Merge pull request #115589 from dlepow/dde

[ACR] Dedicated endpoints - portal

Author: GitHubber17

articles/container-registry/container-registry-firewall-access-rules.md

@@ -2,7 +2,7 @@
 title: Firewall access rules
 description: Configure rules to access an Azure container registry from behind a firewall, by allowing access to ("whitelisting") REST API and data endpoint domain names or service-specific IP address ranges.
 ms.topic: article
-ms.date: 05/07/2020
+ms.date: 05/18/2020
 ---
 
 # Configure rules to access an Azure container registry behind a firewall
@@ -13,7 +13,7 @@ If instead you want to configure inbound network access to a container registry
 
 ## About registry endpoints
 
-To pull or push images or other artifacts to an Azure container registry, a client such as a Docker daemon needs to interact over HTTPS with two distinct endpoints. For clients that access a registry from behind a firewall, you need to configure access rules for both endpoints.
+To pull or push images or other artifacts to an Azure container registry, a client such as a Docker daemon needs to interact over HTTPS with two distinct endpoints. For clients that access a registry from behind a firewall, you need to configure access rules for both endpoints. Both endpoints are reached over port 443.
 
 * **Registry REST API endpoint** - Authentication and registry management operations are handled through the registry's public REST API endpoint. This endpoint is the login server name of the registry. Example: `myregistry.azurecr.io`
 
@@ -26,7 +26,7 @@ If your registry is [geo-replicated](container-registry-geo-replication.md), a c
 * **REST endpoint** - Allow access to the fully qualified registry login server name, `<registry-name>.azurecr.io`, or an associated IP address range
 * **Storage (data) endpoint** - Allow access to all Azure blob storage accounts using the wildcard `*.blob.core.windows.net`, or an associated IP address range.
 > [!NOTE]
-> Azure Container Registry is introducing  [dedicated data endpoints](#enable-dedicated-data-endpoints-preview) (preview), allowing you to tightly scope client firewall rules for your registry storage. Optionally enable data endpoints in all regions where the registry is located or replicated, using the form `<registry-name>.<region>.data.azurecr.io`.
+> Azure Container Registry is introducing [dedicated data endpoints](#enable-dedicated-data-endpoints), allowing you to tightly scope client firewall rules for your registry storage. Optionally enable data endpoints in all regions where the registry is located or replicated, using the form `<registry-name>.<region>.data.azurecr.io`.
 
 ## Allow access by IP address range
 
@@ -112,26 +112,45 @@ In an Azure virtual network, use network security rules to filter traffic from a
 
 For example, create an outbound network security group rule with destination **AzureContainerRegistry** to allow traffic to an Azure container registry. To allow access to the service tag only in a specific region, specify the region in the following format: **AzureContainerRegistry**.[*region name*].
 
-## Enable dedicated data endpoints (preview)
+## Enable dedicated data endpoints 
 
 > [!WARNING]
 > If you previously configured client firewall access to the existing `*.blob.core.windows.net` endpoints, switching to dedicated data endpoints will impact client connectivity, causing pull failures. To ensure clients have consistent access, add the new data endpoint rules to the client firewall rules. Once completed, enable dedicated data endpoints for your registries using the Azure CLI or other tools.
 
-Dedicated data endpoints is an optional feature of the **Premium** container registry service tier. For information about registry service tiers and limits, see [Azure Container Registry Tiers](container-registry-skus.md). To enable data endpoints using the Azure CLI, use Azure CLI version 2.4.0 or higher. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli).
+Dedicated data endpoints is an optional feature of the **Premium** container registry service tier. For information about registry service tiers and limits, see [Azure Container Registry service tiers](container-registry-skus.md). 
 
-The following [az acr update][az-acr-update] command enables dedicated data endpoints on a registry *myregistry*. For demonstration purpose, assume that the registry is replicated in two regions:
+You can enable dedicated data endpoints using the Azure portal or the Azure CLI. The data endpoints follow a regional pattern, `<registry-name>.<region>.data.azurecr.io`. In a geo-replicated registry, enabling data endpoints enables endpoints in all replica regions.
+
+### Portal
+
+To enable data endpoints using the portal:
+
+1. Navigate to your container registry.
+1. Select **Networking** > **Public access**.
+1. Select the **Enable dedicated data endpoint** checkbox.
+1. Select **Save**.
+
+The data endpoint or endpoints appear in the portal.
+
+![Dedicated data endpoints in portal](./media/container-registry-firewall-access-rules/dedicated-data-endpoints-portal.png)
+
+### Azure CLI
+
+To enable data endpoints using the Azure CLI, use Azure CLI version 2.4.0 or higher. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli).
+
+The following [az acr update][az-acr-update] command enables dedicated data endpoints on a registry *myregistry*. 
 
 ```azurecli
 az acr update --name myregistry --data-endpoint-enabled
 ```
 
-The data endpoints use a regional pattern, `<registry-name>.<region>.data.azurecr.io`. To view the data endpoints, use the [az acr show-endpoints][az-acr-show-endpoints] command:
+To view the data endpoints, use the [az acr show-endpoints][az-acr-show-endpoints] command:
 
 ```azurecli
 az acr show-endpoints --name myregistry
 ```
 
-Output:
+Output for demonstration purposes shows two regional endpoints
 
 ```
 {
@@ -161,6 +180,8 @@ If you need to access Microsoft Container Registry (MCR) from behind a firewall,
 
 * Learn more about [security groups](/azure/virtual-network/security-overview) in an Azure virtual network
 
+* Learn more about setting up [Private Link](container-registry-private-link.md) for a container registry
+
 * Learn more about [dedicated data endpoints](https://azure.microsoft.com/blog/azure-container-registry-mitigating-data-exfiltration-with-dedicated-data-endpoints/) for Azure Container Registry