients can connect to the Private endpoint from the same VNet, peered VNet in same region, or via VNet-to-VNet connection across regions. Additionally, clients can connect from on-premises using ExpressRoute, private peering, or VPN tunneling. Below is a simplified diagram showing the common use cases.
+Clients can connect to the private endpoint from the same VNet, peered VNet in same region, or via VNet-to-VNet connection across regions. Additionally, clients can connect from on-premises using ExpressRoute, private peering, or VPN tunneling. Below is a simplified diagram showing the common use cases.
 
-![select the Private endpoint overview](media/concepts-data-access-and-security-private-link/show-private-link-overview.png)
+![select the private endpoint overview](media/concepts-data-access-and-security-private-link/show-private-link-overview.png)
 
 ### Connecting from an Azure VM in Peered Virtual Network (VNet)
 Configure [VNet peering](https://docs.microsoft.com/azure/virtual-network/tutorial-connect-virtual-networks-powershell) to establish connectivity to the Azure Database for MariaDB from an Azure VM in a peered VNet.
@@ -106,6 +103,19 @@ The following situations and outcomes are possible when you use Private Link in
 
 * If you don't configure any public traffic or service endpoint and you create private endpoints, then the Azure Database for MariaDB is accessible only through the private endpoints. If you don't configure public traffic or a service endpoint, after all approved private endpoints are rejected or deleted, no traffic will be able to access the Azure Database for MariaDB.
 
+## Deny public access for Azure Database for MariaDB
+
+If you want to rely completely only on private endpoints for accessing their Azure Database for MariaDB, you can disable setting all public endpoints ([firewall rules](concepts-firewall-rules.md) and [VNet service endpoints](concepts-data-access-security-vnet.md)) by setting the **Deny Public Network Access** configuration on the database server. 
+
+When this setting is set to *YES*, only connections via private endpoints are allowed to your Azure Database for MariaDB. When this setting is set to *NO*, clients can connect to your Azure Database for MariaDB based on your firewall or VNet service endpoint settings. Additionally, once the value of the Private network access is set, you cannot add and/or update existing firewall and VNet service endpoint rules.
+
+> [!Note]
+> This feature is available in all Azure regions where Azure Database for PostgreSQL - Single server supports General Purpose and Memory Optimized pricing tiers.
+>
+> This setting does not have any impact on the SSL and TLS configurations for your Azure Database for MariaDB.
+
+To learn how to set the **Deny Public Network Access** for your Azure Database for MariaDB from Azure portal, refer to [How to configure Deny Public Network Access](howto-deny-public-network-access.md).
+
 ## Next steps
 
 To learn more about Azure Database for MariaDB security features, see the following articles:

articles/mariadb/concepts-ssl-connection-security.md

@@ -5,7 +5,7 @@ author: ajlam
 ms.author: andrela
 ms.service: mariadb
 ms.topic: conceptual
-ms.date: 12/02/2019
+ms.date: 03/10/2020
 ---
 
 # SSL connectivity in Azure Database for MariaDB
@@ -20,6 +20,32 @@ Connection strings for various programming languages are shown in the Azure port
 
 To learn how to enable or disable SSL connection when developing application, refer to [How to configure SSL](howto-configure-ssl.md).
 
