MicrosoftDocs
diff --git a/‎articles/spring-apps/how-to-access-app-from-internet-virtual-network.md
Lines changed: 74 additions & 0 deletions b/‎articles/spring-apps/how-to-access-app-from-internet-virtual-network.md
Lines changed: 74 additions & 0 deletions
diff --git a/‎articles/spring-apps/how-to-log-streaming.md
Lines changed: 72 additions & 26 deletions b/‎articles/spring-apps/how-to-log-streaming.md
Lines changed: 72 additions & 26 deletions
diff --git a/‎articles/spring-apps/media/how-to-access-app-from-internet-virtual-network/assign-public-endpoint.png
22.2 KB b/‎articles/spring-apps/media/how-to-access-app-from-internet-virtual-network/assign-public-endpoint.png
22.2 KB
diff --git a/‎articles/spring-apps/media/how-to-log-streaming/enable-logstream-public-endpoint.png
46.9 KB b/‎articles/spring-apps/media/how-to-log-streaming/enable-logstream-public-endpoint.png
46.9 KB
diff --git a/‎articles/spring-apps/toc.yml
Lines changed: 2 additions & 0 deletions b/‎articles/spring-apps/toc.yml
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,74 @@
+---
+title: Expose applications on Azure Spring Apps to the internet from a public network
+description: Describes how to expose applications on Azure Spring Apps to the internet from a public network.
+author: karlerickson
+ms.author: karler
+ms.service: spring-cloud
+ms.topic: how-to
+ms.date: 08/09/2022
+ms.custom: devx-track-java, devx-track-azurecli, event-tier1-build-2022
+ms.devlang: azurecli
+---
+
+# Expose applications on Azure Spring Apps to the internet from a public network
+
+> [!NOTE]
+> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams.
+
+This article describes how to expose applications on Azure Spring Apps to the internet from a public network.
+
+You can expose applications to the internet with TLS Termination or end-to-end TLS using Application Gateway. These approaches are described in [Expose applications to the internet with TLS Termination at Application Gateway](./expose-apps-gateway-tls-termination.md) and [Expose applications with end-to-end TLS in a virtual network](./expose-apps-gateway-end-to-end-tls.md). These approaches work well, but Application Gateway can involve a complicated setup and extra expense.
+
+If you don't want to use Application Gateway for advanced operations, you can expose your applications to the internet with one click using the Azure portal or one command using the Azure CLI. The only extra expense is a standard public IP for one Azure Spring Apps service instance, regardless of how many apps you want to expose.
+
+## Prerequisites
+
+- An Azure Spring Apps service instance deployed in a virtual network and an app created in it. For more information, see [Deploy Azure Spring Apps in a virtual network](./how-to-deploy-in-azure-virtual-network.md).
+
+## Assign a public fully qualified domain name (FQDN) for your application in a VNet injection instance
+
+
+### [Azure portal](#tab/azure-portal)
+
+Use the following steps to assign a public FQDN for your application.
+
+1. Select the Azure Spring Apps service instance deployed in your virtual network, and then open the **Apps** tab in the menu on the left.
+
+1. Select the application to show the **Overview** page.
+
+1. Select **Assign Public Endpoint** to assign a public FQDN to your application. Assigning an FQDN can take a few minutes.
+
+   :::image type="content" source="media/how-to-access-app-from-internet-virtual-network/assign-public-endpoint.png" alt-text="Screenshot of Azure portal showing how to assign a public FQDN to your application." lightbox="media/how-to-access-app-from-internet-virtual-network/assign-public-endpoint.png":::
+
+The assigned public FQDN (labeled **URL**) is now available. It can only be accessed within the public network.
+
+### [Azure CLI](#tab/azure-CLI)
+
+Use the following command to assign a public endpoint to your app. Be sure to replace the placeholders with your actual values.
+
+```azurecli
+az spring app update \
+    --resource-group <resource-group-name> \
+    --name <app-name> \
+    --service <service-instance-name> \
+    --assign-public-endpoint true
+```
+
+---
+
+## Use a public URL to access your application from both inside and outside the virtual network
+
+You can use a public URL to access your application both inside and outside the virtual network. Follow the steps in [Access your application in a private network](./access-app-virtual-network.md) to bind the domain `.private.azuremicroservices.io` to the service runtime Subnet private IP address in your private DNS zone while keeping the **Assign Endpoint** in a disable state. You can then access the app using the **public URL** from both inside and outside the virtual network. 
+
+## Secure traffic to the public endpoint
+
+To ensure the security of your applications when you expose a public endpoint for them, secure the endpoint by filtering network traffic to your service with a network security group. For more information, see [Tutorial: Filter network traffic with a network security group using the Azure portal](../virtual-network/tutorial-filter-network-traffic.md). A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.
+
+> [!NOTE]
+> If you couldn't access your application in VNet injection instance from internet after you have assigned a public FQDN, check your network security group first to see whether you have allowed such inbound traffic.
+
+## Next steps
+
+- [Expose applications with end-to-end TLS in a virtual network](./expose-apps-gateway-end-to-end-tls.md)
+- [Troubleshooting Azure Spring Apps in virtual networks](./troubleshooting-vnet.md)
+- [Customer responsibilities for running Azure Spring Apps in VNET](./vnet-customer-responsibilities.md)
@@ -1,15 +1,15 @@
 ---
-title:  Stream Azure Spring Apps app logs in real-time
-description: How to use log streaming to view application logs instantly
+title:  Stream Azure Spring Apps application console logs in real time
+description: Describes how to use log streaming to view application logs in real time
 author: karlerickson
 ms.author: karler
 ms.service: spring-apps
 ms.topic: how-to
-ms.date: 01/14/2019
+ms.date: 08/10/2022
 ms.custom: devx-track-java, devx-track-azurecli, event-tier1-build-2022
 ---
 
