Merge pull request #185590 from zxue/master

Add vnet peering configuration

Author: laurabren

articles/healthcare-apis/azure-api-for-fhir/configure-private-link.md

@@ -6,7 +6,7 @@ author: matjazl
 ms.service: healthcare-apis
 ms.subservice: fhir
 ms.topic: reference
-ms.date: 05/27/2021
+ms.date: 01/20/2022
 ms.author: zxue
 ---
 
@@ -64,19 +64,29 @@ After the deployment is complete, you can go back to "Private endpoint connectio
 
 ![Options](media/private-link/private-link-options.png)
 
-## Test private endpoint
+## VNet Peering
 
-To ensure that your FHIR server is not receiving public traffic after disabling public network access, select the /metadata endpoint for your server from your computer. You should receive a 403 Forbidden. 
+With Private Link configured, you can access the FHIR server in the same VNet or a different VNet that is peered to the VNet for the FHIR server. Follow the steps below to configure VNet peering and Private Link DNS zone configuration.
 
+### Configure VNet Peering
 
-> [!NOTE]
-> It can take up to 5 minutes after updating the public network access flag before public traffic is blocked.
+You can configure VNet peering from the portal or using PowerShell, CLI scripts, and Azure Resource Manager (ARM) template. The second VNet can be in the same or different subscriptions, and in the same or different regions. Make sure that you grant the **Network contributor** role. For more information on VNet Peering, see [Create a virtual network peering](../../virtual-network/create-peering-different-subscriptions.md).
 
-To ensure your private endpoint can send traffic to your server:
+### Add VNet link to the private link zone
 
-1. Create a virtual machine (VM) that is connected to the virtual network and subnet your private endpoint is configured on. To ensure your traffic from the VM is only using the private network, disable the outbound internet traffic using the network security group (NSG) rule.
-2. RDP into the VM.
-3. Access your FHIR server’s /metadata endpoint from the VM. You should receive the capability statement as a response.
+In the Azure portal, select the resource group of the FHIR server. Select and open the Private DNS zone, **privatelink.azurehealthcareapis.com**. Select **Virtual network links** under the *settings* section. Click the Add button to add your second VNet to the private DNS zone. Enter the link name of your choice, select the subscription and the VNet you just created. Optionally, you can enter the resource ID for the second VNet. Select **Enable auto registration**, which automatically adds a DNS record for your VM connected to the second VNet. When you delete a VNet link, the DNS record for the VM is also deleted.
+
+For more information on how private link DNS zone resolves the private endpoint IP address to the fully qualified domain name (FQDN) of the resource such as the FHIR server, see [Azure Private Endpoint DNS configuration](../../private-link/private-endpoint-dns.md).
+
+  :::image type="content" source="media/private-link/private-link-add-vnet-link.png" alt-text="Add VNet link." lightbox="media/private-link/private-link-add-vnet-link.png":::
+
+You can add more VNet links if needed, and view all VNet links you've added from the portal.
+
+  :::image type="content" source="media/private-link/private-link-vnet-links.png" alt-text="Private Link VNet links." lightbox="media/private-link/private-link-vnet-links.png":::
+  
+From the Overview blade you can view the private IP addresses of the FHIR server and the VMs connected to peered virtual networks.
+
+  :::image type="content" source="media/private-link/private-link-dns-zone.png" alt-text="Private Link FHIR and VM Private IP Addresses." lightbox="media/private-link/private-link-dns-zone.png":::
 
 ## Manage private endpoint
 
@@ -91,3 +101,62 @@ Private endpoints and the associated network interface controller (NIC) are visi
 Private endpoints can only be deleted from the Azure portal from the **Overview** blade or by selecting the **Remove** option under the **Networking Private endpoint connections** tab. Selecting **Remove** will delete the private endpoint and the associated NIC. If you delete all private endpoints to the FHIR resource and the public network, access is disabled and no request will make it to your FHIR server.
 
 ![Delete Private Endpoint](media/private-link/private-link-delete.png)
+
+## Test and troubleshoot private link and VNet peering
+
+To ensure that your FHIR server is not receiving public traffic after disabling public network access, select the /metadata endpoint for your server from your computer. You should receive a 403 Forbidden. 
+
+> [!NOTE]
+> It can take up to 5 minutes after updating the public network access flag before public traffic is blocked.
+
+### Create and use a VM
+
+To ensure your private endpoint can send traffic to your server:
+
+1. Create a virtual machine (VM) that is connected to the virtual network and subnet your private endpoint is configured on. To ensure your traffic from the VM is only using the private network, disable the outbound internet traffic using the network security group (NSG) rule.
+2. RDP into the VM.
+3. Access your FHIR server’s /metadata endpoint from the VM. You should receive the capability statement as a response.
+
+### Use nslookup
+
+You can use the **nslookup** tool to verify connectivity. If the private link is configured properly, you should see the FHIR server URL resolves to the valid private IP address, as shown below. Note that IP address **168.63.129.16** is a virtual public IP address used in Azure. For more information, see [What is IP address 168.63.129.16](../../virtual-network/what-is-ip-address-168-63-129-16.md)
+
+```
+C:\Users\testuser>nslookup fhirserverxxx.azurehealthcareapis.com
+Server:  UnKnown
+Address:  168.63.129.16
+
+Non-authoritative answer:
+Name:    fhirserverxxx.privatelink.azurehealthcareapis.com
+Address:  172.21.0.4
+Aliases:  fhirserverxxx.azurehealthcareapis.com
+```
+
+If the private link is not configured properly, you may see the public IP address instead and a few aliases including the Traffic Manager endpoint. This indicates that the private link DNS zone cannot resolve to the valid private IP address of the FHIR server. When VNet peering is configured, one possible reason is that the second peered VNet hasn't been added to the private link DNS zone. As a result, you will see the HTTP error 403, "Access to xxx was denied", when trying to access the /metadata endpoint of the FHIR server.
+
+```
+C:\Users\testuser>nslookup fhirserverxxx.azurehealthcareapis.com
+Server:  UnKnown
+Address:  168.63.129.16
+
+Non-authoritative answer:
+Name:    xxx.cloudapp.azure.com
+Address:  52.xxx.xxx.xxx
+Aliases:  fhirserverxxx.azurehealthcareapis.com
+          fhirserverxxx.privatelink.azurehealthcareapis.com
+          xxx.trafficmanager.net
+```
+
+For more information, see [Troubleshoot Azure Private Link connectivity problems](../../private-link/troubleshoot-private-link-connectivity.md).
+
+## Next steps
+
+In this article, you've learned how to configure the private link and VNet peering. You also learned how to troubleshoot the private link and VNet configurations.
+
+Based on your private link setup and for more information about registering your applications, see
+
+* [Register a resource application](register-resource-azure-ad-client-app.md)
+* [Register a confidential client application](register-confidential-azure-ad-client-app.md)
+* [Register a public client application](register-public-azure-ad-client-app.md)
+* [Register a service application](register-service-azure-ad-client-app.md)
+