+## TLS connectivity in Azure Database for MariaDB
+
+Azure Database for MariaDB supports encryption for clients connecting to your database server using Transport Layer Security (TLS). TLS is an industry standard protocol that ensures secure network connections between your database server and client applications, allowing you to adhere to compliance requirements.
+
+### TLS settings
+
+Azure Database for MariaDB provides the ability to enforce the TLS version for the client connections. To use the TLS option, use the **Minimum TLS version** option setting. The following values are allowed for this option setting:
+
+|  Minimum TLS Setting             | TLS Version supported                |
+|:---------------------------------|-------------------------------------:|
+| TLSEnforcementDisabled (default) | No TLS required                      |
+| TLS1_0                           | TLS 1.0, TLS 1.1, TLS 1.2 and higher |
+| TLS1_1                           | TLS 1.1, TLS 1.2 and higher          |
+| TLS1_2                           | TLS version 1.2 and higher           |
+
+
+For example, setting this Minimum TLS setting version to TLS 1.0 means your server will allow connections from clients using TLS 1.0, 1.1, and 1.2+. Alternatively, setting this to 1.2 means that you only allow connections from clients using TLS 1.2 and all connections with TLS 1.0 and TLS 1.1 will be rejected.
+
+> [!Note] 
+> Azure Database for MariaDB defaults to TLS being disabled for all new servers.
+>
+> Currently the TLS versions supported byAzure Database for MariaDB are TLS 1.0, 1.1, and 1.2.
+
+To learn how to set the TLS setting for your Azure Database for MariaDB, refer to [How to configure TLS setting](howto-tls-configurations.md).
+
 ## Next steps
 - Learn more about [server firewall rules](concepts-firewall-rules.md)
 - Learn how to [configure SSL](howto-configure-ssl.md).
+- Learn how to [configure TLS](howto-tls-configurations.md).

articles/mariadb/howto-configure-privatelink-cli.md

@@ -1,5 +1,5 @@
 ---
-title: Private Link for Azure Database for MariaDB (Preview) CLI setup method
+title: Private Link - Azure CLI - Azure Database for MariaDB
 description: Learn how to configure private link for Azure Database for MariaDB from Azure CLI
 author: kummanish
 ms.author: manishku
@@ -8,7 +8,7 @@ ms.topic: conceptual
 ms.date: 01/09/2020
 ---
 
-# Create and manage Private Link for Azure Database for MariaDB (Preview) using CLI
+# Create and manage Private Link for Azure Database for MariaDB using CLI
 
 A Private Endpoint is the fundamental building block for private link in Azure. It enables Azure resources, like Virtual Machines (VMs), to communicate privately with private link resources. In this article, you will learn how to use the Azure CLI to create a VM in an Azure Virtual Network and an Azure Database for MariaDB server with an Azure private endpoint.
 

articles/mariadb/howto-configure-privatelink-portal.md

@@ -1,5 +1,5 @@
 ---
-title: Private Link for Azure Database for MariaDB (Preview) portal setup method
+title: Private Link - Azure portal - Azure Database for MariaDB
 description: Learn how to configure private link for Azure Database for MariaDB from Azure portal
 author: kummanish
 ms.author: manishku
@@ -8,7 +8,7 @@ ms.topic: conceptual
 ms.date: 01/09/2020
 ---
 
-# Create and manage Private Link for Azure Database for MariaDB (Preview) using Portal
+# Create and manage Private Link for Azure Database for MariaDB using Portal
 
 A Private Endpoint is the fundamental building block for private link in Azure. It enables Azure resources, like Virtual Machines (VMs), to communicate privately with private link resources.  In this article, you will learn how to use the Azure portal to create a VM in an Azure Virtual Network and an Azure Database for MariaDB server with an Azure private endpoint.
 
@@ -121,12 +121,12 @@ In this section, you will create an Azure Database for MariaDB server in Azure.
 
 In this section, you will create a private endpoint to the MariaDB server to it. 
 
-1. On the upper-left side of the screen in the Azure portal, select **Create a resource** > **Networking** > **Private Link Center (Preview)**.
+1. On the upper-left side of the screen in the Azure portal, select **Create a resource** > **Networking** > **Private Link**.
 2. In **Private Link Center - Overview**, on the option to **Build a private connection to a service**, select **Start**.
 