-# Stream Azure Spring Apps app logs in real-time
+# Stream Azure Spring Apps application console logs in real time
 
 > [!NOTE]
 > Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams.
@@ -18,33 +18,33 @@ ms.custom: devx-track-java, devx-track-azurecli, event-tier1-build-2022
 
 **This article applies to:** ✔️ Basic/Standard tier ✔️ Enterprise tier
 
-Azure Spring Apps enables log streaming in Azure CLI to get real-time application console logs for troubleshooting. You can also [Analyze logs and metrics with diagnostics settings](./diagnostic-services.md).
+This article describes how to enable log streaming in Azure CLI to get real-time application console logs for troubleshooting. You can also use diagnostics settings to analyze diagnostics data in Azure Spring Apps. For more information, see [Analyze logs and metrics with diagnostics settings](./diagnostic-services.md).
 
 ## Prerequisites
 
-* [Azure CLI](/cli/azure/install-azure-cli) with the Azure Spring Apps extension, minimum version 1.0.0. You can install the extension by using the following command: `az extension add --name spring`
-* An instance of **Azure Spring Apps** with a running application. For more information, see [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md).
+- [Azure CLI](/cli/azure/install-azure-cli) with the Azure Spring Apps extension, minimum version 1.0.0. You can install the extension by using the following command: `az extension add --name spring`
+- An instance of Azure Spring Apps with a running application. For more information, see [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md).
 
-## Use CLI to tail logs
+## Use Azure CLI to produce tail logs
 
-To avoid repeatedly specifying your resource group and service instance name, set your default resource group name and cluster name.
+This section provides examples of using Azure CLI to produce tail logs. To avoid repeatedly specifying your resource group and service instance name, use the following commands to set your default resource group name and cluster name:
 
 ```azurecli
-az config set defaults.group=<service group name>
-az config set defaults.spring-cloud=<service instance name>
+az config set defaults.group=<service-group-name>
+az config set defaults.spring-cloud=<service-instance-name>
 ```
 
-In following examples, the resource group and service name will be omitted in the commands.
+The resource group and service name are omitted in the following examples.
 
-### Tail log for app with single instance
+### View the tail log for an app with a single instance
 
-If an app named auth-service has only one instance, you can view the log of the app instance with the following command:
+If an app named `auth-service` has only one instance, you can view the log of the app instance with the following command:
 
 ```azurecli
-az spring app logs --name <application name>
+az spring app logs --name <application-name>
 ```
 
-This will return logs similar to the following examples, where `auth-service` is the application name.
+This command returns logs similar to the following examples, where `auth-service` is the application name.
 
 ```output
 ...
@@ -56,11 +56,11 @@ This will return logs similar to the following examples, where `auth-service` is
 ...
 ```
 
-### Tail log for app with multiple instances
+### View the tail log for an app with multiple instances
 
 If multiple instances exist for the app named `auth-service`, you can view the instance log by using the `-i/--instance` option.
 
-First, you can get the app instance names with following command.
+First, run the following command to get the app instance names:
 
 ```azurecli
 az spring app show --name auth-service --query properties.activeDeployment.properties.instances --output table
@@ -76,25 +76,25 @@ auth-service-default-12-75cc4577fc-8nt4m  Running   UP
 auth-service-default-12-75cc4577fc-n25mh  Running   UP
 ```
 
-Then, you can stream logs of an app instance with the option `-i/--instance` option:
+Then, you can stream logs of an app instance using the `-i/--instance` option, as follows:
 
 ```azurecli
 az spring app logs --name auth-service --instance auth-service-default-12-75cc4577fc-pw7hb
 ```
 
-You can also get details of app instances from the Azure portal.  After selecting **Apps** in the left navigation pane of your Azure Spring Apps service, select **App Instances**.
+You can also get details of app instances from the Azure portal. After selecting **Apps** in the left navigation pane of your Azure Spring Apps service, select **App Instances**.
 
 ### Continuously stream new logs
 
-By default, `az spring app logs` prints only existing logs streamed to the app console and then exits. If you want to stream new logs, add `-f/--follow`:
+By default, `az spring app logs` prints only existing logs streamed to the app console, and then exits. If you want to stream new logs, add the `-f/--follow` argument:
 
 ```azurecli
 az spring app logs --name auth-service --follow
 ```
 
-When you use `--follow` to tail instant logs, the Azure Spring Apps log streaming service will send heartbeat logs to the client every minute unless your application is writing logs constantly. These heartbeat log messages look like `2020-01-15 04:27:13.473: No log from server`.
+When you use the `--follow` argument to tail instant logs, the Azure Spring Apps log streaming service sends heartbeat logs to the client every minute unless your application is writing logs constantly. Heartbeat log messages use the following format: `2020-01-15 04:27:13.473: No log from server`.
 
-To check all the logging options supported:
+Use the following command to check all the logging options that are supported:
 
 ```azurecli
 az spring app logs --help
@@ -103,9 +103,11 @@ az spring app logs --help
 ### Format JSON structured logs
 
 > [!NOTE]
-> Requires spring extension version 2.4.0 or later.
+> Formatting JSON structured logs requires spring extension version 2.4.0 or later.
 
-When the [Structured application log](./structured-app-log.md) is enabled for the app, the logs are printed in JSON format. This makes it difficult to read. The `--format-json` argument can be used to format the JSON logs into human readable format.
+Structured application logs are displayed in JSON format, which can be difficult to read. You can use the `--format-json` argument to format logs in JSON format into a more readable format. For more information, see [Structured application log for Azure Spring Apps](./structured-app-log.md).
+
+The following example shows how to use the `--format-json` argument:
 
 ```azurecli
 # Raw JSON log
@@ -119,7 +121,9 @@ $ az spring app logs --name auth-service --format-json
 2021-05-26T03:35:27.533Z  INFO [           main] com.netflix.discovery.DiscoveryClient   : Single vip registry refresh property : null
 ```
 
-The `--format-json` argument also takes optional customized format, using the keyword argument [format string syntax](https://docs.python.org/3/library/string.html#format-string-syntax).
+The `--format-json` argument also accepts an optional customized format using format string syntax. For more information, see [Format String Syntax](https://docs.python.org/3/library/string.html#format-string-syntax).
+
+The following example shows how to use format string syntax:
 
 ```azurecli
 # Custom format
@@ -134,6 +138,48 @@ Single vip registry refresh property : null
 > {timestamp} {level:>5} [{thread:>15.15}] {logger{39}:<40.40}: {message}{n}{stackTrace}
 > ```
 
+## Stream an Azure Spring Apps app log in a VNet injection instance
+
+For an Azure Spring Apps instance deployed in a custom virtual network, you can access log streaming by default from a private network. For more information, see [Deploy Azure Spring Apps in a virtual network](./how-to-deploy-in-azure-virtual-network.md)
+
+Azure Spring Apps also enables you to access real-time app logs from a public network using Azure portal or the Azure CLI.
+
+### [Azure portal](#tab/azure-portal)
+
+Use the following steps to enable a log streaming endpoint on the public network.
+
+1. Select the Azure Spring Apps service instance deployed in your virtual network, and then open the **Networking** tab in the navigation menu.
+
+1. Select the **Vnet injection** page.
+
+1. Switch the status of **Log streaming on public network** to **enable** to enable a log streaming endpoint on the public network. This process will take a few minutes.
+
+   :::image type="content" source="media/how-to-log-streaming/enable-logstream-public-endpoint.png" alt-text="Screenshot of enabling a log stream public endpoint on the Vnet Injection page." lightbox="media/how-to-log-streaming/enable-logstream-public-endpoint.png":::
+
+#### [CLI](#tab/azure-CLI)
+
+Use the following command to enable the log stream public endpoint.
+
+```azurecli
+az spring update \
+    --resource-group <resource-group-name> \
+    --service <service-instance-name> \
+    --enable-log-stream-public-endpoint true
+```
+
+After you've enabled the log stream public endpoint, you can access the app log from a public network as you would access a normal instance.
+
+---
+
+## Secure traffic to the log streaming public endpoint
+
+Log streaming uses the same key as the test endpoint described in [Set up a staging environment in Azure Spring Apps](./how-to-staging-environment.md) to authenticate the connections to your deployments. As a result, only users who have read access to the test keys can access log streaming.
+
+To ensure the security of your applications when you expose a public endpoint for them, secure the endpoint by filtering network traffic to your service with a network security group. For more information, see [Tutorial: Filter network traffic with a network security group using the Azure portal](../virtual-network/tutorial-filter-network-traffic.md). A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.
+
+> [!NOTE]
+> If you can't access app logs in the VNet injection instance from the internet after you've enabled a log stream public endpoint, check your network security group to see whether you've allowed such inbound traffic.
+
 ## Next steps
 
 * [Quickstart: Monitoring Azure Spring Apps apps with logs, metrics, and tracing](./quickstart-logs-metrics-tracing.md)
 
@@ -210,6 +210,8 @@ items:
       href: expose-apps-gateway-tls-termination.md
     - name: Expose applications to the internet with end-to-end TLS/SSL
       href: expose-apps-gateway-end-to-end-tls.md
+    - name: Expose applications to the internet from a public network
+      href: how-to-access-app-from-internet-virtual-network.md
     - name: Configure Palo Alto
       href: how-to-configure-palo-alto.md
     - name: Customer responsibilities running Azure Spring Apps in VNET