     ![Private Link overview](media/concepts-data-access-and-security-private-link/privatelink-overview.png)
 
-1. In **Create a private endpoint (Preview) - Basics**, enter or select this information:
+1. In **Create a private endpoint - Basics**, enter or select this information:
 
     | Setting | Value |
     | ------- | ----- |
@@ -149,7 +149,7 @@ In this section, you will create a private endpoint to the MariaDB server to it.
     |Target sub-resource |Select *mariadbServer*|
     |||
 7. Select **Next: Configuration**.
-8. In **Create a private endpoint (Preview) - Configuration**, enter or select this information:
+8. In **Create a private endpoint - Configuration**, enter or select this information:
 
     | Setting | Value |
     | ------- | ----- |

articles/mariadb/howto-deny-public-network-access.md

@@ -0,0 +1,41 @@
+---
+title: Deny Public Network Access - Azure portal - Azure Database for MariaDB
+description: Learn how to configure Deny Public Network Access using Azure portal for your Azure Database for MariaDB 
+author: kummanish
+ms.author: manishku
+ms.service: mariadb
+ms.topic: conceptual
+ms.date: 03/10/2020
+---
+
+# Deny Public Network Access in Azure Database for MariaDB using Azure portal
+
+This article describes how you can configure an Azure Database for MariaDB server to deny all public configurations and allow only connections through private endpoints to further enhance the network security.
+
+## Prerequisites
+
+To complete this how-to guide, you need:
+
+* An [Azure Database for MariaDB](quickstart-create-MariaDB-server-database-using-azure-portal.md)
+
+## Set Deny Public Network Access
+
+Follow these steps to set MariaDB server Deny Public Network Access:
+
+1. In the [Azure portal](https://portal.azure.com/), select your existing Azure Database for MariaDB server.
+
+1. On the MariaDB server page, under **Settings**, click **Connection security** to open the connection security configuration page.
+
+1. In Deny Public Network Access, select **Yes** to enable deny public access for your MariaDB server.
+
+    ![Azure Database for MariaDB Deny network access](./media/howto-deny-public-network-access/deny-public-network-access.PNG)
+
+1. Click **Save** to save the changes.
+
+1. A notification will confirm that connection security setting was successfully enabled.
+
+    ![Azure Database for MariaDB Deny network access success](./media/howto-deny-public-network-access/deny-public-network-access-success.png)
+
+## Next steps
+
+Learn about [how to create alerts on metrics](howto-alert-metric.md).

articles/mariadb/howto-tls-configurations.md

@@ -0,0 +1,43 @@
+---
+title: TLS configuration - Azure portal - Azure Database for MariaDB
+description: Learn how to set TLS configuration using Azure portal for your Azure Database for MariaDB 
+author: kummanish
+ms.author: manishku
+ms.service: mariadb
+ms.topic: conceptual
+ms.date: 03/10/2020
+---
+
+# Configuring TLS settings in Azure Database for MariaDB using Azure portal
+
+This article describes how you can configure an Azure Database for MariaDB server to enforce connections for a minimum TLS version to go through and deny all connections with lower TLS version thereby enhancing the network security.
+
+Customers now have the ability to enforce TLS version for connecting to their Azure Database for MariaDB by setting the minimal TLS version for their database server. For example, setting the minimum TLS setting version to TLS 1.0 means your server will allow connections from clients using TLS 1.0, 1.1, and 1.2+. Alternatively, setting this to 1.2 means that you only allow connections from clients using TLS 1.2 and all connections with TLS 1.0 and TLS 1.1 will be rejected.
+
+## Prerequisites
+
+To complete this how-to guide, you need:
+
+* An [Azure Database for MariaDB](quickstart-create-mariaDB-server-database-using-azure-portal.md)
+
+## Set TLS configurations for Azure Database for MariaDB
+
+Follow these steps to set MariaDB server minimum TLS version:
+
+1. In the [Azure portal](https://portal.azure.com/), select your existing Azure Database for MariaDB server.
+
+1. On the MariaDB server page, under **Settings**, click **Connection security** to open the connection security configuration page.
+
+1. In **Minimum TLS version**, select **1.2** to deny connections with TLS version less than TLS 1.2 for your MariaDB server.
+
+    ![Azure Database for MariaDB TLS configuration](./media/howto-tls-configurations/tls-configurations.png)
+
+1. Click **Save** to save the changes.
+
+1. A notification will confirm that connection security setting was successfully enabled.
+
+    ![Azure Database for MariaDB TLS configuration success](./media/howto-tls-configurations/tls-configurations-success.png)
+
+## Next steps
+
+Learn about [how to create alerts on metrics](howto-alert-metric.